Release 6.0.2

For Designer Cloud Enterprise Edition, you can configure AWS authentication on a per-user basis, using temporary credentials, which are more secure than long-lived key/secret pairs.

Enable

The following parameters must be set:

Property: "aws.readFromConfigurationService": false,
Description: Set this value to false for Designer Cloud Enterprise Edition, which prevents the product from retrieving AWS-related configuration information from the incorrect source.

Property: "aws.mode": "user",
Description: Each user can specify credentials.

Property: "feature.showAWSTemporaryCredentialProviderOption": true,
Description:
  • If true, then an IAM role must be provided for each user:

    Tip: This method is recommended.

    • Individual users can provide an IAM role in the User Profile page.
    • Alteryx administrators can manage S3 access for individual users through the Admin Settings page. See Manage Users.
    • See the following parameter.
  • If false, then users must provide less secure AWS key/secret combinations in their User Profile page.

    NOTE: If this parameter is false, do not complete any more configuration in this section. Individual users must provide key/secret combinations. See User Profile Page.

If feature.showAWSTemporaryCredentialProviderOption is enabled, then you can authenticate to AWS services from the Designer Cloud Powered by Trifacta platform using an IAM role:

Property: "aws.ec2InstanceRoleForAssumeRole": true,
Description:
  • If true, then all users use the EC2 instance role for authenticating to the AWS STS service for their temporary credentials.

    NOTE: You must ensure that the role provides adequate access to STS. Details are below.

    Tip: This method is recommended.

  • If false, then a system-wide set of AWS key/secret credentials must be inserted into platform configuration in the Admin Settings page as the master set of credentials to access STS for temporary credentials:

    Properties to set:

    "aws.s3.key"
    "aws.s3.secret"

    NOTE: After specifying the above key/secret combination, you can skip to the User Access section below.



Configure Per-User Authentication using IAM Role

Please complete the following general steps.

Steps:

  1. Instance role: Create an IAM role and link it to the EC2 instance where the Alteryx node is hosted. Include the following IAM policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": "arn:aws:iam::*:role/*"
            }
        ]
    }
  2. User role: Create another IAM role that provides the required access to the S3 buckets. Example:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "MyBucketAndObjectPermissions",
                "Action": [
                    "s3:GetBucketLocation",
                    "s3:ListBucket",
                    "s3:DeleteObject",
                    "s3:GetObject",
                    "s3:PutObject"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::<my_s3_bucket>",
                    "arn:aws:s3:::<my_s3_bucket>/*"
                ]
            },
            {
                "Sid": "TrifactaPublicDatasets",
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:ListBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::trifacta-public-datasets/*",
                    "arn:aws:s3:::trifacta-public-datasets"
                ]
            }
        ]
    }

    where:
    <my_s3_bucket> is the name of your bucket.

  3. Under the user role definition, edit the Trust relationship. Add the instance role to Principal:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::{awsAccountId}:role/{instanceRole}"
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }


    1. For more information, see Insert Trust Relationship in AWS IAM Role.

    2. For more granular control over the Trust relationship, see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html.
  4. Log in to the Designer Cloud Powered by Trifacta platform as an Alteryx admin.

  5. Click the link to specify storage settings. Populate the values for:
    1. IAM role
    2. Role ARN
    3. S3 Bucket Name
  6. Save your changes.
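The three IAM documents from steps 1 to 3 only work together if they agree: the instance-role policy must allow sts:AssumeRole on the user role, the user role's trust relationship must name the instance role as a principal, and the user role's S3 policy should reach only the intended buckets. The following Python script, added here as an example and not part of the product or this documentation, checks that chain offline from the JSON alone. The account id, role names and bucket name are constructed placeholders; the policy documents reproduce the steps above with <my_s3_bucket> filled in, and the wildcard-principal trust policy is a constructed misconfiguration included for contrast.

```python
import json
import re

# Constructed placeholders (not a real account, roles or bucket).
ACCOUNT_ID = "123456789012"
INSTANCE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/trifacta-instance-role"
USER_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/alice-s3-role"
BUCKET = "my-s3-bucket"

# Step 1: policy attached to the EC2 instance role, as given on the page.
INSTANCE_ROLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
                 "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::*:role/*"}]
}""")

# Step 2: S3 policy on the per-user role, with <my_s3_bucket> filled in.
USER_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "MyBucketAndObjectPermissions", "Effect": "Allow",
         "Action": ["s3:GetBucketLocation", "s3:ListBucket", "s3:DeleteObject",
                    "s3:GetObject", "s3:PutObject"],
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]},
        {"Sid": "TrifactaPublicDatasets", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::trifacta-public-datasets/*",
                      "arn:aws:s3:::trifacta-public-datasets"]},
    ],
}

# Step 3: trust relationship on the per-user role naming the instance role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": [INSTANCE_ROLE_ARN]},
                   "Action": "sts:AssumeRole"}],
}

# Constructed misconfiguration for contrast: a wildcard principal does not
# restrict who may assume the user role to the instance role.
BAD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "sts:AssumeRole"}],
}


def _as_list(value):
    """IAM accepts either a string or a list for Action/Resource/Principal values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(doc):
    return [s for s in _as_list(doc.get("Statement")) if s.get("Effect") == "Allow"]


def iam_match(pattern, value):
    """Match an IAM pattern in which '*' and '?' are the only wildcards."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def instance_can_assume(policy, role_arn):
    """True if the instance-role policy allows sts:AssumeRole on role_arn."""
    for st in _allow_statements(policy):
        if any(iam_match(a, "sts:AssumeRole") for a in _as_list(st.get("Action"))):
            if any(iam_match(r, role_arn) for r in _as_list(st.get("Resource"))):
                return True
    return False


def trust_names_principal(trust, principal_arn):
    """True only if the trust policy lists principal_arn explicitly (no wildcard)."""
    for st in _allow_statements(trust):
        if "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if principal_arn in _as_list(aws):
            return True
    return False


def s3_buckets_granted(policy):
    """Bucket names reachable by any Allow statement with s3 actions ('*' if unscoped)."""
    buckets = set()
    for st in _allow_statements(policy):
        if not any(a.startswith("s3:") or a == "*" for a in _as_list(st.get("Action"))):
            continue
        for res in _as_list(st.get("Resource")):
            if res == "*" or not res.startswith("arn:aws:s3:::"):
                buckets.add("*")
            else:
                buckets.add(res[len("arn:aws:s3:::"):].split("/", 1)[0])
    return buckets


def check_chain(instance_policy, trust, user_policy, instance_role_arn, user_role_arn, expected_buckets):
    """Return a list of findings; an empty list means the three documents agree."""
    findings = []
    if not instance_can_assume(instance_policy, user_role_arn):
        findings.append(f"instance role policy does not allow sts:AssumeRole on {user_role_arn}")
    if not trust_names_principal(trust, instance_role_arn):
        findings.append(f"trust policy of {user_role_arn} does not name {instance_role_arn}")
    granted = s3_buckets_granted(user_policy)
    if "*" in granted:
        findings.append("user role policy grants S3 actions on an unscoped resource")
    extra = granted - set(expected_buckets)
    if extra:
        findings.append(f"user role policy reaches unexpected buckets: {sorted(extra)}")
    return findings


if __name__ == "__main__":
    expected = [BUCKET, "trifacta-public-datasets"]
    for label, trust in (("documented trust policy", TRUST_POLICY),
                         ("wildcard principal", BAD_TRUST_POLICY)):
        result = check_chain(INSTANCE_ROLE_POLICY, trust, USER_ROLE_POLICY,
                             INSTANCE_ROLE_ARN, USER_ROLE_ARN, expected)
        print(f"{label}: {result or 'OK'}")
```

Run it directly to see the documented setup pass and the wildcard-principal variant reported. Note that the step 1 policy's Resource arn:aws:iam::*:role/* matches roles in every AWS account, so the trust relationship on each user role is the control that actually limits who may assume it; for that reason the check insists on the instance role's exact ARN in Principal and treats anything else as a finding.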

User Access

After per-user authentication has been enabled, each user must supply, or be assigned, the IAM role and S3 bucket to use. Users can set a default S3 bucket and IAM role for temporary credentials in their profiles. See User Profile Page.
