Comment: Published by Scroll Versions from space DEV and version r0711

...

Property:

Code Block
"aws.readFromConfigurationService": false,

Description: Set this value to false for the product, which prevents it from retrieving AWS-related configuration information from the incorrect source.

Property:

Code Block
"aws.mode": "user",

Description: Each user can specify credentials.

To authenticate to AWS services from the platform using an IAM role:

Property:

Code Block
"aws.ec2InstanceRoleForAssumeRole": true,

Description:

  • If true, then all users use the EC2 instance role for authenticating to the AWS STS service for their temporary credentials.

    NOTE: You must ensure that the role provides adequate access to STS. Details are below.

    Tip: This method is recommended.

  • If false, then a system-wide set of AWS key/secret credentials must be inserted into platform configuration in the Admin Settings page as the master set of credentials to access STS for temporary credentials:

    Properties to set:

    Code Block
    "aws.s3.key"
    "aws.s3.secret"

    NOTE: After specifying the above key/secret combination, you can skip to the User Access section below.

Configure Per-User Authentication using IAM Role

...

  1. Instance role: Create an IAM role and link it to the EC2 instance where the node is hosted. Include the following IAM policy:

    Code Block
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": "arn:aws:iam::*:role/*"
            }
        ]
    }
  2. User role: Create another IAM role that provides the required access to the S3 buckets. Example:

    Code Block
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "MyBucketAndObjectPermissions",
                "Action": [
                    "s3:GetBucketLocation",
                    "s3:ListBucket",
                    "s3:DeleteObject",
                    "s3:GetObject",
                    "s3:PutObject"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::<my_s3_bucket>",
                    "arn:aws:s3:::<my_s3_bucket>/*"
                ]
            },
            {
                "Sid": "TrifactaPublicDatasets",
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:ListBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::trifacta-public-datasets/*",
                    "arn:aws:s3:::trifacta-public-datasets"
                ]
            }
        ]
    }

    where:
    <my_s3_bucket> is the name of your bucket.

  3. Under the user role definition, edit the Trust relationship. Add the instance role to Principal:

    Code Block
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::{awsAccountId}:role/{instanceRole}"
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

    where:
    {awsAccountId} is your AWS account ID and {instanceRole} is the name of the instance role created in step 1.

    1. For more information, see Insert Trust Relationship in AWS IAM Role.

    2. For more granular control over the Trust relationship, see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html.
  4. AWS Glue: If you are integrating with AWS Glue, additional permissions must be set. For more information, see Enable AWS Glue Access.

  5. Log in to the platform as an admin.

  6. Click the link to specify storage settings. Populate the values for:
    1. IAM role
    2. Role ARN
    3. S3 Bucket Name
  7. Save your changes.
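Steps 1 to 3 above define a two-role chain: the instance role must be allowed to call sts:AssumeRole on the user role, the user role's trust relationship must name the instance role as a principal, and the user role's permissions policy must reach the bucket and its objects. A mistake in any one leg (a typo in the trust principal, a bucket ARN without the /* object form) only surfaces at runtime as an AccessDenied. The following Python script is an added example, not part of the product or its documentation; it checks the three policy documents for consistency offline, before anything is created in IAM. The account ID, role names and bucket name are constructed placeholders. It also goes one step beyond the page: alongside the step 1 policy as written, it carries a narrowed variant whose Resource is the single user role ARN, and it flags the page's `arn:aws:iam::*:role/*` form because that lets the instance assume every role whose trust policy happens to admit it.

```python
import fnmatch
import json

# Constructed placeholder values (not from the page); substitute your own.
ACCOUNT_ID = "111122223333"
INSTANCE_ROLE = "platform-instance-role"
USER_ROLE = "platform-user-role"
BUCKET = "my-example-bucket"

INSTANCE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/{INSTANCE_ROLE}"
USER_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/{USER_ROLE}"

# Step 1 policy as the page gives it: may assume any role in any account.
PAGE_INSTANCE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::*:role/*",
    }],
}

# Same policy narrowed to the single user role the node needs to assume.
NARROWED_INSTANCE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AssumeUserRoleOnly",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": USER_ROLE_ARN,
    }],
}

# Step 2 permissions policy from the page with <my_s3_bucket> filled in.
USER_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "MyBucketAndObjectPermissions",
        "Effect": "Allow",
        "Action": ["s3:GetBucketLocation", "s3:ListBucket", "s3:DeleteObject",
                   "s3:GetObject", "s3:PutObject"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
}

# Step 3 trust relationship: only the instance role may assume the user role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [INSTANCE_ROLE_ARN]},
        "Action": "sts:AssumeRole",
    }],
}


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Principal."""
    return value if isinstance(value, list) else [value]


def allowed_resources(policy, action):
    """Resource patterns on which Allow statements grant `action`."""
    out = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and action in _as_list(stmt["Action"]):
            out.extend(_as_list(stmt["Resource"]))
    return out


def trusted_aws_principals(trust_policy):
    """AWS principals the trust policy allows to call sts:AssumeRole."""
    out = []
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(stmt["Action"]):
            out.extend(_as_list(stmt.get("Principal", {}).get("AWS", [])))
    return out


def arn_matches(pattern, arn):
    """IAM resource wildcards: '*' any run of characters, '?' one character."""
    return fnmatch.fnmatchcase(arn, pattern)


def check_role_chain(instance_policy, trust_policy, user_policy,
                     instance_role_arn, user_role_arn, bucket):
    """Return a list of findings; an empty list means the chain is consistent."""
    findings = []

    # Leg 1: the instance role must be allowed to assume the user role ...
    targets = allowed_resources(instance_policy, "sts:AssumeRole")
    if not any(arn_matches(p, user_role_arn) for p in targets):
        findings.append("instance role is not allowed to sts:AssumeRole the user role")
    # ... and should not be allowed to assume every role it can name.
    if any(p.endswith(":role/*") for p in targets):
        findings.append("instance role may assume any role; narrow Resource to the user role ARN")

    # Leg 2: the user role must trust the instance role as a principal.
    if not any(arn_matches(p, instance_role_arn) for p in trusted_aws_principals(trust_policy)):
        findings.append("user role trust policy does not list the instance role as a Principal")

    # Leg 3: the user role must reach the bucket (ListBucket) and its objects (GetObject).
    required = {
        "s3:ListBucket": f"arn:aws:s3:::{bucket}",
        "s3:GetObject": f"arn:aws:s3:::{bucket}/some/object.csv",
    }
    for action, resource in required.items():
        if not any(arn_matches(p, resource) for p in allowed_resources(user_policy, action)):
            findings.append(f"user role is missing {action} on {resource}")
    return findings


if __name__ == "__main__":
    for name, policy in (("page", PAGE_INSTANCE_ROLE_POLICY),
                         ("narrowed", NARROWED_INSTANCE_ROLE_POLICY)):
        result = check_role_chain(policy, TRUST_POLICY, USER_ROLE_POLICY,
                                  INSTANCE_ROLE_ARN, USER_ROLE_ARN, BUCKET)
        print(name, json.dumps(result, indent=2))
```

Run it with your own values substituted for the placeholders; an empty findings list for the narrowed instance policy means the three documents agree with each other, while the page's wildcard policy still passes the chain check but is reported for its over-broad Resource. The checker only models Allow statements, AWS principals and simple wildcard matching; it is a pre-flight consistency check, not a substitute for IAM's own policy simulator.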

...