
Outdated release! Latest docs are Release 8.2: API Workflow - Manage AWS Configurations

   

For the latest updates on available API endpoints and documentation, see api.trifacta.com.

Overview

The Trifacta® platform supports several methods of authenticating to AWS resources. At the topmost level, authentication can be broken down into two modes: system and user.
  • System mode: A single set of credentials is shared by all users of the platform to authenticate to AWS.
  • User mode: Individual user accounts must be configured with AWS credentials.

    NOTE: This section covers how to manage AWS credentials for individual users (user mode). When in system mode, please manage AWS configuration through the application.

To connect to AWS resources and access S3 data, the following information is required for each user:

 

Item: Description

credential provider type: For user mode, the following types of credential provider are supported:

  • default - user must provide an AWS key/secret combination
  • temporary - temporary authentication is provided based on a specified IAM role
  • instance - authentication is provided based on an EC2 instance role

role: (credential provider type is temporary) The IAM role to use to authenticate.

key/secret: (credential provider type is default) The AWS key and secret for the user to authenticate.

default bucket: The default S3 bucket where the user can upload data and store generated results.

extra buckets: Any extra S3 buckets to which the user should have access.

The above pieces of information must be provided for each user. To facilitate this, the Trifacta platform supports the awsConfig object, which contains all of the above information. An awsConfig object is a set of AWS configuration properties that can be created, modified, and assigned to individual users via API. This workflow steps through that process.

Basic Workflow

  1. Acquire information.
  2. Create an awsConfig object.
  3. Modify the object as needed.

  4. Locate the internal identifier for the user to which to assign the configuration object.
  5. Assign the awsConfig object to a user.
  6. Verify that the assignment is working.

Step - Acquire information

Acquire all of the information listed above for the awsConfig object you wish to create. In this example, the credential provider type is set to temporary, which means that authentication is determined by an IAM role.

Step - Create awsConfig object

Create the AWS configuration object.

Request:

Endpoint: http://www.wrangle-dev.example.com:3005/v4/awsConfigs
Authentication: Required
Method: POST
Request Body:
{
    "mode": "user",
    "credentialProvider": "temporary",
    "role":"<my_iam_role>",
    "defaultBucket":"main_bucket",
    "extraBuckets":["extra-bucket1","extra-bucket2"]
}

Response:

Status Code: 201 - Created
Response Body:
{
    "extraBuckets": [
        "extra-bucket1",
        "extra-bucket2"
    ],
    "id": 6,
    "credentialProvider": "temporary",
    "role": "<my_iam_role>",
    "defaultBucket": "main_bucket",
    "updatedAt": "2019-04-16T23:06:32.049Z",
    "createdAt": "2019-04-16T23:06:32.047Z",
    "externalId": null,
    "credential": null
}

Checkpoint: In the above, the awsConfig object has an internal identifier (id=6). Retain this information for later.

For more information, see API AWSConfigs Create v4.

Step - Modify awsConfig object

Suppose you realize that an extra bucket (extra-bucket3) is missing and that the role you specified is incorrect. You can use the following method to modify the created configuration object.

NOTE: When modifying an awsConfig object, you only need to include the parameters that you are modifying in the request. You must include the full value of the parameters, so all buckets must be listed in the following example.

Request:

Endpoint: http://www.wrangle-dev.example.com:3005/v4/awsConfigs/6
Authentication: Required
Method: PUT
Request Body:
{
    "role": "<my_iam_role2>",
    "extraBuckets":["extra-bucket1","extra-bucket2", "extra-bucket3"]
}

Response:

Status Code: 200 - Ok
Response Body:
{
    "extraBuckets": [
        "extra-bucket1",
        "extra-bucket2",
        "extra-bucket3"
    ],
    "id": 6,
    "credentialProvider": "temporary",
    "role": "<my_iam_role2>",
    "defaultBucket": "main_bucket",
    "updatedAt": "2019-04-16T23:06:32.049Z",
    "createdAt": "2019-04-16T23:06:32.047Z",
    "externalId": null,
    "credential": null
}

Step - Locate user

Now, you need to locate the internal identifier for the user to which you wish to assign this AWS configuration.

Request:

Endpoint: http://www.wrangle-dev.example.com:3005/v4/people
Authentication: Required
Method: GET
Request Body: None.

Response:

Status Code: 200 - Ok
Response Body:
{
    "data": [
        {
            "id": 3,
            "email": "4070250@example.com",
            "name": "Test User4070250",
            "ssoPrincipal": null,
            "hadoopPrincipal": null,
            "isAdmin": false,
            "isDisabled": false,
            "forcePasswordChange": false,
            "state": "active",
            "lastStateChange": null,
            "createdAt": "2019-04-16T16:27:51.143Z",
            "updatedAt": "2019-04-16T16:27:56.630Z",
            "outputHomeDir": "/trifacta/queryResults/4070250@example.com",
            "fileUploadPath": "/trifacta/uploads",
            "awsConfig": {
                "id": 2
            }
        },
        {
            "id": 2,
            "email": "32870@example.com",
            "name": "Test User32870",
            "ssoPrincipal": null,
            "hadoopPrincipal": null,
            "isAdmin": false,
            "isDisabled": false,
            "forcePasswordChange": false,
            "state": "active",
            "lastStateChange": null,
            "createdAt": "2019-04-16T16:27:19.511Z",
            "updatedAt": "2019-04-16T16:27:26.703Z",
            "outputHomeDir": "/trifacta/queryResults/32870@example.com",
            "fileUploadPath": "/trifacta/uploads",
            "awsConfig": {
                "id": 1
            }
        },
        {
            "id": 1,
            "email": "<admin_email>",
            "name": "Administrator",
            "ssoPrincipal": null,
            "hadoopPrincipal": null,
            "isAdmin": true,
            "isDisabled": false,
            "forcePasswordChange": false,
            "state": "active",
            "lastStateChange": null,
            "createdAt": "2019-04-16T07:44:04.299Z",
            "updatedAt": "2019-04-16T16:28:16.379Z",
            "outputHomeDir": "/trifacta/queryResults/admin@trifacta.local",
            "fileUploadPath": "/trifacta/uploads",
            "awsConfig": {
                "id": 3
            }
        }
    ]
}

 

 

Checkpoint: In the above, note that userId=2 is associated with awsConfig object id=1. Retain this userId for later.

 

For more information, see API AWSConfigs Put v4.

Step - Assign awsConfig to User

Now, you can assign the awsConfig (id=6) to the user you identified in the previous step (userId=2).

 

Request:

Endpoint: http://www.wrangle-dev.example.com:3005/v4/people/2/awsConfigs/6
Authentication: Required
Method: PUT
Request Body: None.

 

Response:

Status Code: 200 - Ok
Response Body:
[
    {
        "id": 2,
        "email": "32870@example.com",
        "name": "Test User32870",
        "ssoPrincipal": null,
        "hadoopPrincipal": null,
        "isAdmin": false,
        "isDisabled": false,
        "forcePasswordChange": false,
        "state": "active",
        "lastStateChange": null,
        "createdAt": "2019-04-16T16:27:19.511Z",
        "updatedAt": "2019-04-16T16:27:26.703Z",
        "outputHomeDir": "/trifacta/queryResults/32870@example.com",
        "fileUploadPath": "/trifacta/uploads",
        "awsConfig": {
            "id": 6
        }
    }
]

 

 

Checkpoint: User id=2 now uses awsConfig id=6 to authenticate and connect to AWS resources.

Step - Verify Authentication

To verify that the above configuration works:

  1. User id=2 should log in to the application.
  2. User uploads assets through the Import Data page.
  3. User creates a short recipe that modifies these assets.
  4. User runs a job on that recipe to generate output to the default S3 bucket in CSV or JSON for downloading.
  5. User verifies that the results can be downloaded.

Checkpoint: You're done.
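
The API steps of this workflow as one scripted sequence, with checks before the create call and after the assignment. This is an added example, not part of the original documentation. The `send` transport (which must attach whatever authentication your deployment requires) and the function names are assumptions; the endpoints and field names are the ones shown on this page.

```python
BASE = "http://www.wrangle-dev.example.com:3005/v4"  # host from this page's examples
PROVIDERS = {"default", "temporary", "instance"}     # types listed in the table


def check_config(cfg):
    """Return a list of problems found in an awsConfig request body."""
    problems = []
    provider = cfg.get("credentialProvider")
    if provider not in PROVIDERS:
        problems.append("unknown credentialProvider")
    if provider == "temporary" and not cfg.get("role"):
        problems.append("temporary provider requires a role")
    if not cfg.get("defaultBucket"):
        problems.append("defaultBucket is missing")
    return problems


def bucket_update(current, new_bucket):
    """Build a PUT body that adds one bucket; the full list must be resent."""
    buckets = list(current["extraBuckets"])
    if new_bucket not in buckets:
        buckets.append(new_bucket)
    return {"extraBuckets": buckets}


def assign_config(send, email, cfg):
    """Create cfg and bind it to the user with this email.

    send(method, url, body) is a hypothetical transport that adds the
    required authentication and returns the parsed JSON response.
    Returns (user id, previous awsConfig id, new awsConfig id).
    """
    problems = check_config(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    created = send("POST", f"{BASE}/awsConfigs", cfg)
    people = send("GET", f"{BASE}/people", None)["data"]
    matches = [p for p in people if p["email"] == email]
    if len(matches) != 1:  # never guess which account receives AWS access
        raise LookupError(f"expected exactly one user for {email}")
    user = matches[0]
    previous = (user.get("awsConfig") or {}).get("id")
    url = f"{BASE}/people/{user['id']}/awsConfigs/{created['id']}"
    updated = send("PUT", url, None)[0]
    # Confirm the response shows the intended user bound to the new object.
    if (updated["id"], updated["awsConfig"]["id"]) != (user["id"], created["id"]):
        raise RuntimeError("assignment not reflected in response")
    return user["id"], previous, created["id"]
```

Recording the previous awsConfig id returned by `assign_config` gives you the value needed to restore the user's earlier configuration if the verification step fails.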
