Insert Trust Relationship in AWS IAM Role

If you are using per-user authentication through an AWS IAM role, you must insert a trust relationship into the role so that the Designer Cloud Powered by Trifacta platform can leverage it.

Prerequisites:

Note: These steps should be performed by an AWS administrator.

Please acquire the following information:

  • IAM role: The AWS IAM role that the Designer Cloud Powered by Trifacta platform should use.

  • EC2 instance role: If the EC2 instance role is to be used to assume the AWS role, then please acquire the following:

    • AWS account ID

    • EC2 instance role

    • These values are described in the steps below.

For more information on the AWS Principal options described below, please review https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html.

Steps:

  1. You can apply this change through the Admin Settings Page (recommended) or trifacta-conf.json. For more information, see Platform Configuration Methods.

  2. Locate the following parameter and retrieve its value (true or false):

    "aws.ec2InstanceRoleForAssumeRole"

  3. Log in to the AWS console.

  4. Open the IAM role for use with the Designer Cloud Powered by Trifacta platform.

  5. If aws.ec2InstanceRoleForAssumeRole=true, then the EC2 instance role is used for assuming the provided AWS role. Paste the following into the IAM role for the trust relationship:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": [
               "arn:aws:iam::<awsAccountId>:role/<ec2InstanceRole>"
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

    Property             Description
    <awsAccountId>       AWS account identifier for which the EC2 instance role is assumed
    <ec2InstanceRole>    EC2 instance role to use

  6. If aws.ec2InstanceRoleForAssumeRole=false, then the AWS user associated with the provided AWS key and secret is used to assume the role. Paste the following into the IAM role for the trust relationship, replacing the sample user ARN with the ARN of that AWS user:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::862753480162:user/sample-user"
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

  7. Save the IAM role definition.
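
The following check is an added example, not part of the original documentation or the product: it audits the trust policy JSON from step 5 or 6 before it is saved, flagging unreplaced placeholders, the sample principal from step 6, wildcard or account-wide principals, and any principal other than the one you intend to trust. The function name audit_trust_policy and the account ID and role name in the demo are constructed for illustration.

```python
import json
import re

# Principal shapes used in steps 5 and 6: one role or one user in a 12-digit account.
# Account-root ARNs (":root") are rejected because they trust the whole account.
ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:(role|user)/[\w+=,.@/-]+$")
# Sample principal shown in step 6; it must be replaced before the policy is saved.
SAMPLE_ARN = "arn:aws:iam::862753480162:user/sample-user"


def audit_trust_policy(policy_json, expected_principal):
    """Return a list of findings; an empty list means the policy passed."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # IAM also accepts a single statement object
        statements = [statements]
    if not any(s.get("Effect") == "Allow" for s in statements):
        findings.append("no Allow statement")
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if actions != ["sts:AssumeRole"]:
            findings.append(f"statement {i}: unexpected actions {actions}")
        principal = stmt.get("Principal", {})
        arns = principal.get("AWS", []) if isinstance(principal, dict) else principal
        arns = [arns] if isinstance(arns, str) else arns
        if not arns:
            findings.append(f"statement {i}: no AWS principal listed")
        for arn in arns:
            if arn == "*":
                findings.append(f"statement {i}: wildcard principal")
            elif "<" in arn or ">" in arn:
                findings.append(f"statement {i}: unreplaced placeholder in {arn}")
            elif arn == SAMPLE_ARN:
                findings.append(f"statement {i}: sample principal left in place")
            elif not ARN_RE.match(arn):
                findings.append(f"statement {i}: not a role or user ARN: {arn}")
            elif arn != expected_principal:
                findings.append(f"statement {i}: unexpected principal {arn}")
    return findings


if __name__ == "__main__":
    # Constructed input: the step 5 template pasted without replacing placeholders.
    pasted = json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": ["arn:aws:iam::<awsAccountId>:role/<ec2InstanceRole>"]}}]})
    print(audit_trust_policy(pasted, "arn:aws:iam::111122223333:role/example-ec2-role"))
```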