Want to Stop Rebuilding "Expensive" Parts of your Flow? Explicit Builds are the Answer!READ MORE

does DSS support switch IAM role?

Solved!
tomas
Neuron
Neuron
does DSS support switch IAM role?
Does DSS support the switch of IAM role, as described here? https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-api.html

To access an S3 bucket in other account we would need to switch and use a cross account role,

Thanks
0 Kudos
1 Solution
Jediv
Dataiker
Dataiker
Hi, DSS now supports switching IAM roles for access to S3 connections. The best practice here is to separate out your s3 access policy into a separate role and then set up assumeRole permissions on your connection. In detail:
 
1. Create a separate role with your s3 access policy. See here for an example of the inline policy. We'll call this role Dataiku-DSS-S3-Access:
 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:GetEncryptionConfiguration",
                "s3:ListBucketMultipartUploads",
                "s3:AbortMultipartUpload",
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::dataiku-bucket",
                "arn:aws:s3:::dataiku-bucket/*"
            ]
        }
    ]
}
 
2. Assuming that your roles are in the same account you can just update the trust policy of your new role to allow your instance profile role to assume it:
{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DSS-S3-AccessTrustPolicy",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {
            "AWS": "arn:aws:iam::XXXXXX:role/name-of-your-instance-profile-role"
        }
    }]
}
 
3. If you're going cross account, you'll need to give assumeRole permissions to your instance profile role as well:
 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:PassRole",
"iam:AssumeRole"
            ],
            "Resource": [
"arn:aws:iam::XXXXXXXXX:role/Dataiku-DSS-S3-Access"
            ]
        }
    ]
}
 
4. In Dataiku, switch your connection to use this new role:
 
 
 
Pasted_Image_1_14_22__1_49_PM.png

 

View solution in original post

3 Replies
Clément_Stenac
Dataiker
Dataiker
Hi, DSS does not have support for assume role at the moment. Working with this is in our backlog.
0 Kudos
Jediv
Dataiker
Dataiker
Hi, DSS now supports switching IAM roles for access to S3 connections. The best practice here is to separate out your s3 access policy into a separate role and then set up assumeRole permissions on your connection. In detail:
 
1. Create a separate role with your s3 access policy. See here for an example of the inline policy. We'll call this role Dataiku-DSS-S3-Access:
 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:GetEncryptionConfiguration",
                "s3:ListBucketMultipartUploads",
                "s3:AbortMultipartUpload",
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::dataiku-bucket",
                "arn:aws:s3:::dataiku-bucket/*"
            ]
        }
    ]
}
 
2. Assuming that your roles are in the same account you can just update the trust policy of your new role to allow your instance profile role to assume it:
{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DSS-S3-AccessTrustPolicy",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {
            "AWS": "arn:aws:iam::XXXXXX:role/name-of-your-instance-profile-role"
        }
    }]
}
 
3. If you're going cross account, you'll need to give assumeRole permissions to your instance profile role as well:
 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:PassRole",
"iam:AssumeRole"
            ],
            "Resource": [
"arn:aws:iam::XXXXXXXXX:role/Dataiku-DSS-S3-Access"
            ]
        }
    ]
}
 
4. In Dataiku, switch your connection to use this new role:
 
 
 
Pasted_Image_1_14_22__1_49_PM.png

 
ABDULBASEER
Level 1

Hi Jed, is this assumedRole connection setup available on HDFS connections or is it just for S3 connections? 

0 Kudos

Labels

?
Labels (2)
A banner prompting to get Dataiku