AWS restricted policy
As Administrator, you must include the AWS restricted policy in your IAM role to limit access to the environment. You must include this policy before you activate the environment in Cloudera Data Warehouse.
- Attach the AWS restricted policy described below to your cross-account role.
- Add ARNs to the role or a new sid with appropriate permissions to the AWS restricted policy.
For more information, see "RAZ-enabled Data Lake restricted policy" below.
Attaching the policy to your cross-account role
- In the AWS management console, find the Cross-account IAM role you created.
- Go to the following GitHub links to get the restricted policy files without comments:
  - Restricted policy file 1
  - Restricted policy file 2
For your information, you can get a commented version of each file that explains each line in the policy.
- Attach the policies to your IAM role.
- In the Restricted policy file 1 without comments, replace ${DATALAKE_BUCKET} with the name of your S3 bucket, for example my-bucket.
- Attach both restricted policy file 1 and restricted policy file 2 without comments to your IAM role.
Do not attach the policy files with comments; doing so causes an error because IAM policy documents must be valid JSON.
RAZ-enabled Data Lake restricted policy
- File 1, append ARNs to role: in your cross-account restricted policy, append all policy ARNs attached to the RAZ role to the existing sid "AttachRole".
- File 2, add a new sid: add "AttachRAZPolicyToNodeInstance" to the cross-account JSON policy.
File 1 append ARNs to role
Append all the policy ARNs attached to the RAZ role to the value of the sid key "AttachRole" in your cross-account restricted policy.
{
"Sid": "AttachRole",
"Effect": "Allow",
"Action": "iam:AttachRolePolicy",
"Resource": [
"arn:aws:iam::*:role/env-*-dwx-stack-EKSServiceRole-*",
"arn:aws:iam::*:role/env-*-dwx-stack-NodeInstanceRole-*"
],
"Condition": {
"ForAnyValue:ArnEqualsIfExists": {
"iam:PolicyARN": [
"arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
"arn:aws:iam::aws:policy/AmazonEKSServicePolicy",
"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
"arn:aws:iam::aws:policy/CloudWatchAgentAdminPolicy"
...
]
}
}
}
Replace the ellipsis … placeholder above with all policy ARNs attached to the RAZ role as shown in the example below. See IAM policy definitions for more information about these policies.
arn:aws:iam::1234567:policy/aws-cdp-datalake-admin-s3-policy
arn:aws:iam::1234567:policy/aws-cdp-bucket-access-policy
arn:aws:iam::1234567:policy/aws-datalake-backup-policy
arn:aws:iam::1234567:policy/aws-datalake-restore-policy
File 2 Add sid to policy
Add the new sid "AttachRAZPolicyToNodeInstance" value to the cross-account JSON policy. Use the pattern ${ANY_WILDCARD_REGEX} as a value for the key "iam:PolicyARN", as shown in the example below.
Example policies attached to the RAZ/Data Lake Admin role
arn:aws:iam::1234567:policy/cdp-dev-datalake-admin-s3-policy
arn:aws:iam::1234567:policy/cdp-dev-datalake-bucket-access-policy
arn:aws:iam::1234567:policy/cdp-dev-datalake-backup-policy
arn:aws:iam::1234567:policy/cdp-dev-datalake-restore-policy
The regex is "arn:aws:iam::1234567:policy/cdp-dev-datalake*" (an ArnLike wildcard pattern, where * and ? are the only wildcards). Keep the pattern as specific as possible: any policy in the account whose ARN matches it can be attached to the NodeInstanceRole.
{
"Sid": "AttachRAZPolicyToNodeInstance",
"Effect": "Allow",
"Action": "iam:AttachRolePolicy",
"Resource": [
"arn:aws:iam::*:role/env-*-dwx-stack-NodeInstanceRole-*"
],
"Condition": {
"ForAnyValue:ArnLikeIfExists": {
"iam:PolicyARN": "arn:aws:iam::<AWS_ACCOUNT_ID>:policy/${ANY_WILDCARD_REGEX}"
}
}
}
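The following added example (not part of the Cloudera documentation or its policy files) builds the two statements described above for File 1 and File 2 from the list of policy ARNs attached to the RAZ role, and checks that the chosen ArnLike wildcard covers every RAZ policy without also matching unrelated policies in the account. The account ID, policy names, and the shortened list of AWS managed policies are constructed sample values; arn_like is a simplified stand-in for IAM's ArnLike matching.

```python
import fnmatch

# Constructed sample (not a real account): policies attached to the RAZ /
# Data Lake Admin role, as in the documentation's example.
RAZ_ROLE_POLICY_ARNS = [
    "arn:aws:iam::1234567:policy/cdp-dev-datalake-admin-s3-policy",
    "arn:aws:iam::1234567:policy/cdp-dev-datalake-bucket-access-policy",
    "arn:aws:iam::1234567:policy/cdp-dev-datalake-backup-policy",
    "arn:aws:iam::1234567:policy/cdp-dev-datalake-restore-policy",
]
# AWS managed policies already listed in the AttachRole sid (shortened here).
AWS_MANAGED_ARNS = [
    "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
    "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
]

def build_attach_role_sid(raz_arns):
    """File 1: AttachRole statement with the RAZ policy ARNs appended in place of the '...'."""
    return {
        "Sid": "AttachRole", "Effect": "Allow", "Action": "iam:AttachRolePolicy",
        "Resource": ["arn:aws:iam::*:role/env-*-dwx-stack-EKSServiceRole-*",
                     "arn:aws:iam::*:role/env-*-dwx-stack-NodeInstanceRole-*"],
        "Condition": {"ForAnyValue:ArnEqualsIfExists": {
            "iam:PolicyARN": AWS_MANAGED_ARNS + list(raz_arns)}},
    }

def build_attach_raz_sid(account_id, name_pattern):
    """File 2: AttachRAZPolicyToNodeInstance statement with an ArnLike wildcard."""
    return {
        "Sid": "AttachRAZPolicyToNodeInstance", "Effect": "Allow",
        "Action": "iam:AttachRolePolicy",
        "Resource": ["arn:aws:iam::*:role/env-*-dwx-stack-NodeInstanceRole-*"],
        "Condition": {"ForAnyValue:ArnLikeIfExists": {
            "iam:PolicyARN": f"arn:aws:iam::{account_id}:policy/{name_pattern}"}},
    }

def arn_like(pattern, arn):
    """Approximate IAM ArnLike: '*' and '?' match within each of the six colon-delimited segments."""
    p, a = pattern.split(":", 5), arn.split(":", 5)
    return len(p) == len(a) == 6 and all(fnmatch.fnmatchcase(x, y) for x, y in zip(a, p))

def check_pattern(pattern, must_match, must_not_match):
    """Return (RAZ ARNs the wildcard misses, unrelated ARNs it would also allow)."""
    missed = [x for x in must_match if not arn_like(pattern, x)]
    over = [x for x in must_not_match if arn_like(pattern, x)]
    return missed, over
```

Run check_pattern with the real RAZ policy ARNs and the other customer-managed policies in the account before committing to a wildcard; an empty second list confirms the pattern does not widen what the cross-account role may attach.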
For more information about using RAZ, see fine-grained access control and CDP policies documentation.