AWS IAM policies
A policy in AWS IAM declares a set of permissions on a specific AWS resource. After creating a policy, you need to attach it to an IAM role or user. As such, the IAM role or user is assigned the permissions declared in the policy to access the specified AWS resource.
Different operations in CelerData require you to have access permissions on different AWS resources, and therefore you need to configure different policies.
This topic provides the IAM policies that you need to configure for CelerData to integrate with different AWS resources in various business scenarios when you choose the instance profile, assumed role, or IAM user-based authentication method.
Batch load data from AWS S3
If you want to load data from your S3 bucket, configure the following IAM policy:
NOTICE
Replace
<bucket_name>in the following JSON policy template with the name of your S3 bucket that stores your data files.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "s3",
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::<bucket_name>/*"
]
},
{
"Sid": "s3list",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::<bucket_name>"
]
}
]
}
Read/write AWS S3
If you want to query data from your S3 bucket, configure the following IAM policy:
NOTICE
Replace
<bucket_name>in the following JSON policy template with the name of your S3 bucket that stores your data files.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "s3",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::<bucket_name>/*"
]
},
{
"Sid": "s3list",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::<bucket_name>"
]
}
]
}
Integrate with AWS Glue
If you want to integrate with your AWS Glue Data Catalog, configure the following IAM policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"glue:BatchCreatePartition",
"glue:UpdateDatabase",
"glue:GetConnections",
"glue:CreateTable",
"glue:DeleteDatabase",
"glue:BatchUpdatePartition",
"glue:GetTables",
"glue:GetTableVersions",
"glue:GetPartitions",
"glue:UpdateTable",
"glue:BatchGetPartition",
"glue:DeleteTable",
"glue:GetDatabases",
"glue:GetDevEndpoint",
"glue:GetTable",
"glue:GetDatabase",
"glue:GetPartition",
"glue:GetDevEndpoints",
"glue:GetConnection",
"glue:CreateDatabase",
"glue:CreatePartition",
"glue:DeletePartition",
"glue:UpdatePartition"
],
"Resource": [
"*"
]
}
]
}
Create a data credential
When creating a CelerData cluster, you need to attach the following IAM policy to the data credential role. You can directly copy the policy from the IAM policy information field in the Data credential section.
NOTICE
Replace
<s3-bucket-name>in the following JSON policy template with the name of your S3 bucket used to store query profiles.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutBucketCORS",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::<s3-bucket-name>"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::<s3-bucket-name>/*"
}
]
}
Create a deployment credential
When creating a CelerData cluster, you need to attach the following IAM policy to the deployment credential role. You can directly copy the policy from the IAM policy information field in the Deployment credential section after clicking Generate policy.
NOTICE
In the following JSON policy template, replace
<Storage Role ARN>with the ARN of the data credential role and<s3-bucket-name>with the name of the data credential bucket.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:TerminateInstances",
"ec2:StopInstances",
"ec2:StartInstances",
"ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume",
"ec2:DetachVolume",
"ec2:AttachVolume",
"ec2:DeleteVolume"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/CelerdataManaged": "true"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/CelerdataManaged": "true"
}
}
},
{
"Effect": "Allow",
"Action": "ec2:RunInstances",
"Resource": [
"arn:aws:ec2:*::image/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:subnet/*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:RunInstances"
],
"Resource": "arn:aws:ec2:*:*:placement-group/*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/CelerdataManaged": "true"
}
}
},
{
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*"
],
"Condition": {
"StringEquals": {
"ec2:CreateAction": "RunInstances"
}
}
},
{
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": "arn:aws:ec2:*:*:placement-group/*",
"Condition": {
"StringEquals": {
"ec2:CreateAction": "CreatePlacementGroup"
}
}
},
{
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:placement-group/*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/CelerdataManaged": "true"
},
"ForAllValues:StringNotEquals": {
"aws:TagKeys": "CelerdataManaged"
}
}
},
{
"Effect": "Allow",
"Action": "ec2:DeleteTags",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:placement-group/*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/CelerdataManaged": "true"
},
"ForAllValues:StringNotEquals": {
"aws:TagKeys": "CelerdataManaged"
}
}
},
{
"Effect": "Allow",
"Action": "ec2:DeletePlacementGroup",
"Resource": "arn:aws:ec2:*:*:placement-group/*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/CelerdataManaged": "true"
}
}
},
{
"Effect": "Allow",
"Action": "ec2:CreatePlacementGroup",
"Resource": "arn:aws:ec2:*:*:placement-group/*",
"Condition": {
"StringEquals": {
"aws:RequestTag/CelerdataManaged": "true"
}
}
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateTargetGroup"
],
"Resource": [
"arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/CelerdataManaged": "true"
}
}
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"elasticloadbalancing:DeregisterTargets",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:ModifyListenerAttributes",
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:ModifyListener"
],
"Resource": [
"arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
],
"Condition": {
"StringEquals": {
"elasticloadbalancing:ResourceTag/CelerdataManaged": "true"
}
}
},
{
"Effect": "Allow",
"Action": "elasticloadbalancing:AddTags",
"Resource": [
"arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*"
]
},
{
"Effect": "Allow",
"Action": "elasticloadbalancing:AddTags",
"Resource": [
"arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*"
],
"Condition": {
"StringEquals": {
"elasticloadbalancing:ResourceTag/CelerdataManaged": "true"
},
"ForAllValues:StringNotEquals": {
"aws:TagKeys": "CelerdataManaged"
}
}
},
{
"Effect": "Allow",
"Action": "elasticloadbalancing:RemoveTags",
"Resource": [
"arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*"
],
"Condition": {
"StringEquals": {
"elasticloadbalancing:ResourceTag/CelerdataManaged": "true"
},
"ForAllValues:StringNotEquals": {
"aws:TagKeys": "CelerdataManaged"
}
}
},
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeImages",
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInstances",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceCreditSpecifications",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeNetworkInterfaceAttribute",
"ec2:DescribePlacementGroups",
"ec2:DescribeSecurityGroups",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications",
"ec2:DescribePrefixLists",
"ec2:DescribeRouteTables",
"ec2:DescribeInternetGateways",
"ec2:DescribeAddresses",
"ec2:DescribeAccountAttributes",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:DescribeTargetGroups"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"<Storage Role ARN>"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::<s3-bucket-name>"
}
]
}