Is it possible to configure aws credentials in the backend of dataiku and disable the use of this credentials by user . I want to only make it usable by dss only.
Example: I have configured credentials in my dataiku backend . This credentials permit to assume other aws roles ( STS with Assume Role) . I want to create S3 connection (STS with Assume Role) but i need to block usage in python recipe or something else for users so they couldn't assume someone esle identity .
I want to make this credentials only usable by a dataiku connection ( with STS assume role) , or EMR plugin or EKS.
Hi, @papam ! Can you provide any further details on the thread to assist users in helping you find a solution (insert examples like DSS version etc.) Also, can you let us know if you’ve tried any fixes already? This should lead to a quicker response from the community.
You can restrict the usage of connections in DSS through the use of Groups. You can assign users to a particular group(s) and then give those groups permission to create projects, flows and code.
Then under Connections you can specify the groups that should have access to the connection:
Only users in these groups will be able to use the connection information to create new data sets from it and write back to it from recipes. Other users will only be able to use the datasets previously created by users that have access to the connection.
In Python recipes, the connection information won't be visible to users in a non-admin group. For example, running the following code as a user in a group without the 'Administrator' checkbox checked will fail with a permissions error:
client = dataiku.api_client() dss_connections = client.list_connections()
indicating that only administrator users are allowed to view and modify connections in Python code.