Configure cross account profile¶

This section explains how to configure a single profile in DataServer to enable cross-account access to Amazon S3 using a single IAM role. With this setup, DataServer can access S3 buckets across multiple AWS accounts through a unified profile configuration. This setup is supported in the File Explorer UI, AWS CLI, and Spark OLAC, using STS token-based signing for authentication.

Note

When using the cross-account profile configuration with a single IAM role, the File Explorer UI does not display a list of buckets.
To access a specific bucket, enter the bucket name followed by a slash (e.g., bucket_name/) in the File Explorer search box to view its contents.
Similarly, the AWS CLI command aws s3 ls will not list all buckets. You must specify the full bucket path (e.g., aws s3 ls s3://bucket_name/) to view the contents.

Single vs. Multiple IAM Profile Configuration¶

Feature	Single IAM Role (Single Profile)	Multiple IAM Roles (Multiple Profiles)
Setup Complexity	Simple – only one IAM role and profile needed	Complex – separate IAM role and profile per account
Scalability	High – supports new accounts without config changes	Low – requires updating DataServer config for each new account
Bucket Listing in UI/CLI	Buckets will not be listed; needs to access each bucket individually `(e.g., bucket_name/)`	Buckets are listed automatically in File Explorer UI and AWS CLI
Ease of Management	Easier – centralized control	Complex – decentralized, multiple roles to manage
Recommended For	Large, growing multi-account setups	Small or fixed set of accounts where bucket listing is critical

For more details on how to configure multiple profile accounts, refer to Configure Multiple IAM Roles section.

Prerequisites¶

To set up cross-account access, ensure the following requirements are met:

IAM Role with S3 Access Policy: The IAM role must have an attached policy that grants appropriate permissions to access the required Amazon S3 buckets
Trust Relationship for STS: The IAM role must include a trust policy that allows it to be assumed via AWS Security Token Service (STS).
Bucket Policy in the Target Account: Each target S3 bucket in the external AWS account must include a bucket policy that grants access to the IAM role’s ARN from the source account.

Instance/STS IAM Role Configuration¶

Create a dedicated IAM role in Account-A. This role will serve both as the pod-level IAM role and the STS role used to obtain temporary credentials.
Attach a policy to this role that grants the necessary Amazon S3 permissions (e.g., s3:GetObject, s3:PutObject, s3:ListBucket) on the required S3 buckets.
Enable cross-account access by updating the bucket policies in Account-B to include this role’s ARN in the Principal section.

Create IAM Role in Account-A¶

Create an IAM role in Account-A with the following trust relationship:
- The role must trust the OIDC provider associated with the EKS cluster to allow pod-level access.
- The role must also trust itself to enable STS-based credential retrieval.
Attach an IAM Policy to the role that grants the required Amazon S3 permissions, such as s3:GetObject, s3:PutObject, s3:ListBucket
Configure Cross-Account Access by updating the bucket policies in Account-B to include this role’s ARN in the Principal section.

Refer to the sample IAM role template below to create the role in Account-A.

Note

Make sure to update the placeholders in the below configuration with your actual values.
The UPDATE_ROLE_NAME_A should be the name of the IAM role you want to create.
The UPDATE_ACCOUNT_A_ID should be the AWS account ID of Account-A.
The UPDATE_ACCOUNT_A_S3_BUCKET_NAME should be the name of the S3 bucket in Account-A.
The UPDATE_CROSS_ACCOUNT_S3_BUCKET_NAME should be the name of the S3 bucket in Account-B.
The OIDC_ID should be the OIDC ID of the EKS cluster.

To get the OIDC_ID and OIDC_REGION you can run the following command:

Bash
aws eks list-clusters --output text

aws eks describe-cluster --name <EKS_CLUSTER_NAME> --query "cluster.identity.oidc.issuer" --output text

Sample IAM Role Creation Template

JSON
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "PrivaceraDataServerTrustIAMRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "RoleName": "<UPDATE_ROLE_NAME_A>",
        "Path": "/",
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "Service": "ec2.amazonaws.com"
              },
              "Action": "sts:AssumeRole"
            },
            {
              "Effect": "Allow",
              "Principal": {
                "Federated": "arn:aws:iam::<UPDATE_ACCOUNT_A_ID>:oidc-provider/oidc.eks.<UPDATE_REGION>.amazonaws.com/id/<OIDC_ID>"
              },
              "Action": "sts:AssumeRoleWithWebIdentity",
              "Condition": {
                "StringLike": {
                  "oidc.eks.<UPDATE_OIDC_REGION>.amazonaws.com/id/<UPDATE_OIDC_ID>:aud": "sts.amazonaws.com",
                  "oidc.eks.<UPDATE_OIDC_REGION>.amazonaws.com/id/<UPDATE_OIDC_ID>:sub": "system:serviceaccount:*:dataserver-privacera-sa"
                }
              }
            },
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": [
                  "arn:aws:iam::<UPDATE_ACCOUNT_A_ID>:role/<UPDATE_ROLE_NAME_A>"
                ]
              },
              "Action": "sts:AssumeRole"
            }
          ]
        },
        "Policies": [
          {
            "PolicyName": "privacera-dataserver-cross-account-s3-access-policy",
            "PolicyDocument": {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": "s3:*",
                  "Resource": [
                    "arn:aws:s3:::<UPDATE_ACCOUNT_A_S3_BUCKET_NAME>",
                    "arn:aws:s3:::<UPDATE_ACCOUNT_A_S3_BUCKET_NAME>/*",
                    "arn:aws:s3:::<UPDATE_CROSS_ACCOUNT_S3_BUCKET_NAME>",
                    "arn:aws:s3:::<UPDATE_CROSS_ACCOUNT_S3_BUCKET_NAME>/*"
                  ]
                }
              ]
            }
          }
        ]
      }
    }
  }
}

Once you’ve updated the template, you can validate it using the AWS CLI

Bash
aws cloudformation validate-template --template-body file://your-iam-role-template.json

After validation, you can create the stack using the AWS CLI

Bash
aws cloudformation create-stack --stack-name <UPDATE_STACK_NAME> --template-body file://your-iam-role-template.json --capabilities CAPABILITY_NAMED_IAM

Update Bucket Policy in Account-B¶

To enable cross-account access, you must update the bucket policy of the target Amazon S3 bucket in Account-B to allow access from the IAM role in Account-A. Follow the steps below to update the bucket policy:

Log in to the AWS Management Console for Account-B.
Navigate to the S3 service.
Select the target S3 bucket you want to allow access to.
Go to the Permissions tab and click Bucket Policy to edit it.
Add a new statement to the bucket policy that allows access from the IAM role created in Account-A.
Ensure the policy includes the IAM role ARN from Account-A in the Principal section.
Verify that the bucket policy is in valid JSON format and follows the correct syntax.
Click Save changes to apply the updated bucket policy.

Refer to the sample bucket policy below for guidance on granting access to the IAM role from Account-A.

Note

Make sure to update the placeholders in the below configuration with your actual values.
The UPDATE_ACCOUNT_A_ID should be the AWS account ID of Account-A.
The UPDATE_ROLE_NAME_A should be the name of the IAM role you created in Account-A.
The UPDATE_CROSS_ACCOUNT_S3_BUCKET_NAME should be the name of the S3 bucket in Account-B that you want to allow access to.

Sample S3 Bucket Policy

JSON
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<UPDATE_ACCOUNT_A_ID>:role/<UPDATE_ROLE_NAME_A>"
        ]
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::<UPDATE_CROSS_ACCOUNT_S3_BUCKET_NAME>",
        "arn:aws:s3:::<UPDATE_CROSS_ACCOUNT_S3_BUCKET_NAME>/*"
      ]
    }
  ]
}

DataServer Configuration¶

SSH into the instance where Privacera Manager is installed.
Open the vars.dataserver.aws.yml file in your preferred editor:
Bash
1
vi config/custom-vars/vars.dataserver.aws.yml

Modify the following properties:

Note

Make sure to update the placeholders in the below configuration with your actual values.
The DATASERVER_USE_POD_IAM_ROLE should be set to true to use the IAM role for the DataServer pod.
The DATASERVER_IAM_ROLE_ARN should be the same as the STS_ROLE in the profile properties, which is required for cross-account access.

YAML
DATASERVER_USE_POD_IAM_ROLE: "true"
DATASERVER_IAM_ROLE_ARN: "arn:aws:iam::<UPDATE_ACCOUNT_A_ID>:role/<UPDATE_ROLE_NAME_A>"

DATASERVER_AWS_MULTI_ACCOUNT_PROFILE_ENABLE: "true"
DATASERVER_AWS_PROFILE_NAMES: "cross_account_profile"
DATASERVER_AWS_PROFILE_NAME_DEFAULT: "cross_account_profile"
DATASERVER_AWS_PROFILE_PROPERTIES:
- PROFILE_NAME: "cross_account_profile"
  PROFILE_PROPERTIES:
    - AUTHN_METHOD: "INSTANCE_IAM"
    - STS_ROLE: "arn:aws:iam::<UPDATE_ACCOUNT_A_ID>:role/<UPDATE_ROLE_NAME_A>"
    - STS_TOKEN_SIGNING_ENABLE: "true"
    - REGION: "<UPDATE_REGION>"

4. Once the properties are configured, refer to the Privacera Manager Quickstart.

Validation¶

To validate the configuration, refer to the AWS User Guide Section section.
In the File Explorer search box, use the appropriate bucket name ending with a slash (e.g., bucket_name/) to access the bucket.
In the AWS CLI, use the full bucket path (e.g., aws s3 ls s3://bucket_name/) to access the bucket.

Configure cross account profile¶

Single vs. Multiple IAM Profile Configuration¶

Prerequisites¶

Instance/STS IAM Role Configuration¶

Create IAM Role in Account-A¶

Update Bucket Policy in Account-B¶

DataServer Configuration¶

Validation¶

Comments