Skip to main content
RisingWave Cloud exposes a set of environment-specific metadata values for each project. These values are required when setting up cross-account access (IAM role assume) and PrivateLink connections. All values are read-only and are generated automatically when a project is created.

Where to find cloud metadata

In the RisingWave Cloud Console, go to your project and click Connection in the left sidebar. Then select the Cloud Meta tab.
Cloud Meta tab in the Connection page of the RisingWave Cloud Console
Cloud metadata is only available for projects on the Standard plan or above.

Metadata fields

Workload Identity (IAM Role ARN)

FieldExample value
Workload Identity (IAM Role ARN)arn:aws:iam::023339134545:role/g1jk13sq56ejdref71h1cvokbh-role
The AWS IAM role ARN that RisingWave Cloud uses to access AWS resources on behalf of this project. When you configure IAM role assume (cross-account S3 access), you add this ARN as a trusted principal in your IAM role’s trust policy.
FieldExample value
PrivateLink Principalarn:aws:iam::023339134545:role/test-useast1-eks-a-cloudagent-role
The AWS principal associated with the RisingWave Cloud deployment that hosts your project. When you create a PrivateLink endpoint service in your AWS account, add this principal to the list of Allowed principals so that RisingWave Cloud can connect to your service.

Egress public IPs

FieldExample value
Egress public IPs203.0.113.10, 203.0.113.11
The public IP addresses from which outbound traffic from this project originates. Add these IPs to the allowlist of any firewall rules or security groups that restrict inbound access to your services (for example, a database or Kafka cluster that RisingWave connects to).

Cloud metadata by platform

Metadata fieldAWSGCPAzure
Workload Identity (IAM Role ARN)✅ (service account email)✅ (managed identity resource ID)
PrivateLink Principal✅ (AWS account ARN)✅ (GCP project number)✅ (Azure subscription ID)
Egress public IPs
GCP and Azure metadata field names differ from the AWS equivalents. The Console labels each field for the platform of your project.

Next steps

  • Set up IAM role assume — use the IAM role ARN to grant RisingWave Cloud cross-account S3 access.
  • Configure PrivateLink — use the PrivateLink Principal when setting up your endpoint service’s allowed principals.