Configure STS Role

Perform the following steps to configure the STS role. The first procedure applies to Privacera Manager deployments (configured through vars.dataserver.aws.yml); the second applies to PrivaceraCloud.

  1. To set the AWS Security Token Service (STS) role, include the following property in the vars.dataserver.aws.yml file:
    YAML
    DATASERVER_AWS_PROFILE_PROPERTIES:
    - PROFILE_NAME: "aws_account1"
      PROFILE_PROPERTIES:
        - STS_ROLE: "arn:aws:iam::<account_id>:role/<your_STS_role>"

  2. Once the properties are configured, refer to the Privacera Manager Quickstart.

  1. In PrivaceraCloud, navigate to Settings -> Applications.
  2. On the Connected Applications screen, select S3.
  3. On the screen, click the edit icon, and then click the Access Management -> ADVANCED tab.
  4. Add the following property with the appropriate values for <your_profile_name>, <account_id>, and <your_STS_role>:
    Properties
    dataserver.aws.<your_profile_name>.sts.role=arn:aws:iam::<account_id>:role/<your_STS_role>

  5. Click the Test Connection button to verify the connection.
  6. Once the connection is successful, click Save.

Add UserInfo in S3 Requests

This feature logs the Privacera username of the user attempting to access S3 data through the Privacera Dataserver to AWS CloudWatch Logs.

The Privacera username appears as a request parameter, {privacera-user: callingUser}, in the CloudWatch log entry for the specific resource that the calling user is attempting to access.

To enable this feature, follow these steps:

  1. Navigate to Settings > Applications > S3, and click the pencil icon to edit properties.
  2. Toggle the button for the service you wish to enable.
  3. In the ADVANCED tab, add the following custom property:
    Properties
    dataserver.aws.request.include.userinfo: true

  4. Click Save.
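Once the property is enabled, the privacera-user request parameter is what lets a defender attribute an S3 data event to a Privacera user rather than only to the AWS identity the Dataserver used. The following is an added example, not Privacera's code: it parses a few constructed CloudWatch log lines written in the style of S3 data-event records (the field names eventTime, eventName and requestParameters.bucketName/key are assumptions made for this example), groups the accessed resources by Privacera user, and separates out requests that carry no privacera-user parameter so they can be reviewed.

```python
import json
from collections import defaultdict

# Constructed sample CloudWatch log lines in the style of S3 data-event records.
# The field names (eventName, requestParameters.bucketName/key) are assumptions
# made for this example; "privacera-user" is the request parameter the
# Dataserver adds when dataserver.aws.request.include.userinfo is enabled.
SAMPLE_LOG_LINES = [
    json.dumps({"eventTime": "2024-05-01T10:00:00Z", "eventName": "GetObject",
                "requestParameters": {"bucketName": "mybucket",
                                      "key": "data/2024/part-0.parquet",
                                      "privacera-user": "alice"}}),
    json.dumps({"eventTime": "2024-05-01T10:01:00Z", "eventName": "PutObject",
                "requestParameters": {"bucketName": "mybucket",
                                      "key": "data/2024/part-1.parquet",
                                      "privacera-user": "bob"}}),
    # A request with no privacera-user parameter: it did not pass through a
    # Dataserver with userinfo enabled, so only the AWS identity is known.
    json.dumps({"eventTime": "2024-05-01T10:02:00Z", "eventName": "GetObject",
                "requestParameters": {"bucketName": "mybucket",
                                      "key": "data/2024/part-0.parquet"}}),
    "2024-05-01T10:03:00Z not a JSON record",  # noise a real log stream contains
]

NO_USER = "<no privacera-user>"


def parse_event(line):
    """Parse one log line into a flat dict, or return None if it is not an S3 event."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict):
        return None
    params = event.get("requestParameters") or {}
    if "bucketName" not in params:
        return None
    return {
        "time": event.get("eventTime"),
        "action": event.get("eventName"),
        "resource": f'{params["bucketName"]}/{params.get("key", "")}',
        "privacera_user": params.get("privacera-user"),
    }


def summarize_by_user(lines):
    """Map each Privacera user to the sorted list of resources they touched.

    Events without the privacera-user parameter are grouped under NO_USER so
    they can be reviewed separately.
    """
    summary = defaultdict(set)
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        summary[event["privacera_user"] or NO_USER].add(event["resource"])
    return {user: sorted(resources) for user, resources in summary.items()}


def resources_without_user(lines):
    """Resources touched by at least one request lacking the privacera-user parameter."""
    return summarize_by_user(lines).get(NO_USER, [])


if __name__ == "__main__":
    for user, resources in sorted(summarize_by_user(SAMPLE_LOG_LINES).items()):
        print(f"{user}: {', '.join(resources)}")
```

Malformed lines and non-S3 records are skipped rather than failing the run, since a real log stream mixes event types; the NO_USER bucket is the list worth inspecting, because those accesses cannot be attributed to a Privacera user from the log alone.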

Create Custom S3 Service Repository

For information on using a custom S3 service repository, see Use Custom Service Repository for S3.

Configuration to Avoid Removing S3 Directory Markers from the Access Check

By default, the Privacera Dataserver removes the S3 directory markers _$folder$ and __PLACEHOLDER__ from the resource path before applying the access check in OLAC (object-level access control) use cases.

To include the directory marker in the access check, set the following property in the vars.dataserver.aws.yml file:

YAML
DATASERVER_SIGNER_REMOVE_SPARK_S3_DIRECTORY_MARKER: "false"

If this property is set to false, an extra access audit is generated on the resource path that carries the directory marker.

A policy then needs to be created in the S3 service repository to grant the appropriate access on the directory path, for example:

Text Only
Bucket Name : mybucket
Object Path : *_$folder$* or *__PLACEHOLDER__
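The following is an added example, not the Dataserver's own code, that models the behaviour described in this section so the effect of the property can be seen side by side: with marker removal on (the default), only the normalized directory path is checked and audited; with it off, the path carrying the marker is checked and audited as well, and a policy like the one above is needed for the request to succeed. It assumes the marker is a suffix of the object key, uses glob patterns for object paths as Ranger-style policies do, and uses constructed policies for user alice on mybucket.

```python
import fnmatch

# The two directory markers named on the page. Spark/Hadoop S3 committers write
# zero-byte objects with these names to stand in for "directories".
DIRECTORY_MARKERS = ("_$folder$", "__PLACEHOLDER__")


def strip_directory_marker(object_path):
    """Return the path with a trailing directory marker removed.

    Assumption for this example: the marker is a suffix of the key (e.g.
    "data/2024_$folder$" or "data/2024/__PLACEHOLDER__") and the normalized
    resource is the directory path without it.
    """
    for marker in DIRECTORY_MARKERS:
        if object_path.endswith(marker):
            return object_path[: -len(marker)].rstrip("/")
    return object_path


def policy_matches(policy, user, bucket, resource):
    """True if the policy grants `user` access to bucket/resource (glob patterns)."""
    return (
        policy["bucket"] == bucket
        and user in policy["users"]
        and any(fnmatch.fnmatchcase(resource, pattern) for pattern in policy["object_paths"])
    )


def check_access(user, bucket, object_path, policies, remove_marker=True):
    """Evaluate an S3 access request against Ranger-style policies.

    remove_marker=True mirrors the default (marker stripped before the check).
    With remove_marker=False the marker path is checked and audited as well,
    which models the "extra audit" the page describes; the request is allowed
    only if every audited resource is allowed.
    Returns (allowed, audits) where audits is a list of (resource, allowed).
    """
    normalized = strip_directory_marker(object_path)
    resources = [normalized]
    if not remove_marker and normalized != object_path:
        resources.append(object_path)
    audits = []
    for resource in resources:
        allowed = any(policy_matches(p, user, bucket, resource) for p in policies)
        audits.append((f"{bucket}/{resource}", allowed))
    return all(ok for _, ok in audits), audits


# Constructed sample policies. The first grants alice the directory and its
# contents; the second is the marker policy the page recommends.
POLICIES = [
    {"bucket": "mybucket", "object_paths": ["data/2024", "data/2024/*"], "users": ["alice"]},
]
MARKER_POLICY = {
    "bucket": "mybucket",
    "object_paths": ["*_$folder$*", "*__PLACEHOLDER__"],
    "users": ["alice"],
}


if __name__ == "__main__":
    request = ("alice", "mybucket", "data/2024_$folder$")
    print("default:", check_access(*request, POLICIES))
    print("marker kept, no marker policy:", check_access(*request, POLICIES, remove_marker=False))
    print("marker kept, with marker policy:",
          check_access(*request, POLICIES + [MARKER_POLICY], remove_marker=False))
```

Run as a script, the second case shows the denied audit on mybucket/data/2024_$folder$ even though the directory itself is allowed; adding the marker policy turns that audit into an allow without widening access to other paths.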