Outdated release! Latest docs are Release 8.7: Configure AWS Per-User Auth for Temporary Credentials
For Trifacta® Self-Managed Enterprise Edition, you can configure AWS authentication on a per-user basis, using temporary credentials for superior security.
Before You Begin
You must configure your AWS mode of access: user. For more information, see Configure for AWS.
To enable per-user authentication using temporary credentials, the following parameters must be set:
Set this value to
Each user can specify credentials.
To authenticate to AWS services from the Trifacta platform using an IAM role:
Configure Per-User Authentication using IAM Role
Please complete the following general steps.
Instance role: Create an IAM role and link it to the EC2 instance where the Trifacta node is hosted.
Include the following IAM policy:
- For more information, see https://aws.amazon.com/premiumsupport/knowledge-center/assign-iam-role-ec2-instance/.
User role: Create another IAM role that provides the required access to the S3 buckets. Example:
where <my_s3_bucket> is the name of your bucket.
Under the user role definition, edit the Trust relationship. Add the instance role to Principal:
For more information, see Insert Trust Relationship in AWS IAM Role.
- For more granular control over the Trust relationship, see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html.
AWS Glue: If you are integrating with AWS Glue, additional permissions must be set. For more information, see Enable AWS Glue Access.
Log in to the Trifacta platform as a Trifacta admin.
- Click the link to specify storage settings. Populate the values for:
- IAM role
- Role ARN
- S3 Bucket Name
Save your changes.
Enable Attribute-Based Access to S3
When IAM roles are used for per-user authentication, Trifacta Self-Managed Enterprise Edition can be configured to pass an additional attribute as part of any request for S3 resources through AWS Security Token Service. This attribute, called a session tag, contains the Trifacta user identifier, which is the username part of the user's email address. This userId is used as the key within S3 to identify the permissions available to the user on S3. In this manner, you can leverage your existing enterprise S3 permissioning for more precise access, without having to replicate the permissioning in Trifacta Self-Managed Enterprise Edition.
For more information on session tags, see https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html.
- S3 must be set as the base storage layer. For more information, see Set Base Storage Layer.
- Trifacta Self-Managed Enterprise Edition must be configured to use IAM roles through the temporary credential provider mechanism for per-user authentication to AWS. See above.
- A userId must be matched to the identifier that is used within the enterprise infrastructure to define S3 access.
- If you are running jobs on EMR, EMR 5.29.0 and later is supported.
NOTE: After enabling the use of session tags, you must spin up a new EMR cluster, which forces EMR to use the newly deployed credential provider JAR file.
Specify general Hadoop bundle JAR file
This feature requires that you deploy the generic Hadoop bundle JAR file for use when running Spark jobs. Version-specific bundle JARs, which are used by default, do not have the latest AWS SDK binaries, which are required for this feature. There are no functional issues with using the generic bundle JAR, which includes these binaries.
Please complete the following steps.
- You can apply this change through the Admin Settings Page (recommended) or trifacta-conf.json. For more information, see Platform Configuration Methods.
Locate the following parameter and set it to the value listed below:
- Save your changes and restart the platform.
Modify IAM policy
The IAM policy used for S3 access must be modified to include the required permissions. When using session tags, any trust policies must include the sts:TagSession permission. Below, the previous policy has been modified to include the required elements:
The sts:TagSession permission must be added to all IAM roles that are used to connect to S3 or S3-related resources.
When the above change has been applied, you can enable the feature.
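The trust relationship between the instance role and the user role (described above under Configure Per-User Authentication using IAM Role) and the sts:TagSession requirement for session tags are easy to get subtly wrong, so the following is an added example, not Trifacta's own code or policy, of how to review them offline. It assumes placeholder role ARNs, a placeholder tag key (userId) and a constructed trust policy and S3 policy; the bucket name placeholder <my_s3_bucket> is the one used on this page. It checks that the user role's trust policy grants both sts:AssumeRole and sts:TagSession to the instance role (and flags a wildcard Principal), derives the session-tag value from the user's email address the way the page describes, builds the AssumeRole parameters that carry the tag, and expands the ${aws:PrincipalTag/...} variable in the S3 policy to show which prefix a given user's session is confined to.

```python
import json
import re

# Placeholder ARNs and tag key: assumptions for this example, not values from the page.
INSTANCE_ROLE_ARN = "arn:aws:iam::111122223333:role/trifacta-instance-role"
USER_ROLE_ARN = "arn:aws:iam::111122223333:role/trifacta-s3-user-role"
SESSION_TAG_KEY = "userId"
REQUIRED_TRUST_ACTIONS = {"sts:AssumeRole", "sts:TagSession"}

# Constructed trust policy for the user role: the instance role is the Principal, and
# because session tags are passed it needs sts:TagSession as well as sts:AssumeRole.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": INSTANCE_ROLE_ARN},
        "Action": ["sts:AssumeRole", "sts:TagSession"],
    }],
}

# Constructed S3 policy for the user role: each user is confined to a prefix named after
# the session tag, so S3 permissioning follows the enterprise user identifier.
S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::<my_s3_bucket>/home/${aws:PrincipalTag/%s}/*" % SESSION_TAG_KEY,
    }],
}


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy, principal_arn):
    """Review a trust policy for principal_arn; return a list of problems (empty means OK)."""
    findings = []
    allowed = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal) if principal == "*" else _as_list(principal.get("AWS", []))
        if "*" in aws_principals:
            findings.append("wildcard Principal: any AWS account could assume this role")
        if principal_arn in aws_principals or "*" in aws_principals:
            for action in _as_list(stmt.get("Action", [])):
                allowed.add(action.lower())
    for action in sorted(REQUIRED_TRUST_ACTIONS):
        if not any(a in ("*", "sts:*", action.lower()) for a in allowed):
            findings.append("missing %s for %s" % (action, principal_arn))
    return findings


def trifacta_user_id(email):
    """Tag value as the page describes it: the username part of the user's email address."""
    return email.split("@", 1)[0]


def assume_role_request(email, role_arn=USER_ROLE_ARN, tag_key=SESSION_TAG_KEY):
    """Build STS AssumeRole parameters (same keyword names as boto3 sts.assume_role)
    that carry the user's session tag. Nothing is sent to AWS here."""
    user_id = trifacta_user_id(email)
    # RoleSessionName must match [\w+=,.@-]{2,64}; replace anything else and truncate.
    session_name = re.sub(r"[^\w+=,.@-]", "-", "trifacta-" + user_id)[:64]
    return {
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "Tags": [{"Key": tag_key, "Value": user_id}],
    }


def effective_resources(policy, tags):
    """Expand ${aws:PrincipalTag/<key>} in every Resource the way IAM does at evaluation
    time, to show what a session carrying the given tags is scoped to. A tag that is not
    present is left unexpanded so the gap is visible (IAM itself would simply not match)."""
    def expand(arn):
        return re.sub(r"\$\{aws:PrincipalTag/([^}]+)\}",
                      lambda m: tags.get(m.group(1), m.group(0)), arn)
    return [expand(arn)
            for stmt in _as_list(policy.get("Statement", []))
            for arn in _as_list(stmt.get("Resource", []))]


if __name__ == "__main__":
    print("trust policy findings:", trust_policy_findings(TRUST_POLICY, INSTANCE_ROLE_ARN))
    request = assume_role_request("jane.doe@example.com")
    print(json.dumps(request, indent=2))
    print("scoped to:", effective_resources(S3_POLICY, {t["Key"]: t["Value"] for t in request["Tags"]}))
```

Running it as a script reports no findings for the constructed trust policy, prints the AssumeRole parameters with the userId tag set to jane.doe, and shows the S3 policy resolving to the home/jane.doe/ prefix; removing sts:TagSession from TRUST_POLICY produces a "missing sts:TagSession" finding, which is the failure you would otherwise only see as a denied assume-role call once session tags are enabled.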
- You apply this change through the Workspace Settings Page. For more information, see Platform Configuration Methods.
Locate the following setting, and set it to
In the following setting, specify the value that the Trifacta application should insert for the tag when requesting AWS resources:
- A restart is not required.
NOTE: Users should log out and log in again to experience the changes in permissions due to the session tags.
After per-user authentication has been enabled, each user must provide or be provided the credentials and S3 bucket to use. Users can insert a default S3 bucket and credentials to use in their profiles. See Configure Your Access to S3.