Property:

    "aws.readFromConfigurationService": false,

Description:

Set this value to false for the Trifacta platform, which prevents the product from retrieving AWS-related configuration information from the incorrect source.


Property:

    "aws.mode": "user",

Description:

Each user can specify credentials.


Property:

    "feature.showAWSTemporaryCredentialProviderOption": true,

Description:

  • If true, then an IAM role must be provided for each user:

    Tip: This method is recommended.

    • Individual users can provide an IAM role in the User Profile page.
    • Trifacta administrators can manage S3 access for individual users through the Admin Settings page. See Manage Users.
    • See the following parameter.
  • If false, then users must provide less secure AWS key/secret combinations in their User Profile page.

    NOTE: If this parameter is false, do not complete any more configuration in this section. Individual users must provide key/secret combinations. See User Profile Page.



Property:

    "aws.ec2InstanceRoleForAssumeRole": true,

Description:

  • If true, then all users use the EC2 instance role for authenticating to the AWS STS service for their temporary credentials.

    NOTE: You must ensure that the role provides adequate access to STS. Details are below.

    Tip: This method is recommended.

  • If false, then a system-wide set of AWS key/secret credentials must be inserted into platform configuration in the Admin Settings page as the master set of credentials to access STS for temporary credentials:

    Properties to set:

        "aws.s3.key"
        "aws.s3.secret"

    NOTE: After specifying the above key/secret combination, you can skip to the User Access section below.



Configure Per-User Authentication using IAM Role


  1. Instance role: Create an IAM role and link it to the EC2 instance where the Trifacta node is hosted. Include the following IAM policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": "arn:aws:iam::*:role/*"
            }
        ]
    }


  2. User role: Create another IAM role that provides the required access to the S3 buckets. Example:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "MyBucketAndObjectPermissions",
                "Action": [
                    "s3:GetBucketLocation",
                    "s3:ListBucket",
                    "s3:DeleteObject",
                    "s3:GetObject",
                    "s3:PutObject"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::<my_s3_bucket>",
                    "arn:aws:s3:::<my_s3_bucket>/*"
                ]
            },
            {
                "Sid": "TrifactaPublicDatasets",
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:ListBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::trifacta-public-datasets/*",
                    "arn:aws:s3:::trifacta-public-datasets"
                ]
            }
        ]
    }

    where:
    <my_s3_bucket> is the name of your bucket.

  3. Under the user role definition, edit the Trust relationship. Add the instance role to Principal:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::{awsAccountId}:role/{instanceRole}"
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

    1. For more information, see Insert Trust Relationship in AWS IAM Role.

    2. For more granular control over the Trust relationship, see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html.
  4. Log in to the Trifacta platform as a Trifacta admin.

  5. Click the link to specify storage settings. Populate the values for:
    1. IAM role
    2. Role ARN
    3. S3 Bucket Name
  6. Save your changes.
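As an added check, not part of the original documentation: the script below reconstructs the step 1 instance policy and the step 3 trust relationship as Python dicts (account id and role names are constructed placeholders, and the tightened policy assumes a trifacta-user-* naming convention) and confirms the AssumeRole hop is permitted in both directions. It also flags that the page's Resource of arn:aws:iam::*:role/* lets the instance role assume any role in any account, which the tightened per-account pattern avoids.

```python
import fnmatch

# Constructed placeholder values, not a real account or role names.
ACCOUNT = "123456789012"
INSTANCE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/trifacta-instance-role"
USER_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/trifacta-user-alice"

# Step 1 instance role policy as written on the page: AssumeRole on any role in any account.
INSTANCE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow",
    "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::*:role/*"}]}

# Tightened variant (assumed naming convention): only this account's user roles.
SCOPED_INSTANCE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Resource": f"arn:aws:iam::{ACCOUNT}:role/trifacta-user-*"}]}

# Step 3 trust relationship on the user role, naming the instance role as principal.
USER_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": [INSTANCE_ROLE_ARN]},
    "Action": "sts:AssumeRole"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _assume_role_statements(policy):
    """Yield Allow statements whose Action covers sts:AssumeRole."""
    for st in policy["Statement"]:
        if st.get("Effect") == "Allow" and any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(st.get("Action", []))):
            yield st

def _resources(policy):
    return [r for st in _assume_role_statements(policy) for r in _as_list(st.get("Resource", []))]

def instance_can_assume(policy, role_arn):
    """True if the instance role may call AssumeRole on role_arn (IAM * and ? match like fnmatch)."""
    return any(fnmatch.fnmatchcase(role_arn, r) for r in _resources(policy))

def trust_allows(trust_policy, principal_arn):
    """True if the user role's trust policy names principal_arn under Principal.AWS."""
    return any(principal_arn in _as_list(st.get("Principal", {}).get("AWS", []))
               for st in _assume_role_statements(trust_policy))

def assume_role_scoped(policy, account):
    """False when any AssumeRole Resource reaches beyond this account's roles, as the page's wildcard does."""
    return all(r.startswith(f"arn:aws:iam::{account}:role/") for r in _resources(policy))
```

Run the three checks against your real policy documents (loaded with json.load) before step 4; a False from assume_role_scoped means the instance role can assume roles it was never meant to.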
