
Configure for AWS Authentication

This section provides high-level information on the different configuration methods by which Designer Cloud Powered by Trifacta Enterprise Edition authenticates to AWS resources. From here, you can jump to:

  • Configuration Tasks: Step-by-step tasks for configuring the product for a specific AWS authentication method.

  • AWS Authentication Topics: Detailed documentation on various authentication methods.

Overview

Designer Cloud Powered by Trifacta Enterprise Edition provides the following methods of authenticating to AWS.

AWS authentication mode

When connecting to AWS, Designer Cloud Powered by Trifacta Enterprise Edition supports the following basic authentication modes.

  • System: All users of the workspace use the same set of credentials to authenticate to AWS. Access to AWS resources is managed through a single, system account. The type of account that you specify is based on the credential provider selected below.

  • User: Each user of the workspace uses a personal set of credentials to authenticate. Authentication must be specified for individual users.

Tip

Although the steps are more involved to set up and manage per-user authentication, this method provides superior security, data governance, and overall management.

AWS credential provider type

For each access mode, Designer Cloud Powered by Trifacta Enterprise Edition supports the following types of credential providers:

  • default: Credentials are provided in the form of an AWS access key/secret combination. These are long-lived static credentials, so they must be stored in platform configuration, protected accordingly, and rotated.

  • instance: Credentials are provided by the IAM role (instance profile) attached to the EC2 instance on which the product runs. No static key is stored in the platform.

  • temporary: Short-lived credentials are obtained by assuming an IAM role, either a single system role or a role specified per user.

Tip

The temporary credential provider is the recommended method.

EMR authentication mode

Similar to general AWS access, Designer Cloud Powered by Trifacta Enterprise Edition supports the following modes for providing credentials for EMR for running jobs.

  • EMR system mode: All workspace users use the same AWS key/secret combination to access EMR.

  • EMR user mode: Each workspace user submits a personal set of credentials to access EMR.

The following table illustrates how AWS mode and EMR mode work together:

  • AWS system mode with EMR system mode: AWS and EMR use a single key-secret combination.

  • AWS system mode with EMR user mode: AWS access uses a single key-secret combination. EMR access is governed by per-user credentials, which can be provided from one of several different providers.

  • AWS user mode with EMR system mode: Not supported.

  • AWS user mode with EMR user mode: AWS and EMR use the same per-user credentials for access. Per-user credentials can be provided from one of several different providers.

SSO support

Designer Cloud Powered by Trifacta Enterprise Edition supports integration with a SAML SSO credential provider for AWS resources. Additional details are provided below.

Basic Configuration

Before you configure

Tip

If you prefer, you can review the available authentication tasks to see if one matches your environment.

Before you configure the product, please verify the following:

  1. You have chosen the AWS mode to use.

  2. You have chosen the credential provider type to use.

  3. You have defined and enabled the credentials required to support the above configuration choices.

Configure AWS mode and credential provider

The following table breaks down the configuration of credentials by credential provider type and AWS mode. The combination is controlled by two key parameters, which can be configured at the same time:

  • credential provider - source of credentials: platform (default), instance (EC2 instance only), or temporary

  • AWS mode - the method of authentication from platform to AWS: system-wide or by-user

    Note

    If you are using AWS user mode or SSO, additional configuration is required.

To configure:

  1. Log in to the Trifacta Application as an administrator.

  2. You can apply this change through the Admin Settings Page (recommended) or trifacta-conf.json. For more information, see Platform Configuration Methods.

  3. Apply the following configuration to the platform.

Default credential provider ("aws.credentialProvider": "default")

  • System mode: One system-wide key/secret combination is inserted into the platform configuration for use by all users.

    "aws.credentialProvider": "default",
    "aws.mode": "system",
    "aws.s3.key": "<key>",
    "aws.s3.secret": "<secret>",

  • User mode: Each user provides a personal key/secret combination. See User: Configure Your Access to S3.

    "aws.credentialProvider": "default",
    "aws.mode": "user",

Instance credential provider ("aws.credentialProvider": "instance")

  • System mode: The platform uses the IAM role attached to the EC2 instance where the platform is running.

    "aws.credentialProvider": "instance",
    "aws.mode": "system",

  • User mode: Not supported.

Temporary credential provider ("aws.credentialProvider": "temporary")

  • System mode: Temporary credentials are issued based on the system IAM role.

    "aws.credentialProvider": "temporary",
    "aws.mode": "system",
    "aws.systemIAMRole": "<IAMRole>",

  • User mode: Per-user authentication using an IAM role specified per user.

    "aws.credentialProvider": "temporary",
    "aws.mode": "user",

Default credential provider

Whether the AWS access mode is set to system or user, the default credential provider for AWS and S3 resources is the Designer Cloud Powered by Trifacta platform.

  • "aws.mode": "system"

    A single AWS Key and Secret is inserted into platform configuration. This account is used to access all resources and must have the appropriate permissions to do so.

    "aws.s3.key": "<your_key_value>",
    "aws.s3.secret": "<your_secret_value>",

  • "aws.mode": "user"

    Each user must enter an AWS Key and Secret into their account to access resources.

For more information on configuring individual user accounts, see Configure Your Access to S3.

Default credential provider with EMR:

If you are using this method and integrating with an EMR cluster:

  • Copying the custom credential JAR file to the cluster must be added as a bootstrap action to the EMR cluster definition. See Configure for EMR.

  • As an alternative to copying the JAR file, you can use the EMR EC2 instance-based roles to govern access. In this case, you must set the following parameter:

    "aws.emr.forceInstanceRole": true,

    For more information, see Configure for EC2 Role-Based Authentication.

Instance credential provider

When the platform is running on an EC2 instance, you can manage permissions through pre-defined IAM roles.

Note

AWS mode must be set to system.

Note

If the Designer Cloud Powered by Trifacta platform is connected to an EMR cluster, you can force authentication to the EMR cluster to use the specified IAM instance role. See Configure for EMR.

For more information, see Configure for EC2 Role-Based Authentication.

Temporary credential provider

For even better security, you can enable the use of temporary credentials issued by your AWS resources based on an IAM role specified per user.

Tip

This method is recommended by AWS.

Set the following properties.

  • "aws.credentialProvider"

    If aws.mode = system, set this value to temporary.

    If aws.mode = user and you are using per-user authentication, this setting is ignored and should stay as default.

Per-user authentication

Individual users can be configured to provide temporary credentials for access to AWS resources, which is a more secure authentication solution.

Configure authentication for EMR

For more information, see Configure for EMR.

AWS Authentication Topics