
Privacera Documentation

Multiple AWS S3 IAM role support in Data Access Server

Privacera's Data Access Server supports configuring an IAM role that it assumes when sending requests to AWS S3, including bucket-level requests.

A typical use case: you want to run Spark queries in Databricks against data in buckets that live in multiple AWS accounts. Multiple IAM role support in the Data Access Server solves this by mapping buckets to specific IAM roles.

For each query, Privacera's Data Access Server will:

  1. Extract bucketName from the request.

  2. Find the IAM Role to be assumed from the mapping property, DATASERVER_AWS_S3_MULTI_ACCOUNT_MAPPING.
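The two-step resolution above (bucket name out of the request, then role ARN out of the mapping, falling back to the default role) is easy to mis-configure, so it helps to be able to dry-run it against a candidate vars file before deploying. The following is an added example, not Privacera's code; it assumes the mapping format used in vars.dataserver.aws.yml on this page (`<role-arn>|<bucketA,bucketB*>`), that `*` is the only wildcard, and that the first matching entry wins. The configuration values and bucket names are constructed.

```python
"""Bucket-to-IAM-role resolution as described for Privacera's Data Access Server.

Added example; not Privacera's code. Assumptions: mapping entries are
'<role-arn>|<bucketA,bucketB*>', '*' is the only wildcard, first match wins.
"""
import re

ENABLE_KEY = "DATASERVER_AWS_S3_MULTI_ACCOUNT_ACCESS_ENABLE"
DEFAULT_KEY = "DATASERVER_AWS_S3_MULTI_ACCOUNT_DEFAULT_IAM"
MAPPING_KEY = "DATASERVER_AWS_S3_MULTI_ACCOUNT_MAPPING"

# Constructed sample configuration; account IDs, roles and bucket names are made up.
SAMPLE_CONFIG = {
    ENABLE_KEY: "true",
    DEFAULT_KEY: "arn:aws:iam::123456654321:role/DefaultRole",
    MAPPING_KEY: [
        "arn:aws:iam::123456789012:role/RoleA|sales-raw,sales-*",
        "arn:aws:iam::987654321012:role/RoleB|finance*,hr-archive",
    ],
}


def parse_mapping(entries):
    """Expand '<role-arn>|<b1,b2*>' entries into ordered (bucket pattern, role ARN) pairs."""
    rules = []
    for entry in entries:
        role_arn, sep, buckets = entry.partition("|")
        if not sep or not role_arn.strip() or not buckets.strip():
            raise ValueError(f"malformed mapping entry: {entry!r}")
        for pattern in buckets.split(","):
            pattern = pattern.strip()
            if pattern:
                rules.append((pattern, role_arn.strip()))
    return rules


def bucket_matches(bucket, pattern):
    """Match a bucket name against a pattern in which only '*' is a wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, bucket) is not None


def bucket_from_request(uri):
    """Extract the bucket name from an s3://, s3a:// or s3n:// object URI."""
    match = re.fullmatch(r"s3[an]?://([^/]+)(?:/.*)?", uri)
    if not match:
        raise ValueError(f"not an S3 URI: {uri!r}")
    return match.group(1)


def resolve_role(bucket, config):
    """Return the role ARN Dataserver would assume for this bucket,
    or None when multi-account access is disabled."""
    if str(config.get(ENABLE_KEY, "false")).lower() != "true":
        return None
    for pattern, role_arn in parse_mapping(config.get(MAPPING_KEY, [])):
        if bucket_matches(bucket, pattern):
            return role_arn
    # No mapping matched: fall back to the default role (the shared-bucket case).
    return config[DEFAULT_KEY]


if __name__ == "__main__":
    for uri in ("s3a://sales-2024/part-0.parquet", "s3://shared-artifacts/libs/x.jar"):
        print(uri, "->", resolve_role(bucket_from_request(uri), SAMPLE_CONFIG))
```

Because a bucket that matches no entry silently falls through to the default role, it is worth running every bucket your jobs touch through `resolve_role` and confirming that none of them lands on the default role unintentionally; an over-broad pattern such as `sales-*` will otherwise hand a new bucket to a role you did not plan for.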

To configure an IAM role:

  1. SSH to EC2 instance where Privacera Dataserver is installed.

  2. Enable multi-account access in Privacera Dataserver by editing the Dataserver AWS variables file in Privacera Manager:

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.dataserver.aws.yml config/custom-vars/
    vi config/custom-vars/vars.dataserver.aws.yml
    
  3. Update the values of the following properties.

    DATASERVER_AWS_S3_MULTI_ACCOUNT_ACCESS_ENABLE: "true"
    DATASERVER_AWS_S3_MULTI_ACCOUNT_DEFAULT_IAM: "<default-role-ARN>"
    DATASERVER_AWS_S3_MULTI_ACCOUNT_MAPPING:
      - "<role-arn>|<bucketA,bucketB*>"
      - "<role-arn>|<bucketC*,bucketD>"

    Property descriptions:

    DATASERVER_AWS_S3_MULTI_ACCOUNT_ACCESS_ENABLE
        Enables or disables AWS S3 multiple IAM role support in Dataserver.

    DATASERVER_AWS_S3_MULTI_ACCOUNT_DEFAULT_IAM
        Role ARN of the default IAM role. It is used for any S3 bucket that has no entry in the IAM role mapping, for example a shared bucket containing common artifacts or resources.

    DATASERVER_AWS_S3_MULTI_ACCOUNT_MAPPING
        Defines the mapping between role ARNs and buckets. Each entry maps one role ARN to a comma-separated list of buckets.

    Note

    • The above role-bucket mapping applies only to the AWS S3 service, not to other AWS services. To authenticate to other AWS services, Dataserver always uses the default role (DATASERVER_AWS_S3_MULTI_ACCOUNT_DEFAULT_IAM).

    • Wildcards are supported while specifying bucket names in the mapping. For example: buck*.

  4. Run the following commands to update Privacera Manager.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
    
  5. Set assume role permission for Dataserver Instance Role in AWS console.

    Note

    The IAM role attached to the Privacera Dataserver instance is the one that assumes the other roles. This instance IAM role must therefore have permission to assume each of the IAM roles configured in the security config JSON; that permission is granted from the AWS Console.

    1. Log in to the AWS console.

    2. Go to IAM Service and click Roles.

    3. Select Privacera Dataserver Role and edit the existing role or select Add New Policy.

    4. Enter the following definition:

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Sid": "VisualEditor0",
              "Effect": "Allow",
              "Action": "sts:AssumeRole",
              "Resource": [
                "arn:aws:iam::123456789012:role/RoleA",
                "arn:aws:iam::987654321012:role/RoleB",
                "arn:aws:iam::123456654321:role/DefaultRole"
              ]
            }
          ]
        }

  6. Each IAM role added above must trust the IAM role attached to your Privacera Dataserver instance, for example arn:aws:iam::999999999999:role/PRIV_DATASERVER_ROLE.

    1. Go to IAM Service and click Roles.

    2. Select your IAM Role and edit Trust Relationship.

    3. Enter the following definition:

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Principal": {
                "AWS": [
                  "arn:aws:iam::999999999999:role/PRIV_DATASERVER_ROLE"
                ]
              },
              "Action": "sts:AssumeRole"
            }
          ]
        }
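Steps 5 and 6 are two halves of one handshake: the instance role's identity policy must list every target role as an sts:AssumeRole resource, and every target role's trust policy must name the instance role as a principal. Either half missing for any one role breaks access to that role's buckets. The following added example (not Privacera's code) cross-checks the two sides for every role referenced in the Dataserver mapping and the default role. It uses the ARNs and the instance policy from this page; the trust policies are constructed so that RoleA is correct, RoleB trusts the wrong principal, and DefaultRole has no trust policy on record. Only exact ARN matches are considered; wildcards in Action or Resource are deliberately not expanded.

```python
"""Consistency check for the two IAM policies a multi-account Dataserver relies on.

Added example; not Privacera's code. Input shape is the plain JSON of an IAM
identity policy and of each target role's trust policy. Exact ARN matches only.
"""

# ARNs taken from this page's examples.
INSTANCE_ROLE = "arn:aws:iam::999999999999:role/PRIV_DATASERVER_ROLE"
DEFAULT_ROLE = "arn:aws:iam::123456654321:role/DefaultRole"
MAPPING = [
    "arn:aws:iam::123456789012:role/RoleA|bucketA,bucketB*",
    "arn:aws:iam::987654321012:role/RoleB|bucketC*,bucketD",
]

# The instance role policy shown in step 5.
INSTANCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": [
            "arn:aws:iam::123456789012:role/RoleA",
            "arn:aws:iam::987654321012:role/RoleB",
            "arn:aws:iam::123456654321:role/DefaultRole",
        ],
    }],
}

# Constructed trust policies: RoleA is correct, RoleB trusts the wrong principal,
# and DefaultRole has no trust policy on record at all.
TRUST_POLICIES = {
    "arn:aws:iam::123456789012:role/RoleA": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"AWS": [INSTANCE_ROLE]},
                       "Action": "sts:AssumeRole"}],
    },
    "arn:aws:iam::987654321012:role/RoleB": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"AWS": "arn:aws:iam::999999999999:role/SomeOtherRole"},
                       "Action": "sts:AssumeRole"}],
    },
}


def _as_list(value):
    """IAM documents allow a single string wherever a list is accepted."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def roles_in_config(mapping, default_role):
    """Every role ARN Dataserver may try to assume: mapped roles plus the default."""
    roles = {entry.split("|", 1)[0].strip() for entry in mapping}
    roles.add(default_role)
    return roles


def assumable_roles(policy):
    """Role ARNs an identity policy explicitly allows sts:AssumeRole on."""
    allowed = set()
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(statement.get("Action")):
            continue
        allowed.update(_as_list(statement.get("Resource")))
    return allowed


def trusts_principal(trust_policy, principal_arn):
    """True if the trust policy lets principal_arn call sts:AssumeRole."""
    for statement in _as_list(trust_policy.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(statement.get("Action")):
            continue
        principal = statement.get("Principal")
        if isinstance(principal, dict) and principal_arn in _as_list(principal.get("AWS")):
            return True
    return False


def audit(mapping, default_role, instance_role, instance_policy, trust_policies):
    """Return human-readable findings; an empty list means both sides line up."""
    findings = []
    wanted = roles_in_config(mapping, default_role)
    allowed = assumable_roles(instance_policy)
    for role in sorted(wanted - allowed):
        findings.append(f"instance policy does not allow sts:AssumeRole on {role}")
    for role in sorted(wanted):
        trust = trust_policies.get(role)
        if trust is None:
            findings.append(f"no trust policy on record for {role}")
        elif not trusts_principal(trust, instance_role):
            findings.append(f"{role} does not trust {instance_role}")
    return findings


if __name__ == "__main__":
    for line in audit(MAPPING, DEFAULT_ROLE, INSTANCE_ROLE, INSTANCE_POLICY, TRUST_POLICIES):
        print(line)
```

Keeping the check to exact ARNs is intentional: an identity policy with `"Resource": "*"` would pass a looser check while granting the Dataserver instance the ability to assume any role that trusts it, which is exactly the over-permission the per-role list in step 5 is meant to avoid.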