Prerequisites for Lake Formation Pull Mode¶

AWS Lake Formation connector with Privacera using the Pull mode requires the following prerequisites:

Mandatory Prerequisites¶

Prerequisites	Detail
IAM policies for managing Lake Formation Policies. Refer	This is used to update the policies in AWS Lake Formation.
IAM policies to read from Glue Data Catalog Refer	This is used the retrieve the list of databases and tables from AWS Glue Catalog.
IAM policies to retrieve IAM Roles Refer	This is used to retrieve the list of roles and users from AWS IAM. The permissions will be only managed for the users and roles in the IAM.
IAM role for the Privacera Connector Refer	IAM Role which consists of all the IAM policies that are required by this connector.
Trust Policy for Pod Level IAM Role Refer	Trust policy is required when we use Pod Level IAM Role.
Allow Privacera to manage the policies in your AWS Lake Formation	Allow the IAM role used by the Privacera Lake Formation connector to be the administrator Lake Formation policies Refer.
[Self Managed/Data Plane ] Kubernetes pod with access to the IAM Role	If the Lake Formation connector is deployed in your VPC, then the Kubernetes pod should have access to the IAM role to manage the policies in AWS Lake Formation.
[PrivaceraCloud ] Trust Policy for pod level IAM Role Refer	If the Lake Formation connector is deployed in PrivaceraCloud, then the IAM Role should have a trust policy to PrivaceraCloud to manage the policies in your AWS Lake Formation. This should be attached to the role from the PrivaceraCloud. check here.

Appendix¶

IAM Policies for managing Lake Formation¶

The following IAM policies are required to update the policies in AWS Lake Formation. You can name it privacera-lf-pull-policy.

privacera-lf-pull-policy

JSON
{
  "Sid": "LFReadPermissions",
  "Effect": "Allow",
  "Action": [
    "lakeformation:ListDataCellsFilter",
    "lakeformation:GetEffectivePermissionsForPath",
    "lakeformation:ListLFTags",
    "lakeformation:GetLFTag",
    "lakeformation:ListPermissions",
    "lakeformation:GetResourceLFTags",
    "lakeformation:DescribeResource",
    "lakeformation:ListResources",
    "lakeformation:GetTableObjects"
  ],
  "Resource": "*"
}

IAM policies to read from Glue Data Catalog¶

The following IAM policies are required to read from the Glue Data Catalog. You can name it privacera-lf-glue-read-policy. This connector doesn't require write access to the Glue Data Catalog.

privacera-lf-glue-read-policy

JSON
{
  "Sid": "GlueReadPermissions",
  "Effect": "Allow",
  "Action": [
    "glue:GetTables",
    "glue:GetTableVersions",
    "glue:GetDatabases",
    "glue:GetTable",
    "glue:GetDatabase",
    "glue:GetTableVersion",
    "glue:GetColumnStatisticsForTable"
  ],
  "Resource": "*"
}

IAM policies to retrieve IAM Roles¶

The following IAM policies are required to retrieve the IAM roles. You can name it privacera-lf-iam-read-policy. This connector doesn't require write access to the IAM roles and it will not create or modify any IAM roles.

privacera-lf-iam-read-policy

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListRoles",
      ],      
      "Resource": "*"
    }
  ]
}

The following IAM policies are required to share resources across AWS Accounts. You can name it privacera-lf-share-policy. If you are using the Data Mesh design pattern and/or sharing resources across AWS accounts, you need to add additional permissions so that Privacera can manage the policies in the shared resources in other accounts also.

privacera-lf-share-policy

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ram:CreateResourceShare",
        "ram:GetResourceShares",
        "ram:AssociateResourceShare",
        "ram:DisassociateResourceShare",
        "ram:DeleteResourceShare"
      ],
      "Resource": "*"
    }
  ]
}

IAM Role for the Privacera Connector¶

The following IAM role is required for the Privacera Connector. You can name it privacera-lf-pull-connector-role.

privacera-lf-pull-connector-role

Include the following policies in the IAM role:

privacera-lf-pull-policy
privacera-lf-glue-read-policy
privacera-lf-iam-read-policy
privacera-lf-share-policy [Optional]

Lake Formation Administrator Configuration¶

The IAM Role used by the Privacera Lake Formation connector should have the administrator privileges to manage the policies in AWS Lake Formation. Follow the steps below to configure the administrator role:

Log in to AWS Account and navigate to AWS Lake Formation > Administrative roles and tasks.
Click [Add] in the Data lake administrators section.
For Access Type [Data lake administrator] search for the role that was created for Privacera Lake Formation. E.g. privacera-lf-pull-connector-role and select it.
Click [Confirm].

Trust Policy for Pod Level IAM Role¶

Privacera requires using a Pod Level IAM Role for the Lake Formation Connector. The following trust policy must be applied to the Pod Level IAM Role.

Note

Make sure the following property is enabled and setting up the ARN in the Lake Formation Connector:

Properties
CONNECTOR_USE_POD_IAM_ROLE = true 
CONNECTOR_POD_IAM_ROLE_ARN = "<ROLE_ARN>"

Trust Policy for Pod IAM Role

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "<IAM_OIDC_Provider_ARN>"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "<OpenID_Connect_provider_URL>:sub": "system:serviceaccount:<Namespace-Name>:<ServiceAccount-Name>"
        }
      }
    }
  ]
}

Prev topic: Pull Mode Overview
Next topic: Setup