IAM Role For Data Lake Access

Creating an IAM Policy For Data Lake Location

The following step-by-step instructions describe how to configure access permissions for iomete:

  • Log into your AWS Management Console
  • Go to Identity & Access Management (IAM) -> Policies -> Create Policy:

Create Policy button on Policies page

  • In the policy editor, click the JSON tab
  • Add a policy document that will allow iomete to access the S3 bucket and folder.
    The following policy (in JSON format) provides iomete with the required permissions to load or unload data using a single bucket and folder path. Copy and paste the text into the policy editor:

Note: provide the bucket and prefix of your data lake location.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
              "s3:PutObject",
              "s3:GetObject",
              "s3:GetObjectVersion",
              "s3:DeleteObject",
              "s3:DeleteObjectVersion"
            ],
            "Resource": "arn:aws:s3:::<bucket>/*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<bucket>"
        }
    ]
}

After reviewing the policy, save it with the name: iomete_datalake_access

Create the IAM Role

In the AWS Management Console, create an AWS IAM role to grant privileges on the S3 bucket containing your data files.

  • Log into your AWS Management Console
  • Go to Identity & Access Management (IAM) -> Roles -> Create role:
  • Select Another AWS account as the trusted entity type

Select Trusted Entity Page in AWS Management Console

  • In the Account ID field, enter the iomete account ID: 680330367469
  • Click the Next: Permissions button.
  • Locate the policy you created in the previous step (iomete_datalake_access), and select this policy
  • Go to Review and provide a name. For example, default_iomete_access_role
  • Edit the default_iomete_access_role role and switch to the Trust relationships section of the role:

Click the Edit trust relationship button and add the following JSON policy. Replace the placeholder with the IAM role provided by iomete; it will look like arn:aws:iam::680330367469:role/dwh-master-role-frankfurt. JSON does not allow comments, so paste the policy exactly as shown:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<IAM ROLE PROVIDED BY IOMETE>"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
  • In the role summary, copy the Role ARN.
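
A pre-flight check for the two policy documents above, as an added example (not iomete's or AWS's own code): it confirms that each document is strict JSON, that the trust policy allows only sts:AssumeRole to a role in the iomete account 680330367469, and that every S3 resource stays inside your bucket. The function names and the sample input are assumptions made for illustration.

```python
import json
import re
# Helper names below are illustrative, not an AWS or iomete API.
IOMETE_ACCOUNT_ID = "680330367469"  # iomete account ID given on this page
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
S3_ARN = re.compile(r"^arn:aws:s3:::([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])(/.*)?$")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _statements(text):
    """Parse a policy document; IAM accepts only strict JSON (no // comments)."""
    try:
        return _as_list(json.loads(text).get("Statement", [])), []
    except (json.JSONDecodeError, AttributeError) as exc:
        return [], [f"not valid JSON policy: {exc}"]

def check_trust_policy(text):
    """Problems in the role's trust policy (empty list means it passed)."""
    statements, problems = _statements(text)
    for stmt in statements:
        if _as_list(stmt.get("Action")) != ["sts:AssumeRole"]:
            problems.append("Action should be exactly sts:AssumeRole")
        principal = stmt.get("Principal")
        arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if not arns:
            problems.append("Principal must name an AWS role ARN")
        for arn in arns:
            match = ROLE_ARN.match(str(arn))
            if not match:  # unreplaced placeholder, account root, or "*"
                problems.append(f"principal is not a role ARN: {arn}")
            elif match.group(1) != IOMETE_ACCOUNT_ID:
                problems.append(f"principal outside account {IOMETE_ACCOUNT_ID}: {arn}")
    return problems

def check_access_policy(text, bucket):
    """Problems in the data lake policy: every Resource must stay in `bucket`."""
    statements, problems = _statements(text)
    for stmt in statements:
        for res in _as_list(stmt.get("Resource", [])):
            match = S3_ARN.match(str(res))
            if not match or match.group(1) != bucket:
                problems.append(f"resource not scoped to bucket {bucket}: {res}")
    return problems

if __name__ == "__main__":
    # Constructed sample: trust policy still carrying an inline // comment.
    sample = '{"Statement": [{"Principal": {"AWS": "x"} // note\n}]}'
    print(check_trust_policy(sample))
```

Run both checks on the text you are about to paste into the policy editor; an empty list from each means the document passed.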
