AWS

Connect Conductor to AWS for S3, EC2, Lambda, RDS, and CloudWatch access. Covers IAM setup, credential configuration, required policies, and all available tools.

IAM users vs roles

IAM Users — have long-lived access keys (access key ID + secret). Use these when running Conductor on your local machine or any environment where you cannot attach an IAM role directly.

IAM Roles — provide temporary credentials via the instance metadata service. Use these when Conductor runs on an EC2 instance, ECS task, or Lambda function. Roles are strongly preferred: no keys to rotate, no secrets to store.

Never use root account credentials. Create a dedicated IAM user named conductor-bot with only the permissions it needs.

Creating access keys

  1. Go to IAM → Users → conductor-bot → Security credentials
  2. Click Create access key — choose "Application running outside AWS"
  3. Copy the access key ID and secret — the secret is only shown once
  4. Store the secret in a password manager or secrets manager immediately
aws cli — create key
# In AWS CLI after creating an IAM user
aws iam create-access-key --user-name conductor-bot

AWS CLI profiles

Credentials and region config live in ~/.aws/credentials and ~/.aws/config. You can name a profile and reference it in the Conductor config with the profile field.

~/.aws/credentials and ~/.aws/config
# ~/.aws/credentials
[conductor]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

# ~/.aws/config
[profile conductor]
region = us-east-1
output = json

Environment variables

Environment variables take precedence over the config file. Useful in CI/CD or containerized environments where you cannot write files. Set AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_DEFAULT_REGION.

shell environment
# Environment variables (alternative to config file)
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_DEFAULT_REGION=us-east-1

Conductor config

Add the AWS plugin block to your Conductor config. If you use a named AWS profile, set the profile field and omit accessKeyId/secretAccessKey. When running on EC2 or ECS with an attached role, all credential fields can be omitted entirely.

conductor.config.json
{
  "plugins": {
    "aws": {
      "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
      "secretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
      "region": "us-east-1",
      "profile": "default"
    }
  }
}

Required IAM policies

Create an inline or managed policy for each service your use case requires. Attach all needed policies to the conductor-bot IAM user or role.

S3 policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::*",
        "arn:aws:s3:::*/*"
      ]
    }
  ]
}
EC2 policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeRegions"
      ],
      "Resource": "*"
    }
  ]
}
Lambda + CloudWatch Logs policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:ListFunctions",
        "lambda:GetFunction",
        "lambda:InvokeFunction",
        "logs:FilterLogEvents",
        "logs:DescribeLogGroups"
      ],
      "Resource": "*"
    }
  ]
}
RDS Data API policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBInstances",
        "rds:DescribeDBClusters",
        "rds-data:ExecuteStatement",
        "rds-data:BatchExecuteStatement"
      ],
      "Resource": "*"
    }
  ]
}
CloudWatch Metrics + Logs policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "logs:GetLogEvents",
        "logs:FilterLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams"
      ],
      "Resource": "*"
    }
  ]
}

Available tools

Tool                     Description
s3.list                  List all S3 buckets or objects within a bucket.
s3.get                   Download the contents of an S3 object.
s3.put                   Upload content to an S3 object at a given key.
s3.delete                Delete an S3 object by bucket and key.
ec2.list                 List EC2 instances with status and metadata.
ec2.start                Start a stopped EC2 instance by instance ID.
ec2.stop                 Stop a running EC2 instance by instance ID.
ec2.describe             Get full details for a specific EC2 instance.
lambda.list              List all Lambda functions in the configured region.
lambda.invoke            Invoke a Lambda function synchronously or asynchronously.
lambda.get               Get configuration and metadata for a Lambda function.
lambda.get-logs          Fetch recent CloudWatch log events for a Lambda function.
rds.list                 List all RDS instances and Aurora clusters.
rds.query                Execute a SQL query via RDS Data API (Aurora Serverless v2).
cloudwatch.get-metrics   Retrieve CloudWatch metric statistics for a namespace/metric.
cloudwatch.logs          Fetch and filter CloudWatch log events from a log group.

Rate limits and retries

AWS API limits vary by service and account tier. Conductor automatically retries throttled requests with exponential backoff on ThrottlingException and RequestLimitExceeded. Notable limits: S3 GET/PUT — 5,500/3,500 requests/second per prefix; Lambda — 10 concurrent invocations by default (soft limit, can be raised); EC2 Describe — 100 requests/second. For high-frequency workloads, request a limit increase via the Service Quotas console.
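The retry behaviour described above, shown as an added example rather than Conductor's own code: a wrapper that retries only the two throttling codes the page names, with full-jitter exponential backoff, and re-raises everything else immediately so that an AccessDenied or a bad region is never masked by retries. The ClientError class is a stand-in shaped like botocore's (the error code sits under response["Error"]["Code"]) so the block runs without the AWS SDK; the sleep and rng parameters are injectable only so the schedule can be checked without waiting.

```python
import random
import time

# The two throttling codes the page says Conductor retries on.
RETRYABLE_CODES = {"ThrottlingException", "RequestLimitExceeded"}


class ClientError(Exception):
    """Stand-in for botocore.exceptions.ClientError (assumption: same response shape)."""

    def __init__(self, code, message="", http_status=400):
        super().__init__(f"{code}: {message}")
        self.response = {
            "Error": {"Code": code, "Message": message},
            "ResponseMetadata": {"HTTPStatusCode": http_status},
        }


def with_backoff(call, max_attempts=5, base=0.2, cap=5.0, sleep=time.sleep, rng=random.random):
    """Invoke call() and retry throttled failures with full-jitter exponential backoff.

    Returns (result, attempts). Non-throttling errors (AccessDenied, RequestExpired,
    endpoint problems) are re-raised at once: retrying them burns quota and hides the real
    cause. The final throttling error is re-raised once max_attempts is exhausted.
    """
    for attempt in range(1, max_attempts + 1):
        try:
            return call(), attempt
        except ClientError as exc:
            code = exc.response["Error"]["Code"]
            if code not in RETRYABLE_CODES or attempt == max_attempts:
                raise
            # Full jitter: wait a uniform random time in [0, min(cap, base * 2^(attempt-1))].
            sleep(rng() * min(cap, base * 2 ** (attempt - 1)))
    raise AssertionError("unreachable: loop always returns or raises")


if __name__ == "__main__":
    # Constructed stand-in for an SDK call that is throttled twice, then succeeds.
    remaining = {"throttles": 2}

    def describe_instances():
        if remaining["throttles"] > 0:
            remaining["throttles"] -= 1
            raise ClientError("RequestLimitExceeded", "Request limit exceeded.")
        return {"Reservations": []}

    print(with_backoff(describe_instances))
```

With the defaults the waits grow 0.2 s, 0.4 s, 0.8 s, 1.6 s (each scaled by the jitter draw) before the fifth and last attempt, which is enough to ride out a burst against the S3 per-prefix or EC2 Describe limits without hammering the API in lockstep with other retrying clients.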

Common errors

Error: NoCredentialsError
  Cause: No credentials found anywhere in the credential chain.
  Fix: Set accessKeyId/secretAccessKey in config, or configure AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables.

Error: InvalidClientTokenId
  Cause: The access key ID does not exist or is not active.
  Fix: Verify the key in IAM → Users → Security credentials. Ensure the key is active, not deleted.

Error: AccessDenied
  Cause: Credentials are valid but the IAM user lacks permission for the action.
  Fix: Attach the required inline or managed policy to the IAM user or role. Check the specific action in the error message.

Error: Region mismatch
  Cause: The configured region does not match where the resource exists.
  Fix: Set the correct region in config or use AWS_DEFAULT_REGION. S3 buckets require the region where they were created.

Error: EndpointResolutionError
  Cause: Service endpoint could not be resolved — often a typo in region or unsupported region for a service.
  Fix: Check that the region string is valid (e.g., us-east-1, not us-east1). Verify the service is available in that region.

Error: RequestExpired
  Cause: System clock is too far out of sync with AWS servers.
  Fix: Sync your system clock. On Linux: sudo ntpdate -u pool.ntp.org. On macOS: system time sync settings.
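A small pre-flight check that catches several of the mistakes in the Conductor config section and the table above before Conductor ever calls AWS, added here as an example and not part of Conductor itself. It reports which credential source the aws plugin block will end up using (environment variables, static keys, a named profile, or an attached role), flags the contradictory case of a profile set alongside accessKeyId/secretAccessKey, and rejects malformed region strings such as us-east1 that surface as EndpointResolutionError. The env > static > profile > role order is this example's own assumption; the page only states that environment variables override the AWS config file. The region pattern is likewise an assumption that covers the standard and GovCloud partitions.

```python
import json
import re

# Region identifiers look like us-east-1 or us-gov-west-1. A typo such as "us-east1" is the
# usual source of EndpointResolutionError. Assumption: the pattern covers the standard and
# GovCloud partitions; extend it if you use another partition.
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")


def aws_credential_mode(config_text, env=None):
    """Work out how the aws plugin block will obtain credentials and flag config mistakes.

    Returns (mode, warnings) where mode is one of:
      "env"      AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY are exported
      "static"   accessKeyId / secretAccessKey are embedded in conductor.config.json
      "profile"  a named profile from ~/.aws/credentials is referenced
      "role"     nothing is configured, so the instance/task/function role is used
    Assumption: the env > static > profile > role precedence is this example's choice.
    """
    env = env or {}
    aws = json.loads(config_text).get("plugins", {}).get("aws", {})
    warnings = []

    region = aws.get("region") or env.get("AWS_DEFAULT_REGION")
    if region is None:
        warnings.append("no region configured")
    elif not REGION_RE.match(region):
        warnings.append(f"region {region!r} is malformed (expected e.g. us-east-1)")

    has_key = "accessKeyId" in aws
    has_secret = "secretAccessKey" in aws
    has_static = has_key or has_secret
    has_profile = "profile" in aws
    if has_static and not (has_key and has_secret):
        warnings.append("accessKeyId and secretAccessKey must be set together")
    if has_static and has_profile:
        warnings.append("both profile and static keys are set; omit accessKeyId/secretAccessKey when using a profile")

    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        mode = "env"
    elif has_static:
        mode = "static"
        warnings.append("long-lived keys are embedded in the config; prefer a profile or an attached IAM role")
    elif has_profile:
        mode = "profile"
    else:
        mode = "role"
    return mode, warnings


if __name__ == "__main__":
    import os

    # Path assumed for the demo; point it at your own conductor.config.json.
    with open("conductor.config.json") as fh:
        print(aws_credential_mode(fh.read(), os.environ))
```

Run against the sample block from the Conductor config section, this reports mode "static" with two warnings: the profile/static-key conflict and the reminder that long-lived keys in the config are the least preferred option.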

Security best practices

  • Never use root account access keys. Root keys cannot be scoped to specific actions.
  • When Conductor runs on EC2, attach an IAM role to the instance. Use instance metadata credentials rather than long-lived keys.
  • When Conductor runs inside a Lambda function, the function execution role provides credentials automatically.
  • Rotate access keys every 90 days. Use IAM Access Analyzer to audit permissions.
  • Enable CloudTrail to log all API calls made by Conductor credentials.
  • Scope IAM policies to specific resources (bucket ARNs, function ARNs) wherever possible instead of using wildcards.
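The last bullet, and the wildcard resources in the Required IAM policies section, are the kind of thing worth checking mechanically. The following is an added example (not Conductor's code): a linter that walks a policy document and reports every Allow statement granting a resource-scopable action on a wildcard resource, plus a builder that rewrites the page's S3 policy for a single bucket. The STAR_ONLY_ACTIONS allowlist is this example's own and lists only actions from this page that AWS evaluates solely against Resource "*" (they have no resource-level permissions), so a wildcard there is unavoidable and is not reported. The bucket name passed to scope_s3_policy is a placeholder.

```python
import json

# The S3 policy exactly as it appears on this page, so the linter runs on real input.
PAGE_S3_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::*",
        "arn:aws:s3:::*/*"
      ]
    }
  ]
}"""

# Actions that only accept Resource "*" (no resource-level permissions). Assumption: this
# allowlist is this example's own and covers only actions used on the page.
STAR_ONLY_ACTIONS = {
    "s3:ListAllMyBuckets",
    "ec2:DescribeInstances", "ec2:DescribeInstanceStatus", "ec2:DescribeRegions",
    "lambda:ListFunctions",
    "cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics",
}


def is_wildcard(resource):
    """True for "*" or an ARN whose resource segment is nothing but wildcards.

    arn:aws:s3:::* and arn:aws:s3:::*/* qualify; arn:aws:s3:::my-bucket/* does not.
    """
    if resource == "*":
        return True
    parts = resource.split(":", 5)
    return len(parts) == 6 and parts[5].strip("*/") == ""


def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)


def lint_policy(policy):
    """Return (action, resource) pairs where an Allow statement grants a resource-scopable
    action on a wildcard resource. Accepts a JSON string or an already-parsed dict."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        for resource in _as_list(stmt.get("Resource", [])):
            if not is_wildcard(resource):
                continue
            for action in actions:
                if action not in STAR_ONLY_ACTIONS:
                    findings.append((action, resource))
    return findings


def scope_s3_policy(bucket):
    """The page's S3 policy narrowed to one bucket. ListAllMyBuckets keeps "*" because that
    is all it accepts; bucket-level actions go on the bucket ARN, object actions on objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "*"},
            {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


if __name__ == "__main__":
    for action, resource in lint_policy(PAGE_S3_POLICY):
        print(f"wildcard grant: {action} on {resource}")
    # "conductor-artifacts" is a placeholder bucket name.
    print(json.dumps(scope_s3_policy("conductor-artifacts"), indent=2))
```

On the page's S3 policy the linter reports ten grants (five scopable actions across two wildcard resources); on the scoped rewrite it reports none. Running the same check over the EC2 policy flags only ec2:StartInstances and ec2:StopInstances, which is exactly the pair that can be pinned to instance ARNs.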