Robocorp-hosted containers
Robocorp-hosted Cloud Workers are implemented as containers running on Amazon Elastic Container Service (ECS). The containers have a specific IAM role that can be utilized for granting permissions to AWS resources on your account.
Use cases:
- Accessing parameters from AWS Systems Manager Parameter Store or secrets from Secrets Manager
- Accessing objects from S3
- Interacting with the Redshift Data API
- Installing private dependencies from AWS CodeArtifact
 
Technically, this is done by invoking the AWS STS AssumeRole operation from the task to assume a role that grants access to your infrastructure.
- The task is running with role `arn:aws:iam::ACCOUNT_ID:role/RobocorpRobotRole`. Robocorp utilizes multiple AWS accounts for hosting the containers and `ACCOUNT_ID` depends on your deployment. Please get in touch with your Customer Success representative to get the account ID for your deployment.
- The task role has permission to assume any role matching the pattern `arn:aws:iam::*:role/RobocorpRobotAssumableRole*`. Therefore you can create any IAM role starting with `RobocorpRobotAssumableRole` on your account and assume it from the robot.
- We recommend always requiring an `External ID` on the role to prevent unauthorized usage. `External ID` can be configured e.g. in Control Room Vault for the task to access.
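The sketch below is an added example, not Robocorp's own code. It builds the trust policy for a role on your account that only `RobocorpRobotRole` can assume, and only with the External ID, then audits a role name and trust policy against the three points above. The account ID, External ID, role name suffix and function names are constructed placeholders.

```python
import json

ROLE_PREFIX = "RobocorpRobotAssumableRole"    # name prefix the task role is allowed to assume
TASK_ROLE_SUFFIX = ":role/RobocorpRobotRole"  # role the Cloud Worker task runs with


def build_trust_policy(robocorp_account_id, external_id):
    """Trust policy: only RobocorpRobotRole may assume the role, and only with the External ID."""
    if not (robocorp_account_id.isdigit() and len(robocorp_account_id) == 12):
        raise ValueError("AWS account IDs are 12 digits")
    if not external_id:
        raise ValueError("External ID must not be empty")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{robocorp_account_id}{TASK_ROLE_SUFFIX}"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def as_list(value):
    return value if isinstance(value, list) else [value]


def audit_role(role_name, trust_policy):
    """Return a list of findings; an empty list means the role follows the guidance above."""
    findings = []
    if not role_name.startswith(ROLE_PREFIX):
        findings.append("name lacks RobocorpRobotAssumableRole prefix")
    for i, stmt in enumerate(as_list(trust_policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        arns = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if any(not str(a).endswith(TASK_ROLE_SUFFIX) for a in arns):
            findings.append(f"statement {i}: principal is not RobocorpRobotRole")
        if not stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    # Constructed sample values: placeholder account ID and External ID.
    policy = build_trust_policy("111122223333", "constructed-external-id")
    print(json.dumps(policy, indent=2))
    print(audit_role("RobocorpRobotAssumableRoleS3Read", policy))
```

The robot passes the same value as the `ExternalId` parameter of the STS AssumeRole call; without a matching value the condition fails and the role cannot be assumed.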
Last edit: October 17, 2023