
Configure cross account profile

This section explains how to configure a single profile in DataServer to enable cross-account access to Amazon S3 using a single IAM role. With this setup, DataServer can access S3 buckets across multiple AWS accounts through a unified profile configuration. This setup is supported in the File Explorer UI, AWS CLI, and Spark OLAC, using STS token-based signing for authentication.

Note

  • When using the cross-account profile configuration with a single IAM role, the File Explorer UI does not display a list of buckets.
  • To access a specific bucket, enter the bucket name followed by a slash (e.g., bucket_name/) in the File Explorer search box to view its contents.
  • Similarly, the AWS CLI command aws s3 ls will not list all buckets. You must specify the full bucket path (e.g., aws s3 ls s3://bucket_name/) to view the contents.

Single vs. Multiple IAM Profile Configuration

| Feature | Single IAM Role (Single Profile) | Multiple IAM Roles (Multiple Profiles) |
|---|---|---|
| Setup Complexity | Simple – only one IAM role and profile needed | Complex – separate IAM role and profile per account |
| Scalability | High – supports new accounts without config changes | Low – requires updating the DataServer config for each new account |
| Bucket Listing in UI/CLI | Buckets are not listed; each bucket must be accessed individually (e.g., bucket_name/) | Buckets are listed automatically in the File Explorer UI and AWS CLI |
| Ease of Management | Easier – centralized control | Complex – decentralized, multiple roles to manage |
| Recommended For | Large, growing multi-account setups | Small or fixed set of accounts where bucket listing is critical |

For more details on how to configure multiple profile accounts, refer to the Configure Multiple IAM Roles section.

Prerequisites

To set up cross-account access, ensure the following requirements are met:

  • IAM Role with S3 Access Policy: The IAM role must have an attached policy that grants the appropriate permissions on the required Amazon S3 buckets.
  • Trust Relationship for STS: The IAM role must include a trust policy that allows it to be assumed via AWS Security Token Service (STS).
  • Bucket Policy in the Target Account: Each target S3 bucket in the external AWS account must include a bucket policy that grants access to the IAM role’s ARN from the source account.

Instance/STS IAM Role Configuration

  • Create a dedicated IAM role in Account-A. This role will serve both as the pod-level IAM role and the STS role used to obtain temporary credentials.
  • Attach a policy to this role that grants the necessary Amazon S3 permissions (e.g., s3:GetObject, s3:PutObject, s3:ListBucket) on the required S3 buckets.
  • Enable cross-account access by updating the bucket policies in Account-B to include this role’s ARN in the Principal section.

Create IAM Role in Account-A

  1. Create an IAM role in Account-A with the following trust relationship:
    • The role must trust the OIDC provider associated with the EKS cluster to allow pod-level access.
    • The role must also trust itself to enable STS-based credential retrieval.
  2. Attach an IAM Policy to the role that grants the required Amazon S3 permissions, such as s3:GetObject, s3:PutObject, s3:ListBucket.
  3. Configure Cross-Account Access by updating the bucket policies in Account-B to include this role’s ARN in the Principal section.
  4. Refer to the sample IAM role template below to create the role in Account-A.

    Note

    • Make sure to update the placeholders in the below configuration with your actual values.
    • The UPDATE_ROLE_NAME_A should be the name of the IAM role you want to create.
    • The UPDATE_ACCOUNT_A_ID should be the AWS account ID of Account-A.
    • The UPDATE_ACCOUNT_A_S3_BUCKET_NAME should be the name of the S3 bucket in Account-A.
    • The UPDATE_CROSS_ACCOUNT_S3_BUCKET_NAME should be the name of the S3 bucket in Account-B.
    • The UPDATE_OIDC_REGION and UPDATE_OIDC_ID should be the region and OIDC ID of the EKS cluster. Both are part of the cluster's OIDC issuer URL, which has the form https://oidc.eks.<region>.amazonaws.com/id/<OIDC_ID>. The same values must be used in the Federated principal ARN and in the Condition keys, otherwise the trust policy does not match the tokens the pod presents.
    • To get the OIDC region and ID, list your clusters and then query the issuer URL of the cluster:
      Bash
      aws eks list-clusters --output text

      aws eks describe-cluster --name <EKS_CLUSTER_NAME> --query "cluster.identity.oidc.issuer" --output text
      
    Sample IAM Role Creation Template
    JSON
    {
      "AWSTemplateFormatVersion": "2010-09-09",
      "Resources": {
        "PrivaceraDataServerTrustIAMRole": {
          "Type": "AWS::IAM::Role",
          "Properties": {
            "RoleName": "<UPDATE_ROLE_NAME_A>",
            "Path": "/",
            "AssumeRolePolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Principal": {
                    "Service": "ec2.amazonaws.com"
                  },
                  "Action": "sts:AssumeRole"
                },
                {
                  "Effect": "Allow",
                  "Principal": {
                    "Federated": "arn:aws:iam::<UPDATE_ACCOUNT_A_ID>:oidc-provider/oidc.eks.<UPDATE_OIDC_REGION>.amazonaws.com/id/<UPDATE_OIDC_ID>"
                  },
                  "Action": "sts:AssumeRoleWithWebIdentity",
                  "Condition": {
                    "StringLike": {
                      "oidc.eks.<UPDATE_OIDC_REGION>.amazonaws.com/id/<UPDATE_OIDC_ID>:aud": "sts.amazonaws.com",
                      "oidc.eks.<UPDATE_OIDC_REGION>.amazonaws.com/id/<UPDATE_OIDC_ID>:sub": "system:serviceaccount:*:dataserver-privacera-sa"
                    }
                  }
                },
                {
                  "Effect": "Allow",
                  "Principal": {
                    "AWS": [
                      "arn:aws:iam::<UPDATE_ACCOUNT_A_ID>:role/<UPDATE_ROLE_NAME_A>"
                    ]
                  },
                  "Action": "sts:AssumeRole"
                }
              ]
            },
            "Policies": [
              {
                "PolicyName": "privacera-dataserver-cross-account-s3-access-policy",
                "PolicyDocument": {
                  "Version": "2012-10-17",
                  "Statement": [
                    {
                      "Effect": "Allow",
                      "Action": "s3:*",
                      "Resource": [
                        "arn:aws:s3:::<UPDATE_ACCOUNT_A_S3_BUCKET_NAME>",
                        "arn:aws:s3:::<UPDATE_ACCOUNT_A_S3_BUCKET_NAME>/*",
                        "arn:aws:s3:::<UPDATE_CROSS_ACCOUNT_S3_BUCKET_NAME>",
                        "arn:aws:s3:::<UPDATE_CROSS_ACCOUNT_S3_BUCKET_NAME>/*"
                      ]
                    }
                  ]
                }
              }
            ]
          }
        }
      }
    }
    
  5. Once you’ve updated the template, you can validate it using the AWS CLI:

    Bash
    aws cloudformation validate-template --template-body file://your-iam-role-template.json
    
  6. After validation, you can create the stack using the AWS CLI:

    Bash
    aws cloudformation create-stack --stack-name <UPDATE_STACK_NAME> --template-body file://your-iam-role-template.json --capabilities CAPABILITY_NAMED_IAM
    

Update Bucket Policy in Account-B

To enable cross-account access, you must update the bucket policy of the target Amazon S3 bucket in Account-B to allow access from the IAM role in Account-A. Follow the steps below to update the bucket policy:

  1. Log in to the AWS Management Console for Account-B.
  2. Navigate to the S3 service.
  3. Select the target S3 bucket you want to allow access to.
  4. Go to the Permissions tab and click Bucket Policy to edit it.
  5. Add a new statement to the bucket policy that allows access from the IAM role created in Account-A.
  6. Ensure the policy includes the IAM role ARN from Account-A in the Principal section.
  7. Verify that the bucket policy is in valid JSON format and follows the correct syntax.
  8. Click Save changes to apply the updated bucket policy.
  9. Refer to the sample bucket policy below for guidance on granting access to the IAM role from Account-A.

    Note

    • Make sure to update the placeholders in the below configuration with your actual values.
    • The UPDATE_ACCOUNT_A_ID should be the AWS account ID of Account-A.
    • The UPDATE_ROLE_NAME_A should be the name of the IAM role you created in Account-A.
    • The UPDATE_CROSS_ACCOUNT_S3_BUCKET_NAME should be the name of the S3 bucket in Account-B that you want to allow access to.
    Sample S3 Bucket Policy
    JSON
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::<UPDATE_ACCOUNT_A_ID>:role/<UPDATE_ROLE_NAME_A>"
            ]
          },
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::<UPDATE_CROSS_ACCOUNT_S3_BUCKET_NAME>",
            "arn:aws:s3:::<UPDATE_CROSS_ACCOUNT_S3_BUCKET_NAME>/*"
          ]
        }
      ]
    }
    
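The prerequisites above amount to three consistency conditions: the Account-A role's trust policy must name the EKS OIDC provider with condition keys for the same provider host, the role must trust its own ARN for the STS_ROLE assumption, and the Account-B bucket policy must name that role ARN as principal over both the bucket and its objects. The following script is an added example (not part of the Privacera documentation or product) that checks a role trust policy and a bucket policy for those conditions before you create the stack and save the bucket policy. It uses only the Python standard library; every account ID, role name, bucket name and OIDC ID in it is constructed, and the sample policies are shaped like the templates on this page.

```python
"""Consistency checks for the Account-A trust policy and the Account-B bucket policy.
Added example, not part of the Privacera documentation. Standard library only;
every account ID, role, bucket and OIDC value below is constructed."""


def _as_list(value):
    """IAM accepts a single string or a list for Action, Resource and Principal."""
    return value if isinstance(value, list) else [value]


def _principals(statement, key):
    principal = statement.get("Principal", {})
    return _as_list(principal.get(key, [])) if isinstance(principal, dict) else []


def oidc_host_from_issuer(issuer_url):
    """The EKS issuer URL (cluster.identity.oidc.issuer) minus its scheme is the
    host used both in the OIDC provider ARN and in the trust-policy condition keys."""
    scheme = "https://"
    return issuer_url[len(scheme):] if issuer_url.startswith(scheme) else issuer_url


# Constructed sample values (not real accounts, roles or buckets).
ACCOUNT_A = "111111111111"
ROLE_ARN_A = f"arn:aws:iam::{ACCOUNT_A}:role/privacera-dataserver-role"
OIDC_HOST = oidc_host_from_issuer(
    "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF0123456789")
OIDC_PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_A}:oidc-provider/{OIDC_HOST}"
SERVICE_ACCOUNT = "dataserver-privacera-sa"
CROSS_BUCKET = "account-b-data-bucket"


def sample_trust_policy(condition_host=OIDC_HOST):
    """Trust policy shaped like the page's template. Passing a different
    condition_host reproduces a region/ID mismatch between principal and condition."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Federated": OIDC_PROVIDER_ARN},
         "Action": "sts:AssumeRoleWithWebIdentity",
         "Condition": {"StringLike": {
             f"{condition_host}:aud": "sts.amazonaws.com",
             f"{condition_host}:sub": f"system:serviceaccount:*:{SERVICE_ACCOUNT}"}}},
        {"Effect": "Allow", "Principal": {"AWS": [ROLE_ARN_A]},
         "Action": "sts:AssumeRole"}]}


def sample_bucket_policy(actions="s3:*", resources=None):
    bucket_arn = f"arn:aws:s3:::{CROSS_BUCKET}"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": [ROLE_ARN_A]}, "Action": actions,
         "Resource": resources or [bucket_arn, bucket_arn + "/*"]}]}


def check_trust_policy(doc, role_arn, oidc_provider_arn, service_account):
    """Return findings; an empty list means the trust policy meets the prerequisites."""
    findings = []
    host = oidc_provider_arn.split(":oidc-provider/", 1)[1]
    trusts_self = web_identity = False
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        if "sts:AssumeRole" in actions and role_arn in _principals(st, "AWS"):
            trusts_self = True  # required for the STS_ROLE assumption
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        web_identity = True
        if oidc_provider_arn not in _principals(st, "Federated"):
            findings.append("web-identity statement does not trust the expected OIDC provider")
        keys = {}  # flatten condition keys across operators (StringEquals, StringLike, ...)
        for operator_keys in st.get("Condition", {}).values():
            keys.update(operator_keys)
        for key in keys:
            if not key.startswith(host + ":"):
                findings.append(f"condition key {key!r} does not match the OIDC provider host")
        if keys.get(f"{host}:aud") != "sts.amazonaws.com":
            findings.append("aud condition missing or not sts.amazonaws.com")
        sub = keys.get(f"{host}:sub", "")
        if sub in ("", "*") or not sub.endswith(":" + service_account):
            findings.append("sub condition does not pin the DataServer service account")
    if not web_identity:
        findings.append("no sts:AssumeRoleWithWebIdentity statement (pod-level access fails)")
    if not trusts_self:
        findings.append("role does not trust itself (STS_ROLE assumption fails)")
    return findings


def check_bucket_policy(doc, role_arn, bucket_name):
    """Return findings for the Account-B bucket policy that grants the Account-A role."""
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    granted = [st for st in doc.get("Statement", [])
               if st.get("Effect") == "Allow" and role_arn in _principals(st, "AWS")]
    if not granted:
        return [f"no Allow statement names {role_arn} as principal"]
    findings = []
    for st in granted:
        if not {bucket_arn, bucket_arn + "/*"} <= set(_as_list(st.get("Resource", []))):
            findings.append("Resource must cover the bucket ARN (ListBucket) and bucket/* (objects)")
        if "s3:*" in _as_list(st.get("Action", [])):
            findings.append("warning: s3:* grants every S3 action; scope to the actions DataServer needs")
    return findings


if __name__ == "__main__":
    print("trust policy:", check_trust_policy(sample_trust_policy(), ROLE_ARN_A,
                                              OIDC_PROVIDER_ARN, SERVICE_ACCOUNT) or "OK")
    print("bucket policy:", check_bucket_policy(sample_bucket_policy(), ROLE_ARN_A, CROSS_BUCKET) or "OK")
```

To use it against your own documents, load the AssumeRolePolicyDocument from your filled-in template and the bucket policy from the S3 console with json.load and pass them to the two check functions together with your role ARN, OIDC provider ARN and bucket name. The s3:* finding is reported as a warning only: the page's templates use s3:*, and the check points out that the role and bucket policy then grant more than the s3:GetObject, s3:PutObject and s3:ListBucket actions the prerequisites list.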

DataServer Configuration

  1. SSH into the instance where Privacera Manager is installed.
  2. Open the vars.dataserver.aws.yml file in your preferred editor:
    Bash
    vi config/custom-vars/vars.dataserver.aws.yml
    
  3. Modify the following properties:

    Note

    • Make sure to update the placeholders in the below configuration with your actual values.
    • The DATASERVER_USE_POD_IAM_ROLE should be set to true to use the IAM role for the DataServer pod.
    • The DATASERVER_IAM_ROLE_ARN should be the same as the STS_ROLE in the profile properties, which is required for cross-account access.

    YAML
    DATASERVER_USE_POD_IAM_ROLE: "true"
    DATASERVER_IAM_ROLE_ARN: "arn:aws:iam::<UPDATE_ACCOUNT_A_ID>:role/<UPDATE_ROLE_NAME_A>"
    
    DATASERVER_AWS_MULTI_ACCOUNT_PROFILE_ENABLE: "true"
    DATASERVER_AWS_PROFILE_NAMES: "cross_account_profile"
    DATASERVER_AWS_PROFILE_NAME_DEFAULT: "cross_account_profile"
    DATASERVER_AWS_PROFILE_PROPERTIES:
    - PROFILE_NAME: "cross_account_profile"
      PROFILE_PROPERTIES:
        - AUTHN_METHOD: "INSTANCE_IAM"
        - STS_ROLE: "arn:aws:iam::<UPDATE_ACCOUNT_A_ID>:role/<UPDATE_ROLE_NAME_A>"
        - STS_TOKEN_SIGNING_ENABLE: "true"
        - REGION: "<UPDATE_REGION>"
    
  4. Once the properties are configured, refer to the Privacera Manager Quickstart.

Validation

  • To validate the configuration, refer to the AWS User Guide section.
  • In the File Explorer search box, use the appropriate bucket name ending with a slash (e.g., bucket_name/) to access the bucket.
  • In the AWS CLI, use the full bucket path (e.g., aws s3 ls s3://bucket_name/) to access the bucket.
