
Multiple AWS IAM Role Support in Dataserver

Dataserver supports a configurable IAM role that it assumes when sending requests to AWS, and the role can be chosen at the bucket level.

Users want to run Spark queries in Databricks against data in buckets that belong to multiple AWS accounts.

Multiple IAM role support in Dataserver solves this by mapping buckets to specific IAM roles.

For each query, Privacera Dataserver will:

  1. Extract the bucket name (bucketName) from the request.

  2. Find the IAM role to assume from the JSON mapping.

  3. Get temporary credentials for that IAM role and send the request with them.
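
The three steps above, as an added Python example (not Dataserver's own code): it parses a config in the priv_security_config.json layout that the configuration steps on this page describe, extracts the bucket from an S3 request host and path, picks the role (wildcards such as buck* included, with fall-back to DefaultRole for unmapped buckets and for non-S3 services), and obtains temporary credentials through STS AssumeRole. The bucket extraction helper, the first-match tie-break between overlapping mappings, the five-minute refresh margin and the StubSts stand-in are this example's assumptions; the account IDs are the page's placeholders.

```python
import fnmatch
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of priv_security_config.json from this page;
# the account IDs are the page's placeholders, not real accounts.
SAMPLE_SECURITY_CONFIG = """
{
  "DefaultRole": "arn:aws:iam::123456654321:role/DefaultRole",
  "RoleMappings": [
    {"Role": "arn:aws:iam::123456789012:role/RoleA", "BucketNames": ["bucketA", "bucketB"]},
    {"Role": "arn:aws:iam::987654321012:role/RoleB", "BucketNames": ["buck*"]}
  ]
}
"""

# S3 endpoint shapes handled by extract_bucket (hypothetical helper, not Dataserver's parser):
#   virtual-hosted: <bucket>.s3[.<region>].amazonaws.com/<key>
#   path-style:     s3[.<region>].amazonaws.com/<bucket>/<key>
_VHOST_RE = re.compile(r"^(?P<bucket>.+)\.s3(?:[.-][a-z0-9.-]+)?\.amazonaws\.com$")
_PATH_RE = re.compile(r"^s3(?:[.-][a-z0-9.-]+)?\.amazonaws\.com$")


def load_security_config(text):
    """Parse the security config; DefaultRole is mandatory because it is the fallback for everything."""
    cfg = json.loads(text)
    if not isinstance(cfg.get("DefaultRole"), str):
        raise ValueError("priv_security_config.json must define a DefaultRole ARN")
    return cfg


def extract_bucket(host, path):
    """Step 1: pull the bucket name out of an S3 request, or None if the host is not an S3 endpoint."""
    host = host.split(":")[0]  # drop a port if present
    m = _VHOST_RE.match(host)
    if m:
        return m.group("bucket")
    if _PATH_RE.match(host):
        return path.lstrip("/").split("/", 1)[0] or None
    return None


def resolve_role(cfg, service, bucket_name=None):
    """Step 2: pick the role to assume.

    Only S3 requests are mapped per bucket; every other AWS service, and any bucket
    without a mapping, falls back to DefaultRole. A BucketNames entry matches on an
    exact name or a shell-style wildcard such as "buck*". The first mapping that
    matches wins; that tie-break is this example's choice, the page does not say
    how Dataserver orders overlapping entries.
    """
    if service != "s3" or not bucket_name:
        return cfg["DefaultRole"]
    for mapping in cfg.get("RoleMappings", []):
        for pattern in mapping.get("BucketNames", []):
            if bucket_name == pattern or fnmatch.fnmatchcase(bucket_name, pattern):
                return mapping["Role"]
    return cfg["DefaultRole"]


def assume_role_credentials(sts_client, role_arn, session_name, cache):
    """Step 3: get temporary credentials for role_arn through STS AssumeRole.

    sts_client is anything with boto3's assume_role(...) method, so a real
    boto3.client("sts") or the stub below both work. Credentials are cached per role
    and refreshed five minutes before expiry, so a burst of requests for one bucket
    does not become a burst of STS calls.
    """
    now = datetime.now(timezone.utc)
    cached = cache.get(role_arn)
    if cached and cached["Expiration"] - timedelta(minutes=5) > now:
        return cached
    resp = sts_client.assume_role(RoleArn=role_arn, RoleSessionName=session_name, DurationSeconds=3600)
    cache[role_arn] = resp["Credentials"]
    return cache[role_arn]


def credentials_for_request(cfg, sts_client, service, host, path, cache):
    """Run the three steps for one request and return (role_arn, credentials)."""
    bucket = extract_bucket(host, path) if service == "s3" else None
    role = resolve_role(cfg, service, bucket)
    return role, assume_role_credentials(sts_client, role, "privacera-dataserver", cache)


class StubSts:
    """Constructed offline stand-in for boto3's STS client; records which roles were requested."""

    def __init__(self):
        self.calls = []

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds):
        self.calls.append(RoleArn)
        return {"Credentials": {
            "AccessKeyId": "ASIA-" + RoleArn.rsplit("/", 1)[1],  # fake key, tagged with the role name
            "SecretAccessKey": "constructed",
            "SessionToken": "constructed",
            "Expiration": datetime.now(timezone.utc) + timedelta(seconds=DurationSeconds),
        }}


if __name__ == "__main__":
    cfg, sts, cache = load_security_config(SAMPLE_SECURITY_CONFIG), StubSts(), {}
    for host, path in [("bucketA.s3.amazonaws.com", "/data/part-0"),
                       ("s3.us-east-1.amazonaws.com", "/buckZ/x"), ("other.s3.amazonaws.com", "/y")]:
        role, creds = credentials_for_request(cfg, sts, "s3", host, path, cache)
        print(host, path, "->", role, creds["AccessKeyId"])
```

Running it with the stub shows bucketA going to RoleA, buckZ to RoleB through the wildcard, and an unmapped bucket to DefaultRole; a second request for bucketB (also RoleA) is served from the cache without another STS call. In a deployment, pass boto3.client("sts") in place of StubSts and keep the cache keyed by role ARN so credentials for one account never leak into requests for another.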

The following are the steps to configure the IAM roles.

  1. SSH to the EC2 instance where Privacera Dataserver is installed.

  2. Enable multi-account access in Privacera Dataserver, using either the Privacera Manager CLI or the PM UI.

    Privacera Manager CLI:

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.dataserver.aws.yml config/custom-vars/
    vi config/custom-vars/vars.dataserver.aws.yml

    Add the new property.

    DATASERVER_AWS_MULTI_ACCOUNT_ACCESS_ENABLE: "true"

    Privacera Manager UI:

    1. On the PM UI, do one of the following:

      If you're on the Setup Environment page, navigate to the Setup Access Manager > Configure Data Access Server > Custom tab.

      Or

      If you're on the PM UI Dashboard, navigate to Data Access Server > Config tab > Custom tab.

    2. Click Add Custom Property, and enter the property name DATASERVER_AWS_MULTI_ACCOUNT_ACCESS_ENABLE with the value true.

    3. Select the property type Text.

    4. Click Add.

  3. Update the Security config JSON with the default IAM role.

    vi ~/privacera/docker/dataserver/conf/priv_security_config.json

    Dataserver uses the DefaultRole below to authenticate to all AWS services.

    {
      "DefaultRole": "arn:aws:iam::123456654321:role/DefaultRole"
    }
    
  4. If you want to configure an IAM role per bucket, update the Security config as below:

    {
      "DefaultRole": "arn:aws:iam::123456654321:role/DefaultRole",
      "RoleMappings": [
        {
          "Role": "arn:aws:iam::123456789012:role/RoleA",
          "BucketNames": [
            "bucketA",
            "bucketB"
          ]
        },
        {
          "Role": "arn:aws:iam::987654321012:role/RoleB",
          "BucketNames": [
            "buck*"
          ]
        }
      ]
    }

    Note

    • The role-bucket mapping above applies only to the AWS S3 service, not to other AWS services. To authenticate to other AWS services, Dataserver always uses DefaultRole.

    • Wildcards are supported when specifying bucket names in the mapping, for example buck*.

  5. Update Privacera Manager, using either the Privacera Manager CLI or the PM UI.

    Privacera Manager CLI, run the following command:

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update

    Privacera Manager UI, do one of the following:

    If you're on the Setup Environment page, go to Install and then click Install & Start Services.

    Or

    If you're on the PM UI Dashboard, navigate to System Settings > Install and then click Install & Start Services.

  6. Set the assume-role permission for the Dataserver instance role in the AWS console.

    • The IAM role attached to the Privacera Dataserver instance is the one that assumes the other roles. This instance IAM role therefore needs permission to assume each IAM role configured in the Security config JSON, which you can grant from the AWS console.

    • Log in to the AWS console, go to the IAM service and then click Roles.

    • Select the Privacera Dataserver role and edit an existing policy or add a new policy.

    • Enter the statement below.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [
              "arn:aws:iam::123456789012:role/RoleA",
              "arn:aws:iam::987654321012:role/RoleB",
              "arn:aws:iam::123456654321:role/DefaultRole"
            ]
          }
        ]
      }
      
  7. Each IAM role added above needs to trust the IAM role attached to your Privacera Dataserver instance (e.g. arn:aws:iam::999999999999:role/PRIV_DATASERVER_ROLE).

    • Go to the IAM service and click Roles.

    • Select your IAM role and edit its Trust Relationship.

    • Enter the statement below.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "AWS": [
                "arn:aws:iam::999999999999:role/PRIV_DATASERVER_ROLE"
              ]
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }
      
  8. If you are still facing issues, the steps below enable debug logs in Dataserver, which will help you diagnose and resolve the issue faster.

    vi ~/privacera/docker/dataserver/conf/log4j2.xml

    Change line number 40 to the following:

    <Logger name="com.privacera" level="debug" additivity="false">

    • Restart the Dataserver, using either the Privacera Manager CLI or the PM UI.

      Privacera Manager CLI, run the following command:

      ./privacera-manager.sh restart dataserver

      Privacera Manager UI:

      In the Dashboard, navigate to Privacera Services > Data Access Server and then click Restart Service.

    • Check the Dataserver log file:

      ~/privacera/docker/logs/privacera/dataserver/dataserver.log
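
Before turning on debug logging, the most common cause of AssumeRole failures in this setup is one side of the trust being missing: the instance role's policy (step 6) does not list a role, or a role's trust relationship (step 7) does not name the instance role. The following is an added Python check, not part of Privacera or this page, that reads the three documents and reports every role in the security config that is not assumable from both sides. It also flags wildcard grants, which make AssumeRole work but are broader than the per-role listing the page shows. The policy and trust documents are constructed inline from the page's placeholder ARNs; RoleB's trust policy is deliberately wrong so the check has something to find. In practice you would fetch them with iam:GetRolePolicy and iam:GetRole and feed the parsed documents to check_assume_role_setup.

```python
# Added consistency check for the two-sided IAM wiring from steps 6 and 7: the
# Dataserver instance role must be allowed to call sts:AssumeRole on every role in
# the security config, and every one of those roles must trust it back.

INSTANCE_ROLE = "arn:aws:iam::999999999999:role/PRIV_DATASERVER_ROLE"  # placeholder ARN from this page

SECURITY_CONFIG = {  # mirrors the per-bucket Security config from step 4
    "DefaultRole": "arn:aws:iam::123456654321:role/DefaultRole",
    "RoleMappings": [
        {"Role": "arn:aws:iam::123456789012:role/RoleA", "BucketNames": ["bucketA", "bucketB"]},
        {"Role": "arn:aws:iam::987654321012:role/RoleB", "BucketNames": ["buck*"]},
    ],
}

INSTANCE_POLICY = {  # the identity policy from step 6, attached to the instance role
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": ["arn:aws:iam::123456789012:role/RoleA",
                     "arn:aws:iam::987654321012:role/RoleB",
                     "arn:aws:iam::123456654321:role/DefaultRole"],
    }],
}


def trust_policy_for(principal_arn):
    """Build the trust relationship from step 7 for a given principal."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": [principal_arn]}, "Action": "sts:AssumeRole"}]}


# Constructed trust policies as they might be read back from IAM; RoleB's is
# deliberately wrong (it trusts its own account root, not the Dataserver role).
TRUST_POLICIES = {
    "arn:aws:iam::123456654321:role/DefaultRole": trust_policy_for(INSTANCE_ROLE),
    "arn:aws:iam::123456789012:role/RoleA": trust_policy_for(INSTANCE_ROLE),
    "arn:aws:iam::987654321012:role/RoleB": trust_policy_for("arn:aws:iam::987654321012:root"),
}


def _as_list(value):
    """IAM lets Statement, Action, Resource and Principal.AWS be a string/object or a list."""
    return value if isinstance(value, list) else [value]


def configured_roles(cfg):
    """All roles Dataserver may assume: DefaultRole first, then each mapping's role, no duplicates."""
    roles = [cfg["DefaultRole"]] + [m["Role"] for m in cfg.get("RoleMappings", [])]
    return list(dict.fromkeys(roles))


def policy_allows_assume(policy, role_arn):
    """'exact' if an Allow statement names role_arn as a Resource for sts:AssumeRole,
    'broad' if it only does so through a '*' resource, None if not allowed at all."""
    result = None
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(stmt.get("Action", []))):
            continue
        resources = _as_list(stmt.get("Resource", []))
        if role_arn in resources:
            return "exact"
        if "*" in resources:
            result = "broad"
    return result


def trust_allows(trust_policy, principal_arn):
    """Same three-way answer for a role's trust policy and the principal wanting to assume it."""
    result = None
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if principal_arn in aws:
            return "exact"
        if "*" in aws:
            result = "broad"
    return result


def check_assume_role_setup(cfg, instance_role, instance_policy, trust_policies):
    """Return (role_arn, message) findings; an empty list means steps 6 and 7 are consistent."""
    findings = []
    for role in configured_roles(cfg):
        grant = policy_allows_assume(instance_policy, role)
        if grant is None:
            findings.append((role, "instance role policy does not allow sts:AssumeRole on this role"))
        elif grant == "broad":
            findings.append((role, "instance role policy allows sts:AssumeRole only via Resource '*'; list the role"))
        trust = trust_policies.get(role)
        if trust is None:
            findings.append((role, "no trust policy available to check"))
        elif trust_allows(trust, instance_role) is None:
            findings.append((role, "trust policy does not allow %s to assume it" % instance_role))
        elif trust_allows(trust, instance_role) == "broad":
            findings.append((role, "trust policy allows any AWS principal; restrict it to the instance role"))
    return findings


if __name__ == "__main__":
    for role, message in check_assume_role_setup(SECURITY_CONFIG, INSTANCE_ROLE, INSTANCE_POLICY, TRUST_POLICIES):
        print(role, "->", message)
```

On the constructed input the only finding is for RoleB, whose trust policy names its own account root instead of the Dataserver instance role; after correcting that trust relationship the check returns an empty list. A '*' in either document is reported even though AssumeRole would succeed, because the page's configuration grants each side to a named role and nothing wider.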
    

Last update: September 15, 2021