Skip to Main Content
IBM Data and AI Ideas Portal for Customers

This portal is to open public enhancement requests against products and services offered by the IBM Data & AI organization. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (

Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas

Post ideas and requests to enhance a product or service. Take a look at ideas others have posted and upvote them if they matter to you,

  1. Post an idea

  2. Upvote ideas that matter most to you

  3. Get feedback from the IBM team to refine your idea

Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal ( - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal ( - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM. - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

IBM Data & AI Roadmaps ( - Use this site to view roadmaps for Data & AI products.

IBM Employees should enter Ideas at

Status Future consideration
Workspace Watson Studio
Components Watson Studio
Created by Guest
Created on Apr 24, 2021

AWS IAM Role Compatibility with S3 Connections

Problem Statement/Pain Points: We work with a government agency who has specific security requirements and we are utilizing Cloud Pak for Data within their environment. They have a need for utilizing S3 Data Connections to resources in AWS GovCloud. Currently, Cloud Pak for Data S3 Data Connections only allow Access Key/Secret Key to authenticate to the service. However, we are required to utilize more secure connection options than username/password (which is essentially the same as an Access Key/Secret Key). However, since IAM Role credentials are not stored within the application, then we are able to avoid this issue.

State your current workaround(s): We are currently utilizing Access Keys and Secret Keys and therefore have to enter a POAM with our client in order to remain compliant.

State any proposed solution(s): Allow user to have the ability to utilize either Access Keys and Secret Keys or AWS IAM Roles with S3 Connections. With IAM Roles, an application or a service offered by AWS (like Amazon EC2) can assume a role by requesting temporary security credentials for a role with which to make programmatic requests to AWS. You use a role this way so that you do not have to share or maintain long-term security credentials (for example, by creating an IAM user with Access Key and Secret Key) for each entity that requires access to a resource. An apparent limitation of this is that it limits the number of unique S3 Data Connections that we are allowed while using IAM Roles (since the roles would be assigned to the EC2 Cloud Pak for Data nodes). Therefore, we are interested in alternative solutions to meet this need while overcoming this limitation.

State the benefits/value this idea has: Per AWS best practices, for applications on Amazon EC2 or other AWS services to access Amazon S3 resources, they must include valid AWS credentials in their AWS API requests. You should not store AWS credentials directly in the application or Amazon EC2 instance. These are long-term credentials that are not automatically rotated and could have a significant business impact if they are compromised. Instead, you should use an IAM role to manage temporary credentials for applications or services that need to access Amazon S3. When you use a role, you don't have to distribute long-term credentials (such as a user name and password or access keys) to an Amazon EC2 instance or AWS service such as AWS Lambda. The role supplies temporary permissions that applications can use when they make calls to other AWS resources. []

State # of users impacted and how often are they impacted): All users utilizing AWS S3 Buckets within Cloud Pak for Data would benefit

Needed by Date Apr 26, 2022
  • Guest
    Apr 28, 2021

    This would be a great benefit to Federal organizations that have a mandate to use a more secure method of authentication than hardcoded keys/secrets. Using roles would also provide greater flexibility in access while maintaining high level of security.

  • Guest
    Apr 26, 2021

    This is a much needed service, and any gov organization is going to run into a compliance issue utilizing the AWS Access Key/Secret vs the IAM role to support this connection. Having the ability to utilize the IAM role within CP4D would greatly benefit maintaining the Security and Compliance of CP4D.