
Configure AWS Per-User Auth for Temporary Credentials

For Designer Cloud Powered by Trifacta Enterprise Edition, you can configure AWS authentication on a per-user basis, using temporary credentials for superior security.

Before You Begin

You must configure your AWS mode of access: system or user. For more information, see Configure for AWS.

Enable

To enable per-user authentication using temporary credentials, the following parameters must be set:

Property: "aws.readFromConfigurationService": false,
Description: Set this value to false for Designer Cloud Powered by Trifacta Enterprise Edition, which prevents the product from retrieving AWS-related configuration information from the incorrect source.

Property: "aws.mode": "user",
Description: Each user can specify credentials.

To authenticate to AWS services from the Designer Cloud Powered by Trifacta platform using an IAM role:

Property: "aws.ec2InstanceRoleForAssumeRole": true,
Description:
  • If true, then all users use the EC2 instance role for authenticating to the AWS STS service for their temporary credentials.

    Note

    You must ensure that the role provides adequate access to STS. Details are below.

    Tip

    This method is recommended.

  • If false, then a system-wide set of AWS key/secret credentials must be inserted into platform configuration in the Admin Settings page as the master set of credentials to access STS for temporary credentials:

    Properties to set:

    "aws.s3.key"
    "aws.s3.secret"

    Note

    After specifying the above key/secret combination, you can skip to the User Access section below.

Configure Per-User Authentication using IAM Role

Please complete the following general steps.

Steps:

  1. Instance role: Create an IAM role and link it to the EC2 instance where the Trifacta node is hosted.

    1. Include the following IAM policy:

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "VisualEditor0",
                  "Effect": "Allow",
                  "Action": "sts:AssumeRole",
                  "Resource": "arn:aws:iam::*:role/*"
              }
          ]
      }
    2. For more information, see https://aws.amazon.com/premiumsupport/knowledge-center/assign-iam-role-ec2-instance/.

  2. User role: Create another IAM role that provides the required access to the S3 buckets. Example:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "MyBucketAndObjectPermissions",
                "Action": [
                    "s3:GetBucketLocation",
                    "s3:ListBucket",
                    "s3:DeleteObject",
                    "s3:GetObject",
                    "s3:PutObject"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::<my_s3_bucket>",
                    "arn:aws:s3:::<my_s3_bucket>/*"
                ]
            },
            {
                "Sid": "TrifactaPublicDatasets",
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:ListBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::trifacta-public-datasets/*",
                    "arn:aws:s3:::trifacta-public-datasets"
                ]
            }
        ]
    }

    where:

    <my_s3_bucket> is the name of your bucket.

  3. Under the user role definition, edit the Trust relationship. Add the instance role to Principal:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": [
            "arn:aws:iam::<awsAccountId>:role/instanceRole"
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    1. For more information, see Insert Trust Relationship in AWS IAM Role.

    2. For more granular control over the Trust relationship, see https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html.

  4. AWS Glue: If you are integrating with AWS Glue, additional permissions must be set. For more information, see AWS Glue Access.

  5. Log in to the Designer Cloud Powered by Trifacta platform as an Alteryx admin.

  6. Click the link to specify storage settings. Populate the values for:

    1. IAM role

    2. Role ARN

    3. S3 Bucket Name

    4. For more information, see AWS Settings Page.

  7. Save your changes.

Enable Attribute-Based Access to S3

When IAM roles are used for per-user authentication, Designer Cloud Powered by Trifacta Enterprise Edition can be configured to pass an additional attribute as part of any request for S3 resources through the AWS Security Token Service (STS). This attribute, called a session tag, contains the Alteryx user identifier, which is the username part of the user's email address. This userId is used as the key within S3 to identify the permissions available to the user on S3. In this manner, you can leverage your existing enterprise S3 permissioning for more precise access, without having to replicate the permissioning in Designer Cloud Powered by Trifacta Enterprise Edition.

For more information on session tags, see https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html.
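The following is an added example, not code from Alteryx or the Trifacta platform. It models the S3 side of the mechanism described above: once the user's session carries a tag such as userId=<username>, a single S3 policy can reference that tag through the aws:PrincipalTag policy variable (the pattern in the linked AWS ABAC tutorial) so that each user reaches only the prefix named after them. The tag name, bucket and user names are constructed, the per-user-prefix policy layout is an assumed enterprise design, and the evaluator is a deliberately small model of variable substitution and wildcard matching, not AWS's policy engine.

```python
"""Model of how a session tag scopes S3 access (added example, not Alteryx code).

After the trust policy allows sts:TagSession, the AssumeRole call made for a
user carries a tag such as userId=<username>. An S3 policy can refer to that
tag through the aws:PrincipalTag policy variable, so one policy gives each
user access only to the prefix named after them. The evaluator below is a
deliberately small model of that variable substitution and wildcard matching,
not AWS's policy engine; the tag name, bucket and user names are constructed.
"""
import fnmatch
import re

TAG_NAME = "userId"                          # assumed value of the session tag name setting
BUCKET = "arn:aws:s3:::example-corp-data"    # constructed bucket ARN

# One policy serves every user: the variable resolves to the session tag value.
USER_SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OwnPrefixOnly",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": BUCKET + "/users/${aws:PrincipalTag/" + TAG_NAME + "}/*",
        },
        {
            # Constructed edge case: an explicit Deny overrides the Allow above.
            "Sid": "NoOneTouchesAudit",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": BUCKET + "/users/*/audit/*",
        },
    ],
}

_VARIABLE = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _resolve(template, session_tags):
    """Substitute ${aws:PrincipalTag/<key>}; a tag the session does not carry
    leaves the variable unresolvable, so the resource can never match."""
    def repl(match):
        return session_tags.get(match.group(1), "\0")  # NUL never occurs in a key
    return _VARIABLE.sub(repl, template)


def is_allowed(policy, session_tags, action, resource_arn):
    """Explicit Deny wins, then an Allow, otherwise implicit deny."""
    decisions = set()
    for stmt in _as_list(policy["Statement"]):
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt["Action"])):
            continue
        if any(fnmatch.fnmatchcase(resource_arn, _resolve(r, session_tags))
               for r in _as_list(stmt["Resource"])):
            decisions.add(stmt["Effect"])
    if "Deny" in decisions:
        return False
    return "Allow" in decisions


if __name__ == "__main__":
    alice = {TAG_NAME: "alice"}   # what the session would carry for user alice (constructed)
    for key in ("users/alice/report.csv", "users/bob/report.csv", "users/alice/audit/log"):
        verdict = is_allowed(USER_SCOPED_POLICY, alice, "s3:GetObject", BUCKET + "/" + key)
        print(key, "->", "allow" if verdict else "deny")
```

The point to take from the model is the third case in the usage block: a session with no tag at all resolves to nothing and is implicitly denied, which is why users must log out and back in after the feature is enabled so their sessions pick up the tag.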

Prerequisites

  • S3 must be set as the base storage layer. For more information, see Set Base Storage Layer.

  • Designer Cloud Powered by Trifacta Enterprise Edition must be configured to use IAM roles through the temporary credential provider mechanism for per-user authentication to AWS. See above.

  • A userId must be matched to the identifier that is used within the enterprise infrastructure to define S3 access.

  • If you are running jobs on EMR, EMR 5.29.0 and later is supported.

Note

After enabling the use of session tags, you must spin up a new EMR cluster, which forces EMR to use the newly deployed credential provider JAR file.

Specify general Hadoop bundle JAR file

This feature requires that you deploy the generic Hadoop bundle JAR file for use when running Spark jobs. Version-specific bundle JARs, which are used by default, do not have the latest AWS SDK binaries, which are required for this feature. There are no functional issues with using the generic bundle JAR, which includes these binaries.

Please complete the following steps.

Steps:

  1. You can apply this change through the Admin Settings Page (recommended) or trifacta-conf.json. For more information, see Platform Configuration Methods.

  2. Locate the following parameter and set it to the value listed below:

    "hadoopBundleJar": "hadoop-deps/generic-hadoop/build/libs/generic-hadoop-bundle.jar"
  3. Save your changes and restart the platform.

Modify IAM policy

The IAM policy used for S3 access must be modified to include the required permissions. When using session tags, any trust policies must have the sts:TagSession permission. Below, the previous trust relationship has been modified to include the required elements:

Note

The sts:TagSession permission must be added to all IAM roles that are used to connect to S3 or S3-related resources.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
        "arn:aws:iam::<awsAccountId>:role/instanceRole"
        ]
      },
      "Action": [
        "sts:AssumeRole",
        "sts:TagSession"
      ]
    }
  ]
}
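The following is an added example, not code from Alteryx or the Trifacta platform. It is an offline lint over the policy documents from steps 1 and 3 of the IAM role procedure above and from the session-tag modification just shown: it checks that the instance role policy allows sts:AssumeRole, that the user role's trust relationship names the instance role as a Principal, and that sts:TagSession is present once session tags are enabled. It also flags a trust policy whose Principal is "*", since that would let any AWS identity assume the user role. The account id in the ARN is a constructed placeholder.

```python
"""Offline lint for the IAM policy documents used in this procedure.

Added example (not Alteryx/Trifacta code). It checks the requirements the page
states for the instance role (step 1), the user role trust relationship
(step 3) and the session-tag modification:
  * the instance role policy must allow sts:AssumeRole;
  * the trust policy must name the instance role as a Principal and allow
    sts:AssumeRole;
  * once session tags are enabled, the trust policy must also allow
    sts:TagSession.
The account id below is a constructed placeholder.
"""
import fnmatch

INSTANCE_ROLE_ARN = "arn:aws:iam::123456789012:role/instanceRole"  # constructed


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]


def _action_allowed(policy, action):
    """True if some Allow statement grants `action`; IAM action matching is
    case-insensitive and accepts wildcards such as sts:*."""
    for stmt in _allow_statements(policy):
        for pattern in _as_list(stmt.get("Action")):
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                return True
    return False


def _aws_principals(policy):
    """Every AWS principal named by an Allow statement of a trust policy."""
    principals = []
    for stmt in _allow_statements(policy):
        principal = stmt.get("Principal")
        if principal == "*":
            principals.append("*")
        elif isinstance(principal, dict):
            principals.extend(_as_list(principal.get("AWS")))
    return principals


def check_instance_policy(policy):
    """Findings for the policy attached to the EC2 instance role (step 1)."""
    findings = []
    if not _action_allowed(policy, "sts:AssumeRole"):
        findings.append("instance role policy does not allow sts:AssumeRole")
    return findings


def check_trust_policy(policy, instance_role_arn, session_tags=False):
    """Findings for the user role's trust relationship (step 3); pass
    session_tags=True once the Session Tags setting is enabled."""
    findings = []
    principals = _aws_principals(policy)
    if "*" in principals:
        findings.append("trust policy lets any AWS principal assume the role")
    if instance_role_arn not in principals:
        findings.append("trust policy does not name " + instance_role_arn)
    if not _action_allowed(policy, "sts:AssumeRole"):
        findings.append("trust policy does not allow sts:AssumeRole")
    if session_tags and not _action_allowed(policy, "sts:TagSession"):
        findings.append("session tags enabled but trust policy lacks sts:TagSession")
    return findings


# The documents from this page, with the placeholder account id filled in.
INSTANCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
                   "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::*:role/*"}],
}
TRUST_BEFORE_TAGS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": [INSTANCE_ROLE_ARN]},
                   "Action": "sts:AssumeRole"}],
}
TRUST_WITH_TAGS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": [INSTANCE_ROLE_ARN]},
                   "Action": ["sts:AssumeRole", "sts:TagSession"]}],
}

if __name__ == "__main__":
    print("instance policy:", check_instance_policy(INSTANCE_POLICY) or "ok")
    print("trust, tags off:", check_trust_policy(TRUST_BEFORE_TAGS, INSTANCE_ROLE_ARN) or "ok")
    print("trust, tags on, old document:",
          check_trust_policy(TRUST_BEFORE_TAGS, INSTANCE_ROLE_ARN, session_tags=True))
    print("trust, tags on, new document:",
          check_trust_policy(TRUST_WITH_TAGS, INSTANCE_ROLE_ARN, session_tags=True) or "ok")
```

Run it against the JSON you are about to paste into the AWS console (json.load the file and pass the dict) with session_tags set to match the Workspace Settings toggle; the third printed line shows the exact finding you get when the feature is switched on before the trust relationship is updated.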

Enable

When the above change has been applied, you can enable the feature.

Steps:

  1. You apply this change through the Workspace Settings Page. For more information, see Platform Configuration Methods.

  2. Locate the following setting, and set it to Enabled:

    Session Tags: Enable the use of session tags when assuming an IAM Role
  3. In the following setting, specify the value that the Trifacta Application should insert for the tag when requesting AWS resources:

    Session Tags: The name of the session tag that holds the username as its value
  4. A restart is not required.

Note

Users should log out and log in again to see the permission changes that result from the session tags.

User Access

After per-user authentication has been enabled, each user must provide or be provided the credentials and S3 bucket to use.

Users can insert a default S3 bucket and credentials to use in their profiles. See Configure Your Access to S3.