
Setup for Lake Formation Pull Mode - Access Management

This section outlines the steps to set up AWS Lake Formation connector in pull mode. Ensure that all prerequisites are met before proceeding.

Create Instance of Lake Formation Pull Mode Connector

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command to navigate to the Privacera Manager config directory.

    Bash
    cd ~/privacera/privacera-manager/config
    

  3. Create a new directory for the AWS Lake Formation Pull Mode connector configuration.

    Note

    In the example below, instance1 is the name of the connector instance. You can change this name to uniquely identify your installed connector configuration. The connector instance name should consist of only hyphens and alphanumeric characters.

    Bash
    mkdir -p custom-vars/connectors/lakeformation/instance1
    
  4. Copy the sample connector configuration file to your custom directory:

    Bash
    cp -n sample-vars/vars.connector.lakeformation.pull.yml custom-vars/connectors/lakeformation/instance1/
    

  5. Run the following command to open the .yml file to be edited:

    Bash
    vi custom-vars/connectors/lakeformation/instance1/vars.connector.lakeformation.pull.yml
    

For PrivaceraCloud, the connector is instead created from the portal:

  1. In PrivaceraCloud, navigate to Settings -> Applications.

  2. On the Applications screen, select Lakeformation Pull Mode.

  3. Enter the application Name and Description, then click Save. The name can be any name of your choice, e.g. AWS Lake Formation Connector for Pull Mode.

  4. Open the AWS Lake Formation application.

  5. Enable the Access Management option with the toggle button.

Connection Details

Provide the AWS account ID, region, and IAM role where AWS Lake Formation is configured.

Warning

  • Replace the example values below with your actual values.

YAML
CONNECTOR_LAKEFORMATION_AWS_ACCOUNT_ID: "123456789012"
CONNECTOR_LAKEFORMATION_AWS_REGION: "us-west-2"
CONNECTOR_USE_POD_IAM_ROLE: "true"
CONNECTOR_POD_IAM_ROLE_ARN: "pod-iam-role-arn"

  1. Under the BASIC tab, enter the values for:
    • AWS Account ID : 123456789012
    • AWS Assume IAM Role ARN : Use the role ARN created for the AWS Lake Formation connector
    • AWS Region : us-west-2

Managed Databases

This property specifies a comma-separated list of database names to which access control policies are applied. To manage all databases, do not specify this property. You can use the wildcard character (*) to match multiple databases.

Example: test_database1,test_database2,sales_*.

Warning

  • Values are case-sensitive.
  • Replace the example value below with your actual value.

YAML
CONNECTOR_LAKEFORMATION_LF_MANAGE_DATABASE_LIST: "test_database"

  1. Under the BASIC tab, enter the values for:
    • Database names to set access control policies : test_database
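A pre-flight check for the two settings above, as an added example and not Privacera's own tooling: it parses the flat vars file without PyYAML, flags a malformed 12-digit account ID or region code, catches the sample pod-iam-role-arn placeholder left in place, and shows how the case-sensitive wildcard list selects databases. The sample file contents, role name and database names are constructed.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample of a pull-mode vars file, mirroring the keys shown on this page.
SAMPLE_VARS = """\
CONNECTOR_LAKEFORMATION_AWS_ACCOUNT_ID: "123456789012"
CONNECTOR_LAKEFORMATION_AWS_REGION: "us-west-2"
CONNECTOR_USE_POD_IAM_ROLE: "true"
CONNECTOR_POD_IAM_ROLE_ARN: "pod-iam-role-arn"
CONNECTOR_LAKEFORMATION_LF_MANAGE_DATABASE_LIST: "test_database1,test_database2,sales_*"
"""

KV_RE = re.compile(r'^\s*([A-Z0-9_]+)\s*:\s*"?([^"#]*?)"?\s*(?:#.*)?$')
ROLE_ARN_RE = re.compile(r'^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$')
REGION_RE = re.compile(r'^[a-z]{2}(-[a-z]+)+-\d$')
DB_PATTERN_RE = re.compile(r'^[A-Za-z0-9_*]+$')  # database names plus the wildcard the page allows

def parse_vars(text):
    """Parse the flat KEY: "value" lines of the vars file into a dict (no PyYAML needed)."""
    found = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found

def check_vars(cfg):
    """Return the problems that would leave the connector misconfigured; empty list means OK."""
    problems = []
    if not re.fullmatch(r"\d{12}", cfg.get("CONNECTOR_LAKEFORMATION_AWS_ACCOUNT_ID", "")):
        problems.append("account id must be exactly 12 digits")
    if not REGION_RE.match(cfg.get("CONNECTOR_LAKEFORMATION_AWS_REGION", "")):
        problems.append("region is not a valid AWS region code")
    if cfg.get("CONNECTOR_USE_POD_IAM_ROLE") == "true":
        arn = cfg.get("CONNECTOR_POD_IAM_ROLE_ARN", "")
        if not ROLE_ARN_RE.match(arn):  # catches the sample placeholder left in place
            problems.append("pod IAM role ARN is a placeholder or malformed: %r" % arn)
    for pat in cfg.get("CONNECTOR_LAKEFORMATION_LF_MANAGE_DATABASE_LIST", "").split(","):
        if pat.strip() and not DB_PATTERN_RE.match(pat.strip()):
            problems.append("invalid database pattern: %r" % pat.strip())
    return problems

def managed_databases(db_list, catalog_databases):
    """Databases the connector will manage: case-sensitive wildcard match, empty list = all."""
    patterns = [p.strip() for p in db_list.split(",") if p.strip()]
    if not patterns:
        return list(catalog_databases)
    return [db for db in catalog_databases if any(fnmatchcase(db, p) for p in patterns)]
```

Run `check_vars(parse_vars(open(path).read()))` against your edited vars.connector.lakeformation.pull.yml before the setup step; an empty result means the values are well-formed, not that the role has the right permissions.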

Apply the Configuration

After all changes are made, start the connector by running the following steps:

Step 1 - Run setup, which generates the Helm charts. This step usually takes a few minutes.

Bash
cd ~/privacera/privacera-manager
./privacera-manager.sh setup

Step 2 - Apply the Privacera Manager Helm charts.

Bash
cd ~/privacera/privacera-manager
./pm_with_helm.sh upgrade

Step 3 - Run the post-installation step, which generates the plugin tarball, updates Route 53 DNS, and so on.

Bash
cd ~/privacera/privacera-manager
./privacera-manager.sh post-install

  1. Once all the required fields are filled, click SAVE.

  2. The configured Lakeformation Pull Mode connector appears under Connected Applications.

  3. Once saved and enabled, the Lakeformation Pull Mode connector starts. You can then hover over the VIEW LOGS button to check the status, which is either Running or Stopped.

  4. Perform the following steps to restart the Lakeformation Pull Mode connector application:

    1. Navigate to Settings → Applications and select the Lakeformation Pull Mode connector application.

    2. Edit the application by disabling the Access Management option with the toggle button, then Save it.

    3. Open the same application again, enable the Access Management option with the toggle button, then Save it.

Validation

To validate the Lake Formation Pull Mode connector setup, follow the steps below:

  1. Verify the Roles in Privacera Portal

    1. Navigate to the Privacera Portal.
    2. Click on the Users/Groups/Roles under the Access Management section.
    3. Click on the Roles tab and verify that the roles for the AWS Lake Formation connector are created.
  2. Verify the Resource Policies in AWS Lake Formation

    1. Navigate to the AWS Lake Formation console.
    2. In the left pane, click on Data permissions under the Permissions section.
    3. Click on Grant to assign permissions to roles.
    4. Under the Principals section, select IAM users and roles and choose one or more IAM users or roles.
    5. Under LF-Tags or catalog resources, select Named Data Catalog resources and update the following fields by selecting values from the dropdown:
      • Catalogs
      • Databases
      • Tables
    6. Choose the appropriate Table Permissions to grant access.
    7. Click Grant to apply the permissions.
    8. Verify the resource policies in the Privacera Portal by navigating to Access Management → Resource Policies.
    9. Verify the resource policy under the privacera_hive repository.
