This portal is to open public enhancement requests against products and services offered by the IBM Data Platform organization. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).
https://streamsets.atlassian.net/wiki/x/OwAJGAE
Customer requires using AWS IAM roles only (no static access keys) to retrieve secrets from AWS Secrets Manager located in different AWS accounts than the one where the StreamSets engine is running.
Current setup:
StreamSets engine runs on EC2 in Account A using an instance profile
Database credentials are stored in Secrets Manager in other AWS accounts
Instance profile in Account A is allowed to assume a cross-account role (STS) with permissions to read those secrets
Observed behavior:
When the AWS Secrets Manager credential store is configured to use Instance Profile, StreamSets always uses the engine’s instance profile role directly
StreamSets does not perform an explicit STS AssumeRole, even if the instance profile is allowed to assume another role
As a result, access to cross-account secrets fails with AccessDenied.
Conclusion
This is a current product limitation, not a customer misconfiguration.
AWS Secrets Manager credential stores in SDC do not support explicit cross-account role assumption today.
Customer impact
Blocks migration away from static AWS credentials
Affects multiple stages that rely on credential stores
Immediate impact on Binary Log Origin (CDC) but applicable across all AWS-based origins/processors
Security-driven requirement (IAM-only, enterprise best practice)
Workarounds (not ideal)
Grant direct Secrets Manager permissions to the engine’s instance profile, or
Replicate secrets into the same AWS account as the StreamSets engine
Customer has indicated these are not aligned with their security direction.
Product direction / Ask
Feature request to support STS AssumeRole at the AWS Secrets Manager credential store level, optionally configurable with:
Role ARN
External ID (if required)
This would provide a consistent, reusable solution across all stages using credential stores.
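The IAM wiring the ask implies, as an added example that is not part of the request or of StreamSets: the Account A instance-profile role is allowed only sts:AssumeRole on the Account B role, whose trust policy requires the External ID, and a small audit check confirms the trust policy enforces it. All account numbers, role names, secret ARNs and the external ID below are constructed placeholders.

```python
import json

# Constructed placeholder values (not from the request).
ENGINE_ROLE_ARN = "arn:aws:iam::111111111111:role/streamsets-engine-instance-role"  # Account A
SECRETS_ROLE_ARN = "arn:aws:iam::222222222222:role/streamsets-secrets-reader"       # Account B
SECRET_ARN_PATTERN = "arn:aws:secretsmanager:us-east-1:222222222222:secret:db/*"
EXTERNAL_ID = "placeholder-external-id"  # use a random, non-guessable value in practice


def engine_role_policy(target_role_arn):
    """Permission policy on the Account A instance-profile role: it may call
    sts:AssumeRole only on the specific Account B role, nothing else."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": target_role_arn}]}


def secrets_role_trust_policy(trusted_principal_arn, external_id):
    """Trust policy on the Account B role: only the Account A engine role may
    assume it, and only when it presents the agreed ExternalId (confused-deputy guard)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": trusted_principal_arn},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}


def secrets_role_permission_policy(secret_arn_pattern):
    """Permission policy on the Account B role: read-only access to the DB secrets."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
        "Resource": secret_arn_pattern}]}


def trust_policy_requires_external_id(trust_policy):
    """Audit check: every Allow statement granting sts:AssumeRole must carry a
    StringEquals condition on sts:ExternalId; returns False on the first gap."""
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in actions:
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if not cond.get("sts:ExternalId"):
                return False
    return True


if __name__ == "__main__":
    print(json.dumps(secrets_role_trust_policy(ENGINE_ROLE_ARN, EXTERNAL_ID), indent=2))
    print("external id enforced:",
          trust_policy_requires_external_id(secrets_role_trust_policy(ENGINE_ROLE_ARN, EXTERNAL_ID)))
```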
Hi PM team, is there any update on this request?