To access the following AWS resources, you must configure your AWS account or accounts with the listed permissions. These permissions can be granted to an AWS access key and secret pair or to IAM roles that the platform assumes.
All access to S3 sources occurs through a single AWS account (system mode) or through an individual user's account (user mode). In either mode, the credentials in use (access key and secret, or IAM role) must grant access to the default bucket associated with the account.
NOTE: These permissions should be set up by your AWS administrator.
Read-only access policies
NOTE: To enable viewing and browsing of all folders within a bucket, the following permissions are required:
- The system account or individual user accounts must have the s3:ListAllMyBuckets permission. This action is account-wide (its Resource is *) and cannot be scoped to a single bucket; browsing the folders within the bucket itself requires s3:ListBucket on the bucket ARN.
- All objects to be browsed within the bucket must have Get access enabled (s3:GetObject on the bucket's objects, that is, on arn:aws:s3:::bucket-name/*).
The policy statement to enable read-only access to your default S3 bucket should look similar to the following. Replace 3c-my-s3-bucket with the name of your bucket:
Write access policies
Write access is enabled by adding the s3:PutObject and s3:DeleteObject actions to the above. Replace 3c-my-s3-bucket with the name of your bucket:
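As an added example (not policy text from the Trifacta documentation), the following Python builds the read-only and read/write policies described above for a given bucket name and lints their resource scoping. The policy shape (s3:ListAllMyBuckets on *, s3:ListBucket and s3:GetBucketLocation on the bucket ARN, object actions on bucket/*) and the lint_scoping helper are the author's assumptions, not the page's own policy; 3c-my-s3-bucket is the placeholder bucket name used on this page.

```python
"""Added example (not from the Trifacta page): build the read-only and
read/write S3 policies the text describes and lint their resource scoping.

Assumptions (not stated on the page): the read-only policy is modelled as
s3:ListAllMyBuckets on "*", s3:ListBucket and s3:GetBucketLocation on the
bucket ARN, and s3:GetObject on the object ARN (bucket/*). The bucket name
3c-my-s3-bucket is the page's placeholder.
"""
import json

# Actions that operate on the bucket itself vs. on the objects inside it.
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject"}


def bucket_arn(bucket: str) -> str:
    return f"arn:aws:s3:::{bucket}"


def read_only_policy(bucket: str) -> dict:
    """Read-only: enumerate buckets, browse folders, read objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # account-level action: cannot be scoped to one bucket
                "Effect": "Allow",
                "Action": ["s3:ListAllMyBuckets"],
                "Resource": ["*"],
            },
            {   # bucket-level actions go on the bucket ARN (no /*)
                "Effect": "Allow",
                "Action": sorted(BUCKET_ACTIONS),
                "Resource": [bucket_arn(bucket)],
            },
            {   # object-level actions go on the object ARN (bucket/*)
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": [bucket_arn(bucket) + "/*"],
            },
        ],
    }


def read_write_policy(bucket: str) -> dict:
    """Read/write: the read-only policy plus PutObject and DeleteObject."""
    policy = read_only_policy(bucket)
    for stmt in policy["Statement"]:
        if "s3:GetObject" in stmt["Action"]:
            stmt["Action"] = sorted(set(stmt["Action"]) | WRITE_ACTIONS)
    return policy


def allowed_actions(policy: dict) -> set:
    """All actions granted by Allow statements, regardless of resource."""
    return {a for s in policy["Statement"] if s["Effect"] == "Allow" for a in s["Action"]}


def lint_scoping(policy: dict) -> list:
    """Report common scoping mistakes: an object action on a bare bucket ARN
    (never matches any object), a bucket action on bucket/* (never matches
    the bucket), and any S3 action other than ListAllMyBuckets on "*"."""
    findings = []
    for stmt in policy["Statement"]:
        for res in stmt["Resource"]:
            is_object = res.endswith("/*")
            for action in stmt["Action"]:
                if action in OBJECT_ACTIONS and not is_object:
                    findings.append(f"{action} on {res}: needs the object ARN ({res}/*)")
                if action in BUCKET_ACTIONS and is_object:
                    findings.append(f"{action} on {res}: needs the bucket ARN ({res[:-2]})")
                if res == "*" and action.startswith("s3:") and action != "s3:ListAllMyBuckets":
                    findings.append(f"{action} on *: wider than the default bucket")
    return findings


if __name__ == "__main__":
    ro = read_only_policy("3c-my-s3-bucket")
    rw = read_write_policy("3c-my-s3-bucket")
    print(json.dumps(rw, indent=2))
    print("write adds:", sorted(allowed_actions(rw) - allowed_actions(ro)))
    print("lint:", lint_scoping(rw) or "clean")
```

The lint catches the two mistakes that most often make a policy that looks right fail in practice: object actions attached to the bare bucket ARN, and bucket actions attached to bucket/*. Run it against a policy you have hand-edited before attaching it to the role.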
Other AWS policies for S3
Policy for access to Trifacta public buckets
To access S3 assets that are created by Trifacta, you must apply the following policy definition to any IAM role that is used to access Trifacta Wrangler Enterprise. These buckets contain demo assets:
NOTE: Product walkthroughs must be enabled. For more information, see Workspace Settings Page.
For more information on creating policies, see https://console.aws.amazon.com/iam/home#/policies.
If any accessible bucket is encrypted with SSE-KMS, an additional policy granting actions on the KMS key (at least kms:Decrypt for reads, plus kms:GenerateDataKey for writes) must be deployed. For more information, see https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html.
Attribute-based access to S3
If you are using IAM roles to provide per-user access to S3, you can apply AWS session tags to requests for S3 resources, which lets you scope S3 permissions by user identifier using your enterprise's existing entitlements. IAM policies must be modified, and this feature must be enabled. For more information, see Configure AWS Per-User Auth for Temporary Credentials.
Because Redshift access goes through S3, enabling read/write access to Redshift using an IAM role requires only one addition to the above: the redshift:GetClusterCredentials permission on the IAM role used for S3. A policy statement similar to the following example must be included in any IAM role used by Trifacta platform users to access AWS resources.
The following example policy adds the GetClusterCredentials permission for the specified AWS user (matched by a condition on aws:userid). This user is permitted to get cluster credentials for three different resources:
- a personal Redshift cluster
For more information on GetClusterCredentials, see https://docs.aws.amazon.com/redshift/latest/APIReference/API_GetClusterCredentials.html.
If you are creating a connection to your AWS-based Snowflake deployment, you must specify the following policies in the operative IAM role(s) for each S3 bucket:
If you are creating your own Snowflake stage, it must point to the default S3 bucket in use by Trifacta Wrangler Enterprise. The policy that you created for read-write access to S3 should be applied to the Snowflake user.
NOTE: If users in your deployment are using IAM roles in user mode for AWS access, then the Snowflake stage must have permissions to write to the user's S3 bucket.
You must create a separate policy to permit access to the S3 bucket that backs your AWS-based Snowflake deployment. The following example provides the minimum set of permissions.
- s3:GetBucketLocation is required for access to the S3 bucket that Snowflake requires for itself.
- The additional s3:DeleteObject permissions are required only if you plan to unload files to the bucket or to automatically purge the files after loading them into a table.
- <snowflake_bucket_name> = the name of the S3 bucket that is used by Snowflake.
- <prefix> = the folder path prefix within the bucket. This value can be omitted if it is not required.
- The StringLike condition on s3:prefix limits bucket listing to the matching prefixes; a wildcard in the StringLike definition grants access to all prefixes on the bucket.
NOTE: If your bucket or prefixed path contains more than 1000 files, you may encounter the following error:
Access Denied (Status Code: 403; Error Code: AccessDenied)
To address the above error, specify the StringLike condition with the following change. This change allows access to all files while eliminating the condition that causes the above error:
For more information, see https://docs.snowflake.com/en/user-guide/data-load-s3-config-aws-iam-user.html.
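The Snowflake stage policy above and the Redshift GetClusterCredentials policy earlier on this page both depend on a Condition block (StringLike on s3:prefix, StringEquals on aws:userid). As an added example, not code from Trifacta, Snowflake or AWS, the following Python builds both policies and runs a minimal IAM-style evaluator over them so you can see which requests each condition admits before deploying. The bucket name, prefix, region, account ID, cluster name, database object names and the aws:userid value are placeholders assumed by the author; modelling the "allow all prefixes" variant as "s3:prefix": ["*"] is also the author's assumption, since the page does not show the exact change it recommends.

```python
"""Added example, not code from the Trifacta page or from Snowflake/AWS:
a minimal IAM-style evaluator for the two Condition blocks this page
relies on, StringLike on s3:prefix for the Snowflake stage bucket and
StringEquals on aws:userid for redshift:GetClusterCredentials.

Placeholders assumed here (the page does not give them): bucket
"my-snowflake-stage", prefix "trifacta/stage", region "us-west-2",
account "123456789012", cluster "examplecluster", dbuser/dbname/dbgroup
names, and an aws:userid of the form "<principal-id>:<session-name>".
The wildcard variant ("s3:prefix": ["*"]) is how the author models the
"allow all prefixes" form; the page does not show the exact change.
"""
import re


def iam_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' matches any run of characters, '?' one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def condition_holds(condition: dict, ctx: dict) -> bool:
    """StringEquals / StringLike only. A key missing from the request
    context makes the condition false, as IAM does for these operators."""
    for operator, keys in condition.items():
        if operator not in ("StringEquals", "StringLike"):
            raise ValueError(f"unsupported operator {operator}")
        for key, expected in keys.items():
            values = expected if isinstance(expected, list) else [expected]
            actual = ctx.get(key)
            if actual is None:
                return False
            if operator == "StringEquals" and actual not in values:
                return False
            if operator == "StringLike" and not any(iam_like(v, actual) for v in values):
                return False
    return True


def is_allowed(policy: dict, action: str, resource: str, ctx: dict = None) -> bool:
    """Default deny; any Allow statement whose Action, Resource and
    Condition all match grants the request (explicit Deny is not modelled)."""
    ctx = ctx or {}
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if stmt["Effect"] != "Allow" or not any(iam_like(a, action) for a in actions):
            continue
        if not any(iam_like(r, resource) for r in resources):
            continue
        if condition_holds(stmt.get("Condition", {}), ctx):
            return True
    return False


def snowflake_stage_policy(bucket: str, prefix: str, all_prefixes: bool = False) -> dict:
    """Stage-bucket policy scoped to one prefix; all_prefixes=True is the
    wildcard variant. The DeleteObject* actions are only needed for unload
    or purge-after-load."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion",
                           "s3:DeleteObject", "s3:DeleteObjectVersion"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
            },
            {   # s3:prefix is only present on List* requests, so in this
                # example the condition is kept off GetBucketLocation
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": ["*" if all_prefixes else f"{prefix}/*"]}},
            },
            {"Effect": "Allow", "Action": "s3:GetBucketLocation", "Resource": f"arn:aws:s3:::{bucket}"},
        ],
    }


def redshift_credentials_policy(region: str, account: str, cluster: str, user_id: str) -> dict:
    """GetClusterCredentials pinned to one principal via aws:userid; the
    dbuser/dbname/dbgroup names are placeholders, not values from the page."""
    base = f"arn:aws:redshift:{region}:{account}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "redshift:GetClusterCredentials",
            "Resource": [f"{base}:dbuser:{cluster}/trifacta_user",
                         f"{base}:dbname:{cluster}/analytics",
                         f"{base}:dbgroup:{cluster}/readers"],
            "Condition": {"StringEquals": {"aws:userid": user_id}},
        }],
    }


if __name__ == "__main__":
    bucket = "arn:aws:s3:::my-snowflake-stage"
    scoped = snowflake_stage_policy("my-snowflake-stage", "trifacta/stage")
    print(is_allowed(scoped, "s3:ListBucket", bucket, {"s3:prefix": "trifacta/stage/2024/"}))  # True
    print(is_allowed(scoped, "s3:ListBucket", bucket, {"s3:prefix": "other/"}))                # False
    rs = redshift_credentials_policy("us-west-2", "123456789012", "examplecluster", "AROAEXAMPLEID:alice")
    print(is_allowed(rs, "redshift:GetClusterCredentials",
                     "arn:aws:redshift:us-west-2:123456789012:dbuser:examplecluster/trifacta_user",
                     {"aws:userid": "AROAEXAMPLEID:bob"}))                                    # False
```

Two behaviours worth noting when reading the output: a ListBucket request that carries no s3:prefix at all fails the StringLike condition even in the wildcard variant, because IAM treats a missing condition key as a mismatch for these operators, and the aws:userid match is exact, so a different session name on the same role is denied. The evaluator is deliberately small (no explicit Deny, no policy variables); for anything beyond a sanity check, use the IAM policy simulator against the real role.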
Additional permissions to access EMR depend on how the Trifacta deployment is configured to interact with EMR. For more information, see Configure for EMR.