Set Up AWS S3 as Private Data Storage in User Mode
This page guides you through how to set up your Alteryx Analytics Cloud (AAC) workspace with AWS S3 as the Private Data Storage in User mode.
What is User Mode?
Important
Note that Workspace and User modes are specific to Private Data Storage only. Currently, AAC only offers these 2 modes for workspaces set up with AWS S3 as Private Data Storage.
In User mode, admins can declare multiple IAM Roles and assign the appropriate one for each user. Admins can use this feature to give different levels of access rights to different user groups.
Use User mode to govern each user's uploaded files and output results per the IAM policy assigned to each user. This means users can only view and work with their entitled files and folders.
In comparison, Workspace mode assigns the same IAM policy to all users of the workspace, which gives every user on the workspace the same access rights to files and folders.
Steps for Admin in User Mode
Switch Workspace to User Mode
By default, all workspaces are in Workspace mode. To change the workspace to User mode, change these settings on the Workspace Settings page:
Go to Profile Menu > Workspace Admin > Settings > Storage.
Set S3 Private Data Storage to Enabled.
Set Default Storage Environment to S3 Private Data Storage.
Set AWS Account Configuration Mode to User. The workspace immediately switches into User mode.
Configure Storage for all Users in Workspace
The workspace should be in User mode.
As an admin, create an IAM policy in your AWS account and assign IAM roles to the users who are invited to the workspace.
When new users are invited to the workspace in any mode, the default S3 storage and IAM role are applied to all the users.
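One way to draft the per-role IAM policies described above, so that each role sees only its own folder of a shared bucket. This is an added example, not Alteryx's own code or its required permission list: the bucket name, role names, account ID, folder layout and the set of S3 actions are constructed assumptions, and the ARN check is only a local syntax check.

```python
import json
import re

# IAM role ARN shape: arn:<partition>:iam::<12-digit account>:role/<optional path/>name
ROLE_ARN_RE = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):iam::\d{12}:role/[\w+=,.@/-]+$")


def is_role_arn(arn: str) -> bool:
    """Syntax-only check; it does not prove the role exists or can be assumed."""
    return bool(ROLE_ARN_RE.match(arn))


def scoped_policy(bucket: str, prefix: str) -> dict:
    """Permission policy limiting a role to one folder (prefix) of one bucket."""
    prefix = prefix.strip("/")
    if not bucket or not prefix or "*" in prefix or "?" in prefix:
        raise ValueError("bucket and a wildcard-free prefix are required")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Listing is a bucket-level action, so restrict it by key prefix.
                "Sid": "ListOwnFolderOnly",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [prefix, f"{prefix}/*"]}},
            },
            {   # Object actions are limited by the object ARN itself.
                "Sid": "ReadWriteOwnFolderOnly",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
            },
        ],
    }


if __name__ == "__main__":
    # Constructed sample values: one role per user group, one folder per role.
    groups = {
        "arn:aws:iam::111122223333:role/aac-finance": "finance",
        "arn:aws:iam::111122223333:role/aac-marketing": "marketing",
    }
    for role_arn, folder in groups.items():
        assert is_role_arn(role_arn), role_arn
        print(role_arn)
        print(json.dumps(scoped_policy("example-aac-bucket", folder), indent=2))
```

Attach each generated policy to the matching role, then enter those role ARNs as the Available IAM Role ARNs for the users in that group.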
Configure Storage for Each User
Admins can also configure storage for an individual user.
Go to Profile Menu > Workspace Admin > Users.
Select the 3-dot menu next to each user and then select Configure Storage. A pop-up window appears with options to configure storage for the selected user.
Select the Authentication Method and then enter the appropriate information.
Use a cross-account role (IAM role) (Recommended Option)
Available IAM Role ARNs: Enter at least 1 IAM Role ARN.
Default IAM Role ARN: Select an appropriate role from the dropdown. The dropdown populates based on the roles entered in Available IAM Role ARNs. The system validates the Roles for syntax.
Default S3 Bucket: Enter the S3 bucket ID. The system validates this against the Default Role once you select Save. If invalid, you must enter this value again.
Use access keys
Caution
We only recommend this option when the admin trusts that the selected user has access to a bespoke S3 bucket. The user must also have access to the Access Key ID and Secret Access Key for the specific bucket.
AWS Access Key and AWS Secret Key: The user must generate these keys.
From the AWS Services Console, go to Identity and Access Management (IAM).
Go to the User section and then search for the user.
Select the User ID. The following Summary section should allow you to generate an Access Key.
Default S3 Bucket: Enter the S3 bucket ID. The system validates this against the Default Role once you select Save. If invalid, you must enter this value again.
Select Save.
Caution
It is important for admins to configure the storage for each user. If admins skip this step, the user won't be able to select the Use a cross-account role (IAM role) option when configuring storage for themselves.
Important
Admins who are also users must also configure storage for themselves. To do this, go to Profile menu > Preferences > AWS Credentials.
Steps for Non-Admin Users
When a user signs in for the first time after the workspace has changed to User mode, they might have additional storage configuration steps.
If the admin has already configured the storage, however, the user shouldn't have additional steps.
Caution
If the storage configuration is not as expected by the user, they should contact their admin.
Customize User Storage Configuration
When in User mode, you can edit the existing S3 Private Data Storage configuration.
Go to Profile Menu > User Preferences > Storage and then select Edit. The default authentication settings set by the admin apply to all new users' storage settings. However, as a user, you can override them.
If the admin set Use a cross-account role (IAM role) as the Authentication Method, you can use the admin's configuration or switch to another appropriate role and S3 bucket.
If the admin set Use access keys as the Authentication Method, or didn't configure storage for you, you must set up storage with your own Access Keys.