
Overview


The platform supports

...

multiple methods of authenticating to AWS resources. At the topmost level, authentication can be broken down into two modes: system and user.

  • System mode: One set of credentials is used for each user of the platform to authenticate to AWS.
  • User mode: Individual user accounts must be configured with AWS credentials.

NOTE: This section covers how to manage AWS credentials through the APIs for individual users (user mode). When in system mode, please manage AWS configuration through the application.

...


Per-User Authentication Methods


To connect to AWS resources and access S3 data, the following information is required for each user, depending on the method of

...

authentication.

Method 1 - AWS Key and Secret

If users are providing key-secret combinations, the following information is required:

  • key/secret: (credential provider type is default) The AWS key and secret for the user to authenticate.
  • default bucket: The default S3 bucket where the user can upload data and store generated results.
  • extra buckets: Any extra S3 buckets to which the user should have access.


Method 2 - AWS IAM Role

...

ARNs

Users can access AWS resources

...

At the API level, these roles can be associated with an AWSConfig object, which is then associated with users. Details are provided later. 

...

by assigning an awsConfig object to the account.

Tip: This method is recommended.

The following information is required:

  • IAM role: (credential provider type is temporary) The

...

IAM role to use to authenticate.

    NOTE: If this information is not immediately available, a placeholder one is created when you create the configuration object. You can assign roles later. More information is provided below.

  • default bucket: The default S3 bucket where the user can upload data and store generated results.
  • extra buckets: Any extra S3 buckets to which the user should have access.

...

Authentication objects

For each authentication method, the above pieces of information must be provided for each user.

...


...

These pieces of information are defined in an awsConfig object. An awsConfig object is a set of AWS configuration properties that can be created, modified, and assigned to individual users via API

...

Basic Workflow

  1. Acquire information.
  2. Locate the internal identifier for the user to which to assign the configuration object.
  3. Create an awsConfig object, assigning the object to the user as part of the process.
    1. If you are using IAM roles, you can create one or more awsRole objects to map to corresponding awsConfig objects.
  4. Modify the object as needed.
  5. Verify that the assignment is working.

Step - Acquire information

Acquire all of the information listed above for the awsConfig object you wish to create. In this example, the credential provider type is set to temporary, which means that authentication is determined by an IAM role.


For Method 2, the awsConfig object maps to an awsRole object. An awsRole object references an IAM role and an awsConfig object. When you create an awsConfig object and its credential provider is set to temporary, the awsRole object is automatically created for you:

  • Each awsRole object maps to a single IAM role.
  • Each awsRole object is mapped to an awsConfig object.
  • The awsConfig object is then assigned to individual users.
  • Through this mechanism, you have more flexibility in assigning the active role to users.
  • As needed, the awsConfig object can be mapped at a later time to another awsRole object through the role attribute.

This workflow steps through the process for all these methods.


Step - Locate user

Now, you need to locate the internal identifier for the user to which you wish to assign this AWS configuration.

Request:

Endpoint: http://www.wrangle-dev.example.com:3005/v4/people
Authentication: Required
Method: GET
Request Body: None.

Response:

Status Code: 200 - OK
Response Body:

{
    "data": [
        {
            "id": 3,
            "email": "4070250@example.com",
            "name": "Test User4070250",
            "ssoPrincipal": null,
            "hadoopPrincipal": null,
            "isAdmin": false,
            "isDisabled": false,
            "forcePasswordChange": false,
            "state": "active",
            "lastStateChange": null,
            "createdAt": "2019-04-16T16:27:51.143Z",
            "updatedAt": "2019-04-16T16:27:56.630Z",
            "outputHomeDir": "/trifacta/queryResults/4070250@example.com",
            "fileUploadPath": "/trifacta/uploads",
            "awsConfig": {
                "id": 2
            }
        },
        {
            "id": 2,
            "email": "32870@example.com",
            "name": "Test User32870",
            "ssoPrincipal": null,
            "hadoopPrincipal": null,
            "isAdmin": false,
            "isDisabled": false,
            "forcePasswordChange": false,
            "state": "active",
            "lastStateChange": null,
            "createdAt": "2019-04-16T16:27:19.511Z",
            "updatedAt": "2019-04-16T16:27:26.703Z",
            "outputHomeDir": "/trifacta/queryResults/32870@example.com",
            "fileUploadPath": "/trifacta/uploads",
            "awsConfig": {
                "id": 1
            }
        },
        {
            "id": 1,
            "email": "<admin_email>",
            "name": "Administrator",
            "ssoPrincipal": null,
            "hadoopPrincipal": null,
            "isAdmin": true,
            "isDisabled": false,
            "forcePasswordChange": false,
            "state": "active",
            "lastStateChange": null,
            "createdAt": "2019-04-16T07:44:04.299Z",
            "updatedAt": "2019-04-16T16:28:16.379Z",
            "outputHomeDir": "/trifacta/queryResults/admin@example.com",
            "fileUploadPath": "/trifacta/uploads",
            "awsConfig": {
                "id": 3
            }
        }
    ]
}

 

 

...

For more information, see API People Get v4.

Step - Create awsConfig object

...

NOTE: Optionally, the personId value can be inserted into the request to assign the AWS configuration object to a specific user at create time, when it is created by an admin user. If it is created by a non-admin user, the object is assigned to the user who created it, and the personId value is ignored.

...



NOTE: For Method 2, an awsRole object is automatically created for you when you create the awsConfig object. It is mapped to the awsConfig object.

Request:

Endpoint: http://www.wrangle-dev.example.com:3005/v4/awsConfigs
Authentication: Required
Method: POST
Request Body:

Method 1: AWS key-secret combination

{
    "credentialProvider": "default",
    "personId": 2,
    "key": "<my_key>",
    "secret": "<my_secret>",
    "defaultBucket": "main_bucket",
    "extraBuckets":["extra-bucket1","extra-bucket2"]
}

Method 2: IAM role

{
    "credentialProvider": "temporary",
    "personId": 2,
    "role":"<my_iam_role_object>",
    "defaultBucket":"main_bucket",
    "extraBuckets":["extra-bucket1","extra-bucket2"]
}


Response for Method 2:

Status Code: 201 - Created
Response Body:

{
    "extraBuckets": [
        "extra-bucket1",
        "extra-bucket2"
    ],
    "id": 6,
    "defaultBucket": "main_bucket",
    "credentialProvider": "temporary",
    "externalId": null,
    "activeRoleId": "4",
    "updatedAt": "2019-04-16T23:06:32.049Z",
    "createdAt": "2019-04-16T23:06:32.047Z",
    "credential": null
}

Checkpoint: In the above, the awsConfig object has an internal identifier (id=6). As part of the request, this object was assigned to user 2 (personId=2). The activeRoleId attribute indicates the internal ID of the awsRole object that was automatically created for you. For more information, see API AWSConfigs Create v4.
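The two steps above, locating the user's internal id in the /v4/people response and building the /v4/awsConfigs body, can be scripted. The following Python is an added example written for this page, not code from the platform or its API documentation: it embeds a constructed, trimmed copy of the people response, and the function names, the fail-closed email match and the redaction helper are this example's own choices. It enforces the page's rule that Method 1 carries key and secret while Method 2 carries only an optional role, so a long-lived key is never sent with a temporary-credential configuration.

```python
import json
from typing import Any, Dict, List, Optional

# Constructed sample: a trimmed copy of the shape returned by GET /v4/people
# (only the fields this example reads).
PEOPLE_RESPONSE: Dict[str, Any] = json.loads("""
{
  "data": [
    {"id": 3, "email": "4070250@example.com", "isAdmin": false, "awsConfig": {"id": 2}},
    {"id": 2, "email": "32870@example.com",   "isAdmin": false, "awsConfig": {"id": 1}},
    {"id": 1, "email": "admin@example.com",   "isAdmin": true,  "awsConfig": {"id": 3}}
  ]
}
""")


def find_person_id(people: Dict[str, Any], email: str) -> int:
    """Step 'Locate user': resolve an email to the internal person id.

    Fails closed on zero or several matches so that a configuration object
    is never attached to the wrong account by a loose match.
    """
    wanted = email.strip().lower()
    matches = [p["id"] for p in people["data"] if p["email"].strip().lower() == wanted]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one user for {email!r}, found {len(matches)}")
    return matches[0]


def build_aws_config(
    credential_provider: str,
    person_id: int,
    default_bucket: str,
    extra_buckets: Optional[List[str]] = None,
    *,
    key: Optional[str] = None,
    secret: Optional[str] = None,
    role: Optional[str] = None,
) -> Dict[str, Any]:
    """Step 'Create awsConfig object': build the POST /v4/awsConfigs body.

    credentialProvider 'default' (Method 1) needs key and secret;
    'temporary' (Method 2) takes an optional role and must carry no key/secret.
    """
    body: Dict[str, Any] = {
        "credentialProvider": credential_provider,
        "personId": person_id,
        "defaultBucket": default_bucket,
        "extraBuckets": list(extra_buckets or []),
    }
    if credential_provider == "default":
        if not (key and secret):
            raise ValueError("Method 1 requires both key and secret")
        if role is not None:
            raise ValueError("role only applies when credentialProvider is temporary")
        body["key"] = key
        body["secret"] = secret
    elif credential_provider == "temporary":
        if key is not None or secret is not None:
            raise ValueError("Method 2 must not carry a long-lived key/secret")
        if role is not None:  # may be omitted: a placeholder awsRole is created server-side
            body["role"] = role
    else:
        raise ValueError(f"unknown credentialProvider {credential_provider!r}")
    return body


def redacted(body: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of a request body that is safe to log or paste into a ticket."""
    return {k: ("<redacted>" if k in ("key", "secret") else v) for k, v in body.items()}


if __name__ == "__main__":
    pid = find_person_id(PEOPLE_RESPONSE, "32870@example.com")
    body = build_aws_config("temporary", pid, "main_bucket",
                            ["extra-bucket1", "extra-bucket2"], role="<my_iam_role_object>")
    print(json.dumps(redacted(body), indent=2))
```

Sending the returned body is left to whatever HTTP client you use against the endpoint; log only the redacted() copy, because a Method 1 body carries the secret in clear.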

Step - (optional) Assign awsRole object to awsConfig object

If your credential provider is set to temporary, you can create one or more awsRole objects. An awsRole object assigns an IAM role ARN to an awsConfig object. 

...


Step - Verify Authentication

To verify that the above configuration works:

  1. User id=2 should login to the application.
  2. User uploads assets through the Import Data page.
  3. User creates a short recipe that modifies these assets.
  4. User runs a job on that recipe to generate output to the default S3 bucket in CSV or JSON for downloading.
  5. User verifies that the results can be downloaded.

Checkpoint: Configuration and verification is complete.

Step - For Method 2, assign new IAM role to awsConfig object

If you need to change the IAM role ARN for a user, you can modify the awsConfig object for that user with the new role information. 

NOTE: This section only applies if credentialProvider has been set to temporary for the object.

Tip: In the preceding step, when you created the awsConfig object and inserted an IAM role ARN for the activeRoleId value, an awsRole object was created for you, mapping the IAM role ARN to the awsConfig object. This step is only needed if you wish to add additional IAM role ARNs to the configuration object.

The following request creates the awsRole object and maps it to awsConfig id=6.

...

set to temporary for the object and if you are using multiple IAM role ARNs in the platform.

The following request modifies the awsConfig id=6.

Request:

Endpoint: http://www.wrangle-dev.example.com:3005/v4/awsConfigs/6
Authentication: Required
Method: PUT
Request Body:

{
    "role":"<my_iam_role_object_3>"
}


Response:

Status Code: 200 - OK
Response Body:

{
    "extraBuckets": [
        "extra-bucket1",
        "extra-bucket2"
    ],
    "id": 6,
    "defaultBucket": "main_bucket",
    "credentialProvider": "temporary",
    "externalId": null,
    "activeRoleId": "<awsRoleId>",
    "updatedAt": "2019-04-16T23:06:32.049Z",
    "createdAt": "2019-04-16T23:06:32.047Z",
    "credential": null
}

Response (for the request that creates the awsRole object and maps it to awsConfig id=6):

Status Code: 201 - Created
Response Body:

{
    "createdFrom": "api",
    "id": 3,
    "role": "<my_iam_role_arn_2>",
    "awsConfigId": 6,
    "updatedAt": "2019-04-16T23:06:33.008Z",
    "createdAt": "2019-04-16T23:06:33.004Z",
    "deleted_at": null
}

Checkpoint: In the above step, you assigned an additional awsRole to the awsConfig object. For more information, see API AWSRoles Create v4.

Step - Modify awsConfig object

Suppose you realize that there is a missing extra bucket (extra-bucket3) and that the role you specified is incorrect. You can use the following method to modify the created configuration object.

...


Checkpoint: In the above step, you assigned a new IAM role to the awsConfig object. The underlying awsRole object is created for you and automatically assigned. For more information, see API AWSRoles Create v4.


NOTE: After you have completed the above update, the previous awsRole object still exists. If the IAM role associated with it is no longer in use, you should delete the awsRole object. See API AWSRoles Delete v4.

Step - Switching Authentication Methods

Suppose you have created your awsConfig objects to use the AWS Key-Secret method of authenticating. You have now created a set of IAM roles that you would like to assign to your users.

The generalized workflow for completing this task is the following:

  1. Acquire the identifiers for all of the awsConfigs you wish to modify. For each awsConfig, retain the personId, so that you can map your configuration changes to individuals. See API AWSConfigs Get v4.
    1. For more information on getting your list of users, see API People Get v4.
  2. For each user account (personId), you must identify the IAM role that you wish to assign to it.
  3. Use the following modification to the awsConfig object to switch to using the IAM role for the user:

Request:

Endpoint: http://www.wrangle-dev.example.com:3005/v4/awsConfigs/6
Authentication: Required
Method: PUT
Request Body:

{
    "credentialProvider": "temporary",
    "role": "<my_iam_role_object>"
}


Response for Method 2:

...

Status Code: 200 - OK
Response Body:

{
    "extraBuckets": [
        "extra-bucket1",
        "extra-bucket2"
    ],
    "id": 6,
    "defaultBucket": "main_bucket",
    "credentialProvider": "temporary",
    "externalId": null,
    "activeRoleId": "<awsRoleId>",
    "updatedAt": "2019-04-16T23:06:32.049Z",
    "createdAt": "2019-04-16T23:06:32.047Z",
    "credential": null
}



Notes:

  • credentialProvider: To use IAM roles, this attribute must be updated to be temporary.
  • role: The IAM role to assign to the configuration.
  • personId: If needed, you can change the person (user) to which this awsConfig is applied. Note that the former user of the configuration cannot access AWS resources until you create a new configuration object for the user's account.
  • activeRoleId: (response) Internal identifier of the awsRole object that was created for you and assigned to this awsConfig object.


NOTE: The above request must be applied to each awsConfig object that you wish to remap to using an IAM role.
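The switching procedure above, together with the note after the "assign new IAM role" step that superseded awsRole objects linger until deleted, can be turned into a plan that is reviewed before any PUT is sent. The following Python is an added example written for this page, not the platform's own code: the awsConfig and awsRole records are constructed samples in the shape the page's responses show, the personId-to-role mapping is an assumed operator input with placeholder ARNs, and the function names are this example's own. It generalizes the single PUT shown on the page to every awsConfig still on key/secret.

```python
import json
from typing import Any, Dict, List, Tuple

# Constructed sample: trimmed shape of the awsConfig objects returned by GET /v4/awsConfigs.
# Two still use Method 1 (key/secret); one already uses an IAM role.
AWS_CONFIGS: List[Dict[str, Any]] = json.loads("""
[
  {"id": 1, "personId": 2, "credentialProvider": "default",   "activeRoleId": null},
  {"id": 2, "personId": 3, "credentialProvider": "default",   "activeRoleId": null},
  {"id": 6, "personId": 5, "credentialProvider": "temporary", "activeRoleId": "4"}
]
""")

# Constructed sample: awsRole objects as the AWSRoles API returns them. Role 3 was
# superseded when awsConfig 6 was re-pointed at role 4 and is no longer active.
AWS_ROLES: List[Dict[str, Any]] = json.loads("""
[
  {"id": 3, "awsConfigId": 6, "role": "<old_iam_role_arn>"},
  {"id": 4, "awsConfigId": 6, "role": "<current_iam_role_arn>"}
]
""")

# Assumed operator input (step 2 of the workflow): the IAM role chosen for each user.
ROLE_BY_PERSON: Dict[int, str] = {
    2: "<iam_role_arn_for_person_2>",
    3: "<iam_role_arn_for_person_3>",
}


def plan_switch_to_iam_roles(
    configs: List[Dict[str, Any]],
    role_by_person: Dict[int, str],
    base_path: str = "/v4/awsConfigs",
) -> List[Tuple[str, Dict[str, Any]]]:
    """Step 3: one PUT (path, body) per awsConfig still using key/secret.

    Each body carries only credentialProvider and role, so no key or secret is
    re-sent, and objects already on 'temporary' are left untouched. A user with
    no chosen role aborts the whole plan before anything is sent, rather than
    leaving that user half-migrated.
    """
    plan: List[Tuple[str, Dict[str, Any]]] = []
    for cfg in configs:
        if cfg["credentialProvider"] == "temporary":
            continue
        person_id = cfg["personId"]
        if person_id not in role_by_person:
            raise KeyError(f"no IAM role chosen for personId {person_id} (awsConfig {cfg['id']})")
        body = {"credentialProvider": "temporary", "role": role_by_person[person_id]}
        plan.append((f"{base_path}/{cfg['id']}", body))
    return plan


def unreferenced_aws_roles(configs: List[Dict[str, Any]], roles: List[Dict[str, Any]]) -> List[int]:
    """awsRole ids that no awsConfig lists as its activeRoleId: deletion candidates.

    activeRoleId is returned as a string ("4") while awsRole ids are numbers,
    so both sides are compared as strings.
    """
    active = {str(c["activeRoleId"]) for c in configs if c.get("activeRoleId") is not None}
    return sorted(r["id"] for r in roles if str(r["id"]) not in active)


if __name__ == "__main__":
    for path, body in plan_switch_to_iam_roles(AWS_CONFIGS, ROLE_BY_PERSON):
        print("PUT", path, json.dumps(body))
    print("awsRole objects to review for deletion:", unreferenced_aws_roles(AWS_CONFIGS, AWS_ROLES))
```

Review the printed plan before issuing the PUTs; after they succeed, re-fetch the awsConfigs and run unreferenced_aws_roles() again, since each remap leaves the previous awsRole object in place until it is deleted through the AWSRoles API.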