Enable Regional STS Endpoints for EMR

By default, AWS STS requests are routed to the global endpoint. Enabling regional STS endpoints ensures that API calls are directed to the respective AWS region, reducing latency and improving performance. This configuration allows only specific users (e.g., hadoop, hive, trino) to access the regional STS endpoints.

Enable Regional STS Endpoints for Specific Users

To enable regional STS endpoints for specific users, follow these steps:

  1. SSH into the instance where Privacera Manager is installed.
  2. Run the following command to edit the vars.emr.yml file:
    Bash
    cd ~/privacera/privacera-manager
    vi config/custom-vars/vars.emr.yml
    
  3. Modify the following properties:

    Feature                 | Description                                                                    | Default Value     | Possible Values
    EMR_BLOCK_STS_ENDPOINTS | Enables or disables the use of AWS STS regional endpoints for specified users. | false             | true/false
    EMR_STS_STATE           | Users allowed to use regional STS endpoints (space-separated list).            | hive presto trino | Space-separated list of users
  4. Once the properties are configured, apply them to your Privacera Manager platform instance by running the following commands:

    Bash
    cd ~/privacera/privacera-manager
    ./privacera-manager.sh post-install
    

Enable Regional STS Endpoints for Users on Running EMR Clusters

To enable regional STS endpoints for specific users on running EMR clusters, follow these steps:

  1. SSH into the EMR master and core nodes.
  2. Change to the directory that contains the Privacera setup scripts:
    Bash
    cd /opt/privacera/downloads/scripts
    
  3. To enable regional STS endpoints for specific users, run the following command:
    Bash
    sudo sh setup_privacera_regional_sts.sh <region> "<user1 user2 user3>"
    
    • Replace <region> with the AWS region where the EMR cluster is running.
    • Replace <user1 user2 user3> with a space-separated list of users allowed to access regional STS endpoints.
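The shell helper below is an added example and is not part of the Privacera documentation or product. It wraps the setup step described above: it rejects a malformed region name and a user list containing accounts that do not exist on the node before the script is run, and it derives the regional STS endpoint URL so that an operator can confirm afterwards that a permitted user really reaches sts.<region>.amazonaws.com. The script path is the one shown above; the function names and the region pattern are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Privacera code): argument checks and a post-setup
# verification hint for setup_privacera_regional_sts.sh on an EMR node.

# Returns 0 when REGION looks like a commercial or GovCloud AWS region id
# (us-east-1, eu-west-2, us-gov-west-1); an availability-zone suffix such
# as us-east-1a or a bare "useast1" is rejected.  Pattern is an assumption.
valid_region() {
  printf '%s' "$1" | grep -Eq '^[a-z]{2}(-gov)?-[a-z]+-[0-9]+$'
}

# Returns 0 when every name in the space-separated USERS list is a local
# account (as seen by id(1)); missing names are reported on stderr.
users_exist() {
  missing=""
  for u in $1; do
    if ! id -u "$u" >/dev/null 2>&1; then
      missing="$missing $u"
    fi
  done
  if [ -n "$missing" ]; then
    echo "users not found on this host:$missing" >&2
    return 1
  fi
  return 0
}

# Builds the regional STS endpoint URL for REGION (commercial partition;
# China regions use the amazonaws.com.cn domain instead).
sts_regional_endpoint() {
  printf 'https://sts.%s.amazonaws.com\n' "$1"
}

# Validates both arguments, then runs the Privacera setup script exactly as
# the documentation shows.  Exit codes: 2 bad region, 3 unknown user.
run_regional_sts_setup() {
  region="$1"
  users="$2"
  valid_region "$region" || { echo "invalid region: $region" >&2; return 2; }
  users_exist "$users" || return 3
  sudo sh /opt/privacera/downloads/scripts/setup_privacera_regional_sts.sh \
    "$region" "$users"
}

# Post-setup check: run as one of the permitted users and ask the regional
# endpoint who you are.  Requires the AWS CLI and instance credentials.
verify_regional_sts_for_user() {
  user="$1"
  region="$2"
  sudo -u "$user" aws sts get-caller-identity \
    --endpoint-url "$(sts_regional_endpoint "$region")" --region "$region"
}

# Typical use on a master/core node (not executed when the file is sourced):
#   run_regional_sts_setup us-east-1 "hadoop hive trino"
#   verify_regional_sts_for_user hive us-east-1
```

Run the two calls in the trailing comment on each master and core node after the setup; a non-zero exit from `run_regional_sts_setup` means the script was never invoked, so the node's STS routing is unchanged and the argument error can be corrected first.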