For , you can configure AWS authentication on a per-user basis, using temporary credentials for superior security. 

Enable

The following parameters must be set:

Property: "aws.readFromConfigurationService": false,
Description: Set this value to false for , which prevents the product from retrieving AWS-related configuration information from the incorrect source.

Property: "aws.mode": "user",
Description: Each user can specify credentials.


To authenticate to AWS services from the  using an IAM role:

Property: "aws.ec2InstanceRoleForAssumeRole": true,
Description:

  • If true, then all users use the EC2 instance role for authenticating to the AWS STS service for their temporary credentials.

    NOTE: You must ensure that the role provides adequate access to STS. Details are below.

    Tip: This method is recommended.

  • If false, then a system-wide set of AWS key/secret credentials must be inserted into platform configuration in the Admin Settings page as the master set of credentials to access STS for temporary credentials:

    Properties to set:

    "aws.s3.key"
    "aws.s3.secret"

    NOTE: After specifying the above key/secret combination, you can skip to the User Access section below.



Configure Per-User Authentication using IAM Role

Please complete the following general steps.

Steps:

  1. Instance role: Create an IAM role and link it to the EC2 instance where the  is hosted. Include the following IAM policy: 

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": "arn:aws:iam::*:role/*"
            }
        ]
    } 


  2. User role: Create another IAM role that provides the required access to the S3 buckets. Example:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "MyBucketAndObjectPermissions",
                "Action": [
                    "s3:GetBucketLocation",
                    "s3:ListBucket",
                    "s3:DeleteObject",
                    "s3:GetObject",
                    "s3:PutObject"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::<my_s3_bucket>",
                    "arn:aws:s3:::<my_s3_bucket>/*"
                ]
            },
            {
                "Sid": "TrifactaPublicDatasets",
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:ListBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::trifacta-public-datasets/*",
                    "arn:aws:s3:::trifacta-public-datasets"
                ]
            }
        ]
    }

    where:
    <my_s3_bucket> is the name of your bucket.

  3. Under the user role definition, edit the Trust relationship. Add the instance role to Principal:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::awsAccountId:role/instanceRole"
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }


    1. For more information, see Insert Trust Relationship in AWS IAM Role.

    2. For more granular control over the Trust relationship, see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html.
  4. AWS Glue: If you are integrating with AWS Glue, additional permissions must be set. For more information, see Enable AWS Glue Access.

  5. Log in to the  as a .

  6. Click the link to specify storage settings. Populate the values for:
    1. IAM role
    2. Role ARN
    3. S3 Bucket Name
  7. Save your changes.
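As an added offline check (example code written for this page, not the product's own code), the following Python verifies that the three policy documents from steps 1 to 3 form a complete chain: the instance role may call sts:AssumeRole on the user role, the user role's trust relationship names the instance role, and the user role can list the bucket and read its objects. The account id, role names and bucket name are constructed assumptions; paste your real policy documents in their place.

```python
import fnmatch
# Constructed sample values (assumptions, not from the page): account id, role names, bucket.
# The three policy documents below mirror the shape of the policies in the steps above.
INSTANCE_ROLE_ARN = "arn:aws:iam::123456789012:role/instanceRole"
USER_ROLE_ARN = "arn:aws:iam::123456789012:role/userRole"
BUCKET = "my-data-bucket"
INSTANCE_POLICY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                  "Resource": "arn:aws:iam::*:role/*"}]}
TRUST_POLICY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                               "Principal": {"AWS": [INSTANCE_ROLE_ARN]}}]}
USER_S3_POLICY = {"Statement": [{"Effect": "Allow",
    "Action": ["s3:GetBucketLocation", "s3:ListBucket", "s3:GetObject", "s3:PutObject"],
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _allows(policy, action, resource):
    """True if an Allow statement matches action and resource (IAM '*' wildcards honoured)."""
    return any(st.get("Effect") == "Allow"
               and any(fnmatch.fnmatchcase(action, a) for a in _as_list(st.get("Action", [])))
               and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st.get("Resource", [])))
               for st in policy["Statement"])

def trusts(trust_policy, principal_arn):
    """True if the trust relationship lets principal_arn call sts:AssumeRole."""
    for st in trust_policy["Statement"]:
        principal = st.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st.get("Action", [])) \
                and principal_arn in aws:
            return True
    return False

def check_chain(instance_policy, trust_policy, s3_policy, instance_arn, user_arn, bucket):
    """Gaps in the instance role -> user role -> bucket chain; an empty list means it is complete."""
    gaps = []
    if not _allows(instance_policy, "sts:AssumeRole", user_arn):
        gaps.append("instance role lacks sts:AssumeRole on " + user_arn)
    if not trusts(trust_policy, instance_arn):
        gaps.append("user role trust policy does not name " + instance_arn)
    for action, res in (("s3:ListBucket", f"arn:aws:s3:::{bucket}"),
                        ("s3:GetObject", f"arn:aws:s3:::{bucket}/*")):
        if not _allows(s3_policy, action, res):
            gaps.append(f"user role lacks {action} on {res}")
    return gaps

def wildcard_account_resources(policy):
    """Resources with account '*': the caller may assume a role in any account that trusts it."""
    return [r for st in policy["Statement"] for r in _as_list(st.get("Resource", []))
            if r.startswith("arn:aws:iam::*:")]
```

`wildcard_account_resources` flags the instance policy's `arn:aws:iam::*:role/*` resource from step 1, which permits the instance to assume any role in any account whose trust policy names it; replacing `*` with your own account id keeps the per-user flow working while removing the cross-account reach.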

User Access

After per-user authentication has been enabled, each user must provide or be provided the credentials and S3 bucket to use. Users can insert a default S3 bucket and credentials to use in their profiles. See Configure Your Access to S3.