Configure cross account profile¶
This section explains how to configure a single profile in DataServer to enable cross-account access to Amazon S3 using a single IAM role. With this setup, DataServer can access S3 buckets across multiple AWS accounts through a unified profile configuration. This setup is supported in the File Explorer UI, AWS CLI, and Spark OLAC, using STS token-based signing for authentication.
Note
- When using the cross-account profile configuration with a single IAM role, the File Explorer UI does not display a list of buckets.
- To access a specific bucket, enter the bucket name followed by a slash (e.g., bucket_name/) in the File Explorer search box to view its contents.
- Similarly, the AWS CLI command aws s3 ls will not list all buckets. You must specify the full bucket path (e.g., aws s3 ls s3://bucket_name/) to view the contents.
Single vs. Multiple IAM Profile Configuration¶
Feature | Single IAM Role (Single Profile) | Multiple IAM Roles (Multiple Profiles) |
---|---|---|
Setup Complexity | Simple – only one IAM role and profile needed | Complex – separate IAM role and profile per account |
Scalability | High – supports new accounts without config changes | Low – requires updating DataServer config for each new account |
Bucket Listing in UI/CLI | Buckets will not be listed; needs to access each bucket individually (e.g., bucket_name/) | Buckets are listed automatically in File Explorer UI and AWS CLI |
Ease of Management | Easier – centralized control | Complex – decentralized, multiple roles to manage |
Recommended For | Large, growing multi-account setups | Small or fixed set of accounts where bucket listing is critical |
For more details on how to configure multiple profile accounts, refer to the Configure Multiple IAM Roles section.
Prerequisites¶
To set up cross-account access, ensure the following requirements are met:
- IAM Role with S3 Access Policy: The IAM role must have an attached policy that grants appropriate permissions to access the required Amazon S3 buckets.
- Trust Relationship for STS: The IAM role must include a trust policy that allows it to be assumed via AWS Security Token Service (STS).
- Bucket Policy in the Target Account: Each target S3 bucket in the external AWS account must include a bucket policy that grants access to the IAM role’s ARN from the source account.
Instance/STS IAM Role Configuration¶
- Create a dedicated IAM role in Account-A. This role will serve both as the pod-level IAM role and the STS role used to obtain temporary credentials.
- Attach a policy to this role that grants the necessary Amazon S3 permissions (e.g., s3:GetObject, s3:PutObject, s3:ListBucket) on the required S3 buckets.
- Enable cross-account access by updating the bucket policies in Account-B to include this role’s ARN in the Principal section.
Create IAM Role in Account-A¶
- Create an IAM role in Account-A with the following trust relationship:
  - The role must trust the OIDC provider associated with the EKS cluster to allow pod-level access.
  - The role must also trust itself to enable STS-based credential retrieval.
- Attach an IAM policy to the role that grants the required Amazon S3 permissions, such as s3:GetObject, s3:PutObject, and s3:ListBucket.
- Configure cross-account access by updating the bucket policies in Account-B to include this role’s ARN in the Principal section.
- Refer to the sample IAM role template below to create the role in Account-A.
Note
- Make sure to update the placeholders in the configuration below with your actual values.
- UPDATE_ROLE_NAME_A should be the name of the IAM role you want to create.
- UPDATE_ACCOUNT_A_ID should be the AWS account ID of Account-A.
- UPDATE_ACCOUNT_A_S3_BUCKET_NAME should be the name of the S3 bucket in Account-A.
- UPDATE_CROSS_ACCOUNT_S3_BUCKET_NAME should be the name of the S3 bucket in Account-B.
- OIDC_ID should be the OIDC ID of the EKS cluster.
- To get the OIDC_ID and OIDC_REGION, you can run the following command:
Sample IAM Role Creation Template
- Once you’ve updated the template, you can validate it using the AWS CLI.
- After validation, you can create the stack using the AWS CLI.
Update Bucket Policy in Account-B¶
To enable cross-account access, you must update the bucket policy of the target Amazon S3 bucket in Account-B to allow access from the IAM role in Account-A. Follow the steps below to update the bucket policy:
- Log in to the AWS Management Console for Account-B.
- Navigate to the S3 service.
- Select the target S3 bucket you want to allow access to.
- Go to the Permissions tab and click Bucket Policy to edit it.
- Add a new statement to the bucket policy that allows access from the IAM role created in Account-A.
- Ensure the policy includes the IAM role ARN from Account-A in the Principal section.
- Verify that the bucket policy is in valid JSON format and follows the correct syntax.
- Click Save changes to apply the updated bucket policy.
- Refer to the sample bucket policy below for guidance on granting access to the IAM role from Account-A.
Note
- Make sure to update the placeholders in the configuration below with your actual values.
- UPDATE_ACCOUNT_A_ID should be the AWS account ID of Account-A.
- UPDATE_ROLE_NAME_A should be the name of the IAM role you created in Account-A.
- UPDATE_CROSS_ACCOUNT_S3_BUCKET_NAME should be the name of the S3 bucket in Account-B that you want to allow access to.
Sample S3 Bucket Policy
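The trust relationship described under Create IAM Role in Account-A and the Account-B bucket policy described above, as an added Python example (not Privacera's template or sample policy): it builds both documents from the placeholder names used on this page and runs a pre-save check that the bucket policy names only the Account-A role ARN and only the listed S3 actions. The account ID, role name, OIDC values, bucket name and the service-account subject condition are constructed assumptions.

```python
# Constructed placeholder values (assumptions for this example; substitute your own).
UPDATE_ACCOUNT_A_ID = "111111111111"
UPDATE_ROLE_NAME_A = "dataserver-cross-account-role"
OIDC_REGION, OIDC_ID = "us-east-1", "EXAMPLE0123456789ABCDEF0123456789"
UPDATE_CROSS_ACCOUNT_S3_BUCKET_NAME = "account-b-data-bucket"
S3_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]  # permissions the page lists


def role_arn(account_id, role_name):
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def trust_policy(account_id, role_name, oidc_region, oidc_id, sa_subject):
    """Account-A role trust policy: trusts the EKS OIDC provider (pod access) and
    itself (STS). sa_subject is an assumed 'system:serviceaccount:<ns>:<sa>'
    condition so that only DataServer's pod, not any pod, can assume the role."""
    provider = f"oidc.eks.{oidc_region}.amazonaws.com/id/{oidc_id}"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRoleWithWebIdentity",
         "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider}"},
         "Condition": {"StringEquals": {f"{provider}:sub": sa_subject}}},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": role_arn(account_id, role_name)}}]}


def bucket_policy(account_id, role_name, bucket):
    """Account-B bucket policy: the Account-A role ARN is the Principal and the
    grant covers only the listed actions on this bucket and its objects."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowDataServerRoleFromAccountA", "Effect": "Allow",
         "Principal": {"AWS": role_arn(account_id, role_name)}, "Action": S3_ACTIONS,
         "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]}]}


def check_bucket_policy(policy, expected_role_arn):
    """Pre-save review: every Allow statement must name exactly the expected role
    (no '*' or foreign principals) and grant only the listed S3 actions."""
    problems = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", "*")
        arns = principal.get("AWS", "*") if isinstance(principal, dict) else principal
        for arn in ([arns] if isinstance(arns, str) else arns):
            if arn != expected_role_arn:
                problems.append(f"unexpected principal: {arn}")
        actions = st.get("Action", [])
        for act in ([actions] if isinstance(actions, str) else actions):
            if act not in S3_ACTIONS:
                problems.append(f"unexpected action: {act}")
    return problems
```

Run check_bucket_policy on the policy you paste into the Account-B console before clicking Save changes; an empty list means the Principal and Action sections match what this page requires.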
DataServer Configuration¶
- SSH into the instance where Privacera Manager is installed.
- Open the vars.dataserver.aws.yml file in your preferred editor.
- Modify the following properties:
Note
- Make sure to update the placeholders in the configuration below with your actual values.
- DATASERVER_USE_POD_IAM_ROLE should be set to true to use the IAM role for the DataServer pod.
- DATASERVER_IAM_ROLE_ARN should be the same as the STS_ROLE in the profile properties, which is required for cross-account access.
- Once the properties are configured, refer to the Privacera Manager Quickstart.
Validation¶
- To validate the configuration, refer to the AWS User Guide section.
- In the File Explorer search box, use the appropriate bucket name ending with a slash (e.g., bucket_name/) to access the bucket.
- In the AWS CLI, use the full bucket path (e.g., aws s3 ls s3://bucket_name/) to access the bucket.