Create IAM Role
OtterTune uses an IAM role to establish a trusted relationship with your Amazon account. The role policy includes an External ID to designate who can assume the role. This is the preferred method for interacting with 3rd party accounts according to the AWS IAM User Guide. OtterTune randomly generates an External ID for each organization.
Important: You only have to create the IAM role once for your organization. OtterTune will prompt you to create the IAM role the first time a user adds a database to your organization. If you have already completed this step, proceed to Add Database. If you would like to replace an existing OtterTune IAM role connection, see Update IAM Role.

OtterTune Console

  1. Navigate to and sign in with your credentials.
  2. Select + New Database.
  3. The page should look like the screenshot below if your organization has not created the IAM role yet. If you have already set up the IAM role, proceed to the Add Database instructions. Take note of the External ID that will be used to create the role in the next step.

IAM Role Setup

Choose a method for setting up the necessary AWS role. Automatic Setup with CloudFormation is recommended.

Automatic Setup with CloudFormation

  1. Select "CloudFormation" and then Quick Create IAM Role from the OtterTune console.
  2. Log in to the AWS console.
  3. On the CloudFormation form:
    1. Copy/paste the External ID from the OtterTune console into the form.
    2. Optionally input the AWS DB Parameter Group ARNs for the databases you wish to tune into the form. This information is needed for tuning only (not monitoring) but can be updated later on.
    3. Check the acknowledgment box at the bottom of the form.
    4. Select Create stack.

Automatic Setup with Terraform

  1. Install Terraform.
  2. Select "Terraform" from the OtterTune console.
  3. Copy the Terraform configuration snippet from the OtterTune console.
  4. Navigate to the relevant OtterTune Terraform registry for additional documentation.
  5. Paste the snippet copied from Step 3 into your local Terraform configuration containing AWS provider information. If you do not already have one, you may see an error; in that case, navigate to the AWS registry documentation for instructions on setting up AWS with Terraform.
  6. Run terraform init from the directory of your Terraform configuration.
  7. Optionally run terraform plan to preview the changes. Run terraform apply to complete the IAM role creation.

Manual Setup from the AWS Console

  1. To begin the role creation steps, navigate to the AWS IAM Console.
  2. Select Another AWS account for the trusted entity type.
  3. For the Account ID, enter 691523222388. This is OtterTune's AWS account ID.
  4. Select Require external ID and enter the external ID generated by OtterTune.
  5. Select Next: Permissions.
  6. Select Create policy. This will open a new window.
  7. Select the JSON tab and copy the policy below into the text box.
  8. Select Next: Tags.
  9. Select Next: Review.
  10. For the Name, enter a descriptive policy name such as OtterTuneDBPolicy.
  11. Select Create Policy. You can now close this window and return to the role creation steps.
  12. Select the refresh button. Then enter the policy name you chose in step 10 into the search box and select the policy when it appears in the list of results.
  13. Select Next: Tags.
  14. Select Next: Review.
  15. For the Role name, enter a descriptive name such as OtterTuneRole.
  16. Select Create role.

OtterTune IAM Role Policy (JSON)

"Version": "2012-10-17",
"Statement": [
"Action": [
"Resource": [
"Effect": "Allow"
"Action": [
"Resource": [
"Effect": "Allow"

Enter the IAM Role ARN

After creating the IAM role, switch back to the OtterTune console and submit the ARN of the created role to complete the connection. The role ARN has the following form:
arn:aws:iam::<your-account>:role/<ottertune-role-name>
You can construct the ARN by replacing <your-account> and <ottertune-role-name> (OtterTuneRole by default) with their respective values. Alternatively, you can copy the ARN from the AWS IAM console by selecting the role. Then select Submit.
This will send you to the next page to add your database. We discuss these steps on the next page.
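
Once the role exists, its trust policy can be checked for the two settings the manual steps configure: OtterTune's account ID as the only trusted principal and a required External ID. The following is an added example, not OtterTune's own code; the function names and the sample External ID are assumptions, and the sample policy is constructed in the shape the AWS console generates.

```python
import copy

OTTERTUNE_ACCOUNT_ID = "691523222388"  # OtterTune's AWS account ID (from the manual setup steps)

def _as_list(value):
    # IAM accepts a single string wherever it accepts a list of strings.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    # Accept a bare 12-digit account ID or an arn:aws:iam::<account>:... ARN.
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 and parts[:3] == ["arn", "aws", "iam"] else principal

def audit_trust_policy(policy, expected_external_id):
    """Return findings for a role trust policy; an empty list means it matches the setup steps."""
    findings = []
    allows = [s for s in _as_list(policy.get("Statement"))
              if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action"))]
    if not allows:
        return ["no Allow statement grants sts:AssumeRole"]
    for stmt in allows:
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"AWS"}:
            findings.append(f"principal is not limited to an AWS account: {principal!r}")
        else:
            for p in _as_list(principal["AWS"]):
                if _account_of(p) != OTTERTUNE_ACCOUNT_ID:
                    findings.append(f"unexpected trusted principal: {p}")
        # Condition keys are case-insensitive, so compare them lowercased.
        equals = (stmt.get("Condition") or {}).get("StringEquals") or {}
        ext_ids = _as_list({k.lower(): v for k, v in equals.items()}.get("sts:externalid"))
        if not ext_ids:
            findings.append("no sts:ExternalId condition on the trust statement")
        elif ext_ids != [expected_external_id]:
            findings.append("sts:ExternalId does not match the value shown in the OtterTune console")
    return findings

# Constructed sample, shaped like the AssumeRolePolicyDocument returned by `aws iam get-role`.
EXTERNAL_ID = "example-external-id-0000"  # placeholder, not a real OtterTune value
GOOD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{OTTERTUNE_ACCOUNT_ID}:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}
NO_EXTERNAL_ID = copy.deepcopy(GOOD)
del NO_EXTERNAL_ID["Statement"][0]["Condition"]

if __name__ == "__main__":
    for name, doc in (("good", GOOD), ("no external id", NO_EXTERNAL_ID)):
        print(name, "->", audit_trust_policy(doc, EXTERNAL_ID) or "OK")
```

To audit a real role, pass the parsed AssumeRolePolicyDocument from `aws iam get-role` together with the External ID shown in the OtterTune console.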

Update IAM Role

If at any time you would like to replace your existing IAM role connection with OtterTune, select the icon in the top right of your screen and select Change IAM Role. Then follow the same steps as IAM Role Setup.