Page tree

Release 8.7.1


Our documentation site is moving!

For up-to-date documentation of release 8.7 of Self Managed Designer Cloud, please visit us at



This section provides high-level information on the different configuration methods by which  Designer Cloud Enterprise Edition authenticates to AWS resources. From here, you can jump to:

  • Configuration Workflows: Step-by-step workflows for configuring the product for a specific AWS authentication method.
  • AWS Authentication Topics: Detailed documentation on various authentication methods. 


Designer Cloud Enterprise Edition provides the following methods of authenticating to AWS.

AWS authentication mode

When connecting to AWS,  Designer Cloud Enterprise Edition supports the following basic authentication modes.

AWS ModeDescription
SystemAll users of the workspace use the same set of credentials to authenticate to AWS. Access to AWS resources is managed through a single, system account. The type of account that you specify is based on the credential provider selected below.

Each user of the workspace uses a personal set of credentials to authenticate. Authentication must be specified for individual users.

Tip: Although the steps are more involved to set up and manage per-user authentication, this method provides superior security, data governance, and overall management.

AWS credential provider type

For each access mode,  Designer Cloud Enterprise Edition supports the following types of credential providers:

Credential Provider TypeDescription
defaultCredentials are provided in the form of AWS key/secret combinations.
instanceCredentials are provided in the form of roles associated with the EC2 instance for the product.

Credentials are provided in the form of IAM roles.

Tip: This method is recommended.

EMR authentication mode

Similar to general AWS access,  Designer Cloud Enterprise Edition supports the following modes for providing credentials for EMR for running jobs. 

  • EMR system mode: All workspace users use the same AWS key/secret combination to access EMR.
  • EMR user mode: Each workspace user submits a personal set of credentials to access EMR.

The following table illustrates how AWS mode and EMR mode work together:

AWS modeSystemUser
EMR mode

SystemAWS and EMR use a single key-secret combination.
  • AWS access uses a single key-secret combination.
  • EMR access is governed by per-user credentials. Per-user credentials can be provided from one of several different providers.
UserNot supported.

AWS and EMR use the same per-user credentials for access. Per-user credentials can be provided from one of several different providers.

SSO support

Designer Cloud Enterprise Edition supports integration with a SAML SSO credential provider for AWS resources. Additional details are provided below.

Basic Configuration

Before you configure

Tip: If you prefer, you can review the available authentication workflows to see if one matches your environment.

Before you configure the product, please verify the following:

  1. You have chosen the AWS mode to use.
  2. You have chosen the credential provider type to use. 
  3. You have defined and enabled the credentials required to support the above configuration choices.

Configure AWS mode and credential provider

The following table breaks down the configuration of credentials based on the credential type and the AWS mode based on the setting of two key parameters. These two basic parameters can be configured at the same time.

  • credential provider - source of credentials: platform (default), instance (EC2 instance only), or temporary
  • AWS mode - the method of authentication from platform to AWS: system-wide or by-user

    NOTE: If you are using AWS user mode or SSO, additional configuration is required.

To configure:

  1. Login to the Designer Cloud application as an administrator.
  2. You can apply this change through the Admin Settings Page (recommended) or trifacta-conf.json. For more information, see Platform Configuration Methods.
  3. Apply the following configuration to the platform.

AWS Mode

Credential Provider


Default One system-wide key/secret combo is inserted in the platform for useEach user provides key/secret combo. 


"aws.credentialProvider": "default",
"aws.mode": "system",
"aws.s3.key": <key>,
"aws.s3.secret": <secret>, 


"aws.credentialProvider": "default",
"aws.mode": "user", 

User: Configure Your Access to S3

Instance Platform uses roles from the EC2 instance where the platform is running.Not supported. 


"aws.credentialProvider": "instance",
"aws.mode": "system",




Temporary credentials are issued based on system IAM roles.

Per-user authentication when using IAM role.


"aws.credentialProvider": "temporary",
"aws.mode": "system",
"aws.systemIAMRole": "<IAMRole">,


"aws.credentialProvider": "temporary",
"aws.mode": "user",

Default credential provider

Whether the AWS access mode is set to system or user, the default credential provider for AWS and S3 resources is the Designer Cloud Powered by Trifacta platform

"aws.mode": "system",

A single AWS Key and Secret is inserted into platform configuration. This account is used to access all resources and must have the appropriate permissions to do so.


"aws.s3.key": "<your_key_value>",
"aws.s3.secret": "<your_key_value>",
"aws.mode": "user",
Each user must specify an AWS Key and Secret into the account to access resources.For more information on configuring individual user accounts, see Configure Your Access to S3.

Default credential provider with EMR:

If you are using this method and integrating with an EMR cluster: 

  • Copying the custom credential JAR file must be added as a bootstrap action to the EMR cluster definition. See Configure for EMR.
  • As an alternative to copying the JAR file, you can use the EMR EC2 instance-based roles to govern access. In this case, you must set the following parameter:

    "aws.emr.forceInstanceRole": true,

     For more information, see Configure for EC2 Role-Based Authentication.

Instance credential provider

When the platform is running on an EC2 instance, you can manage permissions through pre-defined IAM roles. 

NOTE: AWS mode must be set to system.

NOTE: If the Designer Cloud Powered by Trifacta platform is connected to an EMR cluster, you can force authentication to the EMR cluster to use the specified IAM instance role. See Configure for EMR.

For more information, see  Configure for EC2 Role-Based Authentication.

Temporary credential provider

For even better security, you can enable use temporary credentials provided from your AWS resources based on an IAM role specified per user.  

Tip: This method is recommended by AWS.

Set the following properties.

  • If aws.mode = system, set this value to temporary.
  • If aws.mode = user and you are using per-user authentication, then this setting is ignored and should stay as default.

Per-user authentication

Individual users can be configured to provide temporary credentials for access to AWS resources, which is a more secure authentication solution.

Configure authentication for EMR

For more information, see Configure for EMR.

AWS Authentication Topics

This page has no comments.