Configure for AWS Authentication
This section provides high-level information on the different configuration methods by which Designer Cloud Powered by Trifacta Enterprise Edition authenticates to AWS resources. From here, you can jump to:
Configuration Tasks: Step-by-step tasks for configuring the product for a specific AWS authentication method.
AWS Authentication Topics: Detailed documentation on various authentication methods.
Overview
Designer Cloud Powered by Trifacta Enterprise Edition provides the following methods of authenticating to AWS.
AWS authentication mode
When connecting to AWS, Designer Cloud Powered by Trifacta Enterprise Edition supports the following basic authentication modes.
AWS Mode | Description |
---|---|
System | All users of the workspace use the same set of credentials to authenticate to AWS. Access to AWS resources is managed through a single system account. The type of account that you specify is based on the credential provider selected below. |
User | Each user of the workspace uses a personal set of credentials to authenticate. Authentication must be specified for individual users. Tip: Although the steps are more involved to set up and manage per-user authentication, this method provides superior security, data governance, and overall management. |
AWS credential provider type
For each access mode, Designer Cloud Powered by Trifacta Enterprise Edition supports the following types of credential providers:
Credential Provider Type | Description |
---|---|
default | Credentials are provided in the form of AWS key/secret combinations. |
instance | Credentials are provided in the form of roles associated with the EC2 instance for the product. |
temporary | Credentials are provided in the form of IAM roles. Tip: This method is recommended. |
EMR authentication mode
Similar to general AWS access, Designer Cloud Powered by Trifacta Enterprise Edition supports the following modes for providing credentials to EMR when running jobs.
EMR system mode: All workspace users use the same AWS key/secret combination to access EMR.
EMR user mode: Each workspace user submits a personal set of credentials to access EMR.
The following table illustrates how AWS mode and EMR mode work together:
EMR mode \ AWS mode | System | User |
---|---|---|
System | AWS and EMR use a single key-secret combination. | |
User | Not supported. | AWS and EMR use the same per-user credentials for access. Per-user credentials can be provided from one of several different providers. |
SSO support
Designer Cloud Powered by Trifacta Enterprise Edition supports integration with a SAML SSO credential provider for AWS resources. Additional details are provided below.
Basic Configuration
Before you configure
Tip: If you prefer, you can review the available authentication tasks to see if one matches your environment.
Before you configure the product, please verify the following:
You have chosen the AWS mode to use.
You have chosen the credential provider type to use.
You have defined and enabled the credentials required to support the above configuration choices.
Configure AWS mode and credential provider
The following table breaks down the configuration of credentials by credential provider type and AWS mode, as determined by two key parameters. These two parameters can be configured at the same time.
credential provider - source of credentials: platform (default), instance (EC2 instance only), or temporary
AWS mode - the method of authentication from platform to AWS: system-wide or by-user
Note: If you are using AWS user mode or SSO, additional configuration is required.
To configure:
Log in to the Trifacta Application as an administrator.
You can apply this change through the Admin Settings Page (recommended) or trifacta-conf.json. For more information, see Platform Configuration Methods.
Apply the following configuration to the platform.
Credential Provider \ AWS Mode | System | User |
---|---|---|
Default | One system-wide key/secret combo is inserted in the platform for use. Config: "aws.credentialProvider": "default", "aws.mode": "system", "aws.s3.key": "<key>", "aws.s3.secret": "<secret>", | Each user provides a key/secret combo. Config: "aws.credentialProvider": "default", "aws.mode": "user", |
Instance | Platform uses roles from the EC2 instance where the platform is running. Config: "aws.credentialProvider": "instance", "aws.mode": "system", | Not supported. Config: n/a |
Temporary | Temporary credentials are issued based on system IAM roles. Config: "aws.credentialProvider": "temporary", "aws.mode": "system", "aws.systemIAMRole": "<IAMRole>", | Per-user authentication when using an IAM role. Config: "aws.credentialProvider": "temporary", "aws.mode": "user", |
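The matrix above has one unsupported cell and several cells that require extra parameters, so it is easy to apply a fragment that is internally inconsistent (for example, an instance provider in user mode, or a default/system configuration whose key and secret were never filled in). The following script is an added example, not part of the product or its documentation: it checks a flat fragment of trifacta-conf.json parameters against that matrix before you apply it. The parameter names are the ones the page lists; the flat dotted-key layout, the `validate_aws_auth` helper and all sample values are constructed for illustration, and the treatment of `default` as the provider used when `aws.credentialProvider` is absent follows the page's wording.

```python
"""Consistency check for the AWS authentication parameters in a
trifacta-conf.json fragment, following the credential-provider / AWS-mode
matrix documented above.

Added example, not part of the product or its documentation. Parameter names
are the ones the page lists; the flat dotted-key layout and all sample values
are constructed for illustration.
"""
import json

VALID_MODES = ("system", "user")
VALID_PROVIDERS = ("default", "instance", "temporary")

# Parameters each (provider, mode) pair needs, per the table above.
# None marks the combination the table lists as "Not supported".
REQUIRED = {
    ("default", "system"): ("aws.s3.key", "aws.s3.secret"),
    ("default", "user"): (),
    ("instance", "system"): (),
    ("instance", "user"): None,
    ("temporary", "system"): ("aws.systemIAMRole",),
    ("temporary", "user"): (),
}

# A long-lived key/secret pair is only consumed by the default provider in
# system mode; anywhere else it is a dead secret sitting in a config file.
SYSTEM_KEY_PARAMS = ("aws.s3.key", "aws.s3.secret")


def _is_placeholder(value) -> bool:
    """True for unset values or documentation placeholders such as "<key>"."""
    if not value:
        return True
    return isinstance(value, str) and value.startswith("<") and value.endswith(">")


def validate_aws_auth(conf: dict) -> list:
    """Return a list of problems; an empty list means the fragment is consistent."""
    problems = []
    # The page names "default" as the default credential provider.
    provider = conf.get("aws.credentialProvider", "default")
    mode = conf.get("aws.mode")
    if mode not in VALID_MODES:
        problems.append(f"aws.mode must be one of {list(VALID_MODES)}, got {mode!r}")
    if provider not in VALID_PROVIDERS:
        problems.append(
            f"aws.credentialProvider must be one of {list(VALID_PROVIDERS)}, got {provider!r}"
        )
    if problems:
        return problems

    required = REQUIRED[(provider, mode)]
    if required is None:
        return [f"credential provider {provider!r} is not supported in {mode!r} mode"]

    # Required parameters must be present and not left as "<placeholder>" text.
    for key in required:
        if _is_placeholder(conf.get(key)):
            problems.append(f"{key} must be set for provider {provider!r} in {mode!r} mode")

    # Flag long-lived secrets that this provider/mode combination never uses.
    if (provider, mode) != ("default", "system"):
        for key in SYSTEM_KEY_PARAMS:
            if key in conf:
                problems.append(f"{key} is only used by the default provider in system mode; remove it")

    # The EMR override is documented as a JSON boolean, not a string.
    force_role = conf.get("aws.emr.forceInstanceRole")
    if force_role is not None and not isinstance(force_role, bool):
        problems.append("aws.emr.forceInstanceRole must be a JSON boolean (true/false)")
    return problems


def validate_aws_auth_json(text: str) -> list:
    """Parse a JSON fragment (flat dotted keys, as shown in the table) and validate it."""
    return validate_aws_auth(json.loads(text))


# Constructed samples; the role ARN and key material are placeholders, not real values.
SAMPLE_TEMPORARY_SYSTEM = {
    "aws.credentialProvider": "temporary",
    "aws.mode": "system",
    "aws.systemIAMRole": "arn:aws:iam::000000000000:role/constructed-example-role",
}
SAMPLE_INSTANCE_USER = {"aws.credentialProvider": "instance", "aws.mode": "user"}
SAMPLE_UNFILLED_DEFAULT_SYSTEM = {
    "aws.credentialProvider": "default", "aws.mode": "system",
    "aws.s3.key": "<key>", "aws.s3.secret": "<secret>",
}
SAMPLE_STRAY_SECRET = {
    "aws.credentialProvider": "temporary", "aws.mode": "user",
    "aws.s3.key": "CONSTRUCTED-KEY", "aws.s3.secret": "CONSTRUCTED-SECRET",
}

if __name__ == "__main__":
    for name, sample in [("temporary/system", SAMPLE_TEMPORARY_SYSTEM),
                         ("instance/user", SAMPLE_INSTANCE_USER),
                         ("default/system with placeholders", SAMPLE_UNFILLED_DEFAULT_SYSTEM),
                         ("temporary/user with stray key", SAMPLE_STRAY_SECRET)]:
        print(name, "->", validate_aws_auth(sample) or "OK")
```

Run it against the fragment you intend to paste into the Admin Settings Page or trifacta-conf.json; an empty result means the provider/mode pair is one the table supports and its required parameters are filled in, while the stray-secret check catches the common mistake of switching to the instance or temporary provider without removing the old key and secret.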
Default credential provider
Whether the AWS access mode is set to system or user, the default credential provider for AWS and S3 resources is the Designer Cloud Powered by Trifacta platform.
Mode | Description | Configuration |
---|---|---|
"aws.mode": "system", | A single AWS Key and Secret is inserted into platform configuration. This account is used to access all resources and must have the appropriate permissions to do so. | "aws.s3.key": "<your_key_value>", "aws.s3.secret": "<your_key_value>", |
"aws.mode": "user", | Each user must specify an AWS Key and Secret into the account to access resources. | For more information on configuring individual user accounts, see Configure Your Access to S3. |
Default credential provider with EMR:
If you are using this method and integrating with an EMR cluster:
Copying the custom credential JAR file to the cluster must be added as a bootstrap action to the EMR cluster definition. See Configure for EMR.
As an alternative to copying the JAR file, you can use the EMR EC2 instance-based roles to govern access. In this case, you must set the following parameter:
"aws.emr.forceInstanceRole": true,
For more information, see Configure for EC2 Role-Based Authentication.
Instance credential provider
When the platform is running on an EC2 instance, you can manage permissions through pre-defined IAM roles.
Note: AWS mode must be set to system.
Note: If the Designer Cloud Powered by Trifacta platform is connected to an EMR cluster, you can force authentication to the EMR cluster to use the specified IAM instance role. See Configure for EMR.
For more information, see Configure for EC2 Role-Based Authentication.
Temporary credential provider
For even better security, you can enable the use of temporary credentials provided by your AWS resources, based on an IAM role specified per user.
Tip: This method is recommended by AWS.
Set the following property.
Property | Description |
---|---|
"aws.credentialProvider" | Set to "temporary" so that credentials are issued as temporary credentials based on IAM roles. |
Per-user authentication
Individual users can be configured to provide temporary credentials for access to AWS resources, which is a more secure authentication solution.
Optionally, you can leverage your existing S3 permission scheme by modifying the IAM role or roles used to access S3.
For more information, see Configure AWS Per-User Auth for Temporary Credentials.
Configure authentication for EMR
For more information, see Configure for EMR.