This guide applies only to work pools of type
prefect:managed.Assume IAM Roles in Amazon Web Services
Prefect Cloud can assume an AWS IAM role on your behalf and inject short-lived AWS credentials into each flow run. This lets your runs access AWS services and pull code without storing static IAM access keys in Prefect Cloud.How it works
When a flow run starts in a Prefect Managed work pool, Prefect Cloud uses AWS STSAssumeRoleWithWebIdentity to assume the IAM role you configure.
Prefect Cloud then injects these environment variables into the runtime environment:
AWS_ACCESS_KEY_IDAWS_SECRET_ACCESS_KEYAWS_SESSION_TOKENAWS_REGION
Create the IAM identity provider
For a Prefect Managed work pool to assume a role, you must create an OpenID Connect (OIDC) identity provider in your AWS account for Prefect Cloud’s token issuer. You only need to do this once per AWS account.arn:aws:iam::123456789012:oidc-provider/api.prefect.cloud/oidc-provider.
Use that ARN in the trust policy for any IAM role that Prefect Cloud should assume.
Configure the IAM role
For Prefect Cloud to assume a role, you must add a trust relationship allowingsts:AssumeRoleWithWebIdentity from the OIDC provider you created in the previous step.
An example trust relationship policy looks like this:
trust-policy.json
permissions-policy.json
Configure workload identity on the work pool
In Prefect Cloud, open the configuration page for a work pool of type Prefect Managed. At the bottom of the configuration form, expand Federated Identity and set these fields:AWS Role ARN: the IAM role ARN that Prefect Cloud should assumeAWS Region Name: the AWS region to inject into the runtime environment asAWS_REGION
Update an existing work pool schema
If the Federated Identity section does not appear for an existing Prefect Managed work pool, refresh its base job template with the latest managed schema. The following examples:- read the work pool’s current
base_job_template - fetch the latest default template for
prefect:managed - deep-merge the new template with your current configuration
- update the work pool with the merged result
- Shell script
- Python
update-pool.sh
Both examples preserve your existing
base_job_template values while adding new fields from the latest managed template. The shell script requires the Prefect CLI and jq. The Python example uses the Prefect client to read worker metadata and update the work pool directly.Override workload identity for a single deployment
If different deployments in the same work pool need different AWS roles, setfederated_identity in deployment job_variables.
This overrides the work pool default for that deployment only.
The following example uses an S3 pull step and configures a deployment-specific AWS role:
prefect.yaml
prefect_aws.deployments.steps.pull_from_s3 can use the assumed role without an AwsCredentials block or static access keys.
Assume a second role from the workload identity role
Should your flow need to access multiple AWS accounts or assume additional roles in the same account, you can configure the workload identity role as a springboard role. You can access these additional roles by usingsts:AssumeRole with an appropriately configured trust relationship and permissions policy.
For example, if Prefect Cloud first assumes arn:aws:iam::123456789012:role/prefect-managed-s3-reader, a second role, such as arn:aws:iam::123456789012:role/application-admin, can trust that role directly:
springboard-trust-policy.json
sts:AssumeRole on the second role:
springboard-permissions-policy.json
prefect-aws integration, you can also configure an AwsCredentials block to assume the second role.
In this case, the block relies on the temporary credentials that Prefect Cloud injected from the workload identity role:
AwsCredentials.load("application-admin-role")) and assume arn:aws:iam::123456789012:role/application-admin without storing another long-lived AWS credential.