Create the restricted policies and attach them to the CDP cross-account role

Update the environment role to use the Data Hub and Compute restricted policies. You can do this during the environment-creation process or before you enable the environment.

To enable the DataFlow experience after the environment has been created, the Administrator needs to attach the Compute Restricted IAM policy and the Data Hub restricted policy to the CDP cross-account role associated with the environment.

  1. Go to the Environments page.
  2. In the Create Cross-account Access Policy field, attach the Compute Restricted IAM policy.
    1. Replace the following placeholders in the JSON file:
      • [YOUR-ACCOUNT-ID] with your account ID in use.
      • [YOUR-IAM-ROLE-NAME] with the IAM restricted role associated with this policy.
      • [YOUR-SUBNET-ARN-*] with the ARN of each subnet supplied during CDP environment creation, one array entry per subnet.
      • [YOUR-IDBROKER-ROLE-NAME] with the ID Broker Role name in use.
      • [YOUR-LOG-ROLE-NAME] with the Log Role name in use.
      • [YOUR-KMS-CUSTOMER-MANAGED-KEY-ARN] with the ARN of your KMS customer-managed key.
    2. Paste the following Compute Restricted IAM policy.
      
      {
         "Version":"2012-10-17",
         "Id":"ComputePolicy_v5",
         "Statement":[
            {
               "Sid":"SimulatePrincipalPolicy",
               "Effect":"Allow",
               "Action":[
                  "iam:SimulatePrincipalPolicy"
               ],
               "Resource":[
                  "arn:aws:iam::[YOUR-ACCOUNT-ID]:role/[YOUR-IAM-ROLE-NAME]"
               ]
            },
            {
               "Sid":"RestrictedPermissionsViaClouderaRequestTag",
               "Effect":"Allow",
               "Action":[
                  "cloudformation:CreateStack",
                  "cloudformation:CreateChangeSet",
                  "ec2:createTags",
                  "eks:TagResource"
               ],
               "Resource":"*",
               "Condition":{
                  "StringLike":{
                     "aws:RequestTag/Cloudera-Resource-Name":[
                        "crn:cdp:*"
                     ]
                  }
               }
            },
            {
               "Sid":"RestrictedPermissionsViaClouderaResourceTag",
               "Effect":"Allow",
               "Action":[
                  "autoscaling:DetachInstances",
                  "autoscaling:ResumeProcesses",
                  "autoscaling:SetDesiredCapacity",
                  "autoscaling:SuspendProcesses",
                  "autoscaling:UpdateAutoScalingGroup",
                  "autoscaling:DeleteTags",
                  "autoscaling:TerminateInstanceInAutoScalingGroup",
                  "cloudformation:DeleteStack",
                  "cloudformation:DescribeStacks"
               ],
               "Resource":"*",
               "Condition":{
                  "StringLike":{
                     "aws:ResourceTag/Cloudera-Resource-Name":[
                        "crn:cdp:*"
                     ]
                  }
               }
            },
            {
               "Sid":"RestrictedPermissionsViaCloudFormation",
               "Effect":"Allow",
               "Action":[
                  "ec2:CreateSecurityGroup",
                  "ec2:DeleteSecurityGroup",
                  "ec2:AuthorizeSecurityGroupIngress",
                  "ec2:RevokeSecurityGroupIngress",
                  "ec2:AuthorizeSecurityGroupEgress",
                  "ec2:RevokeSecurityGroupEgress",
                  "ec2:CreateLaunchTemplate",
                  "ec2:DeleteLaunchTemplate",
                  "autoscaling:CreateAutoScalingGroup",
                  "autoscaling:DeleteAutoScalingGroup",
                  "autoscaling:CreateOrUpdateTags",
                  "autoscaling:CreateLaunchConfiguration",
                  "eks:CreateCluster",
                  "eks:DeleteCluster"
               ],
               "Resource":"*",
               "Condition":{
                  "ForAnyValue:StringEquals":{
                     "aws:CalledVia":[
                        "cloudformation.amazonaws.com"
                     ]
                  }
               }
            },
            {
               "Sid":"RestrictedEC2PermissionsViaClouderaResourceTag",
               "Effect":"Allow",
               "Action":[
                  "ec2:RebootInstances",
                  "ec2:StartInstances",
                  "ec2:StopInstances",
                  "ec2:TerminateInstances"
               ],
               "Resource":[
                  "*"
               ],
               "Condition":{
                  "ForAnyValue:StringLike":{
                     "ec2:ResourceTag/Cloudera-Resource-Name":[
                        "crn:cdp:*"
                     ]
                  }
               }
            },
            {
               "Sid":"RestrictedIamPermissionsToClouderaResources",
               "Effect":"Allow",
               "Action":[
                  "iam:PassRole"
               ],
               "Resource":[
                  "arn:aws:iam::[YOUR-ACCOUNT-ID]:role/[YOUR-IDBROKER-ROLE-NAME]",
                  "arn:aws:iam::[YOUR-ACCOUNT-ID]:role/[YOUR-LOG-ROLE-NAME]",
                  "arn:aws:iam::[YOUR-ACCOUNT-ID]:role/liftie-*-eks-service-role",
                  "arn:aws:iam::[YOUR-ACCOUNT-ID]:role/liftie-*-eks-worker-nodes",
                  "arn:aws:iam::[YOUR-ACCOUNT-ID]:role/cdp-eks-master-role",
                  "arn:aws:iam::[YOUR-ACCOUNT-ID]:role/cdp-liftie-instance-profile"
               ]
            },
            {
               "Sid":"RestrictedKMSPermissionsUsingCustomerProvidedKey",
               "Effect":"Allow",
               "Action":[
                  "kms:CreateGrant",
                  "kms:DescribeKey",
                  "kms:Encrypt",
                  "kms:Decrypt",
                  "kms:ReEncrypt*",
                  "kms:GenerateDataKey*"
               ],
               "Resource":[
                  "[YOUR-KMS-CUSTOMER-MANAGED-KEY-ARN]"
               ]
            },
            {
                "Sid": "AllowCreateDeleteTagsForSubnets",
                "Effect": "Allow",
                "Action": [
                  "ec2:CreateTags",
                  "ec2:DeleteTags"
                ],
                "Resource": [
                    "[YOUR-SUBNET-ARN-1]",
                    "[YOUR-SUBNET-ARN-2]"
                    ....    
                ]
            },
            {
               "Sid":"OtherPermissions",
               "Effect":"Allow",
               "Action":[
                  "autoscaling:DescribeScheduledActions",
                  "autoscaling:DescribeAutoScalingGroups",
                  "autoscaling:DescribeAutoScalingInstances",
                  "autoscaling:DescribeTags",
                  "autoscaling:DescribeLaunchConfigurations",
                  "autoscaling:DeleteLaunchConfiguration",
                  "autoscaling:DescribeScalingActivities",
                  "cloudformation:DescribeChangeSet",
                  "cloudformation:DeleteChangeSet",
                  "cloudformation:ExecuteChangeSet",
                  "cloudformation:CancelUpdateStack",
                  "cloudformation:ContinueUpdateRollback",
                  "cloudformation:DescribeStackEvents",
                  "cloudformation:DescribeStackResource",
                  "cloudformation:DescribeStackResources",
                  "cloudwatch:deleteAlarms",
                  "cloudwatch:putMetricAlarm",
                  "dynamodb:DescribeTable",
                  "ec2:AttachVolume",
                  "ec2:CreateNetworkInterface",
                  "ec2:CreatePlacementGroup",
                  "ec2:CreateVolume",
                  "ec2:DeleteKeyPair",
                  "ec2:DeleteNetworkInterface",
                  "ec2:DeletePlacementGroup",
                  "ec2:DeleteVolume",
                  "ec2:DescribeAccountAttributes",
                  "ec2:DescribeAvailabilityZones",
                  "ec2:DescribeImages",
                  "ec2:DescribeInstanceStatus",
                  "ec2:DescribeInstances",
                  "ec2:DescribeInstanceTypes",
                  "ec2:DescribeKeyPairs",
                  "ec2:DescribeLaunchTemplateVersions",
                  "ec2:DescribeLaunchTemplates",
                  "ec2:DescribeNetworkInterfaces",
                  "ec2:DescribePlacementGroups",
                  "ec2:DescribeRegions",
                  "ec2:DescribeRouteTables",
                  "ec2:DescribeSecurityGroups",
                  "ec2:DescribeSubnets",
                  "ec2:DescribeVolumes",
                  "ec2:DescribeVpcAttribute",
                  "ec2:DescribeVpcs",
                  "ec2:ImportKeyPair",
                  "ec2:RunInstances",
                  "ec2:ModifyInstanceAttribute",
                  "ec2:CreateLaunchTemplateVersion",
                  "eks:DescribeCluster",
                  "eks:ListUpdates",
                  "eks:UpdateClusterConfig",
                  "eks:UpdateClusterVersion",
                  "eks:DescribeUpdate",
                  "elasticloadbalancing:DescribeLoadBalancers",
                  "iam:GetRole",
                  "iam:ListRoles",
                  "iam:GetRolePolicy",
                  "iam:GetInstanceProfile",
                  "iam:ListInstanceProfiles",
                  "iam:ListRoleTags",
                  "iam:RemoveRoleFromInstanceProfile",
                  "iam:TagRole",
                  "iam:UntagRole"
               ],
               "Resource":[
                  "*"
               ]
            },
            {
               "Sid":"CfDeny",
               "Effect":"Deny",
               "Action":[
                  "cloudformation:*"
               ],
               "Resource":[
                  "*"
               ],
               "Condition":{
                  "ForAnyValue:StringLike":{
                     "cloudformation:ImportResourceTypes":[
                        "*"
                     ]
                  }
               }
            },
            {
               "Sid":"ForAutoscalingLinkedRole",
               "Effect":"Allow",
               "Action":[
                  "iam:CreateServiceLinkedRole"
               ],
               "Resource":[
                  "arn:aws:iam::[YOUR-ACCOUNT-ID]:role/aws-service-role/autoscaling-plans.amazonaws.com/AWSServiceRoleForAutoScalingPlans_EC2AutoScaling"
               ],
               "Condition":{
                  "StringLike":{
                     "iam:AWSServiceName":"autoscaling-plans.amazonaws.com"
                  }
               }
            },
            {
               "Sid":"ForEksLinkedRole",
               "Effect":"Allow",
               "Action":[
                  "iam:CreateServiceLinkedRole"
               ],
               "Resource":[
                  "arn:aws:iam::[YOUR-ACCOUNT-ID]:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForEKS"
               ],
               "Condition":{
                  "StringLike":{
                     "iam:AWSServiceName":"eks.amazonaws.com"
                  }
               }
            }
         ]
      } 
         
  3. Do the following to support the Customer Managed Key (CMK):
    1. Provide the ARN of the KMS CMK used for volume encryption in the policy statement with Sid RestrictedKMSPermissionsUsingCustomerProvidedKey.
    2. Verify that the KMS key policy for the CMK (this is separate from the IAM policy) contains the following two permission statements for AWSServiceRoleForAutoScaling:
       {
                  "Sid": "Allow Autoscaling service-linked role for attachment of persistent resources",
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": "arn:aws:iam::[YOUR-ACCOUNT-ID]:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
                  },
                  "Action": "kms:CreateGrant",
                  "Resource": "*",
                  "Condition": {
                      "Bool": {
                          "kms:GrantIsForAWSResource": "true"
                      }
                  }
              },
              {
                  "Sid": "Allow Autoscaling service-linked role use of the CMK",
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": "arn:aws:iam::[YOUR-ACCOUNT-ID]:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
                  },
                  "Action": [
                      "kms:Encrypt",
                      "kms:Decrypt",
                      "kms:ReEncrypt*",
                      "kms:GenerateDataKey*",
                      "kms:DescribeKey"
                  ],
                  "Resource": "*"
              }
      The following image of the KMS page shows the CMK with the permissions section of the policy:
  4. In the Create Cross-account Access Role section, associate the cross-account access role with the Compute Restricted IAM policy.
  5. Click Create Credential.
  6. Repeat the steps to add the Data Hub restricted policy.
    Copy the following Data Hub restricted policy into the Create Cross-account Access Policy field. Before you paste it, replace the account ID and instance-profile name in the iam:PassRole statement with your own account ID and ID Broker role, matching the [YOUR-ACCOUNT-ID] and [YOUR-IDBROKER-ROLE-NAME] placeholders used in the Compute Restricted IAM policy:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:DeleteTags",
                    "ec2:AssociateAddress",
                    "ec2:StartInstances",
                    "ec2:StopInstances",
                    "ec2:AttachVolume",
                    "ec2:DescribeAddresses",
                    "ec2:TerminateInstances",
                    "ec2:DeleteSecurityGroup"
                ],
                "Resource": "*",
                "Condition": {
                    "StringLike": {
                        "ec2:ResourceTag/Cloudera-Resource-Name": [
                            "crn:cdp:*"
                        ]
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": [
                    "cloudformation:DeleteStack",
                    "autoscaling:SuspendProcesses",
                    "autoscaling:UpdateAutoScalingGroup",
                    "autoscaling:ResumeProcesses",
                    "autoscaling:DetachInstances",
                    "autoscaling:DeleteAutoScalingGroup",
                    "rds:StopDBInstance",
                    "rds:StartDBInstance"
                ],
                "Resource": "*",
                "Condition": {
                    "StringLike": {
                        "aws:ResourceTag/Cloudera-Resource-Name": [
                            "crn:cdp:*"
                        ]
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": [
                    "cloudformation:CreateStack",
                    "cloudformation:GetTemplate",
                    "ec2:CreateTags"
                ],
                "Resource": [
                    "*"
                ],
                "Condition": {
                    "StringLike": {
                        "aws:RequestTag/Cloudera-Resource-Name": [
                            "crn:cdp:*"
                        ]
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:DeleteVolume",
                    "ec2:CreateSecurityGroup",
                    "ec2:DeleteKeyPair",
                    "ec2:DescribeKeyPairs",
                    "ec2:DescribeAvailabilityZones",
                    "ec2:DescribeImages",
                    "ec2:DeleteLaunchTemplate",
                    "ec2:DescribeVolumes",
                    "ec2:CreateVolume",
                    "ec2:DescribeInstances",
                    "ec2:DescribeRegions",
                    "ec2:DescribeInstanceTypeOfferings",
                    "ec2:DescribeInstanceTypes",
                    "ec2:DescribeRouteTables",
                    "ec2:DescribeSecurityGroups",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeVpcAttribute",
                    "ec2:DescribeVpcs",
                    "ec2:DescribeInternetGateways",
                    "ec2:DescribeVpcEndpoints",
                    "ec2:describeAddresses",
                    "ec2:DescribeNatGateways",
                    "ec2:DescribeVpcEndpointServices",
                    "ec2:ModifySubnetAttribute",
                    "ec2:ModifyVpcAttribute",
                    "ec2:CreatePlacementGroup",
                    "ec2:DescribePlacementGroups",
                    "ec2:ImportKeyPair",
                    "ec2:DescribeLaunchTemplates",
                    "ec2:CreateLaunchTemplate",
                    "ec2:RunInstances",
                    "ec2:DescribeAccountAttributes",
                    "sts:DecodeAuthorizationMessage",
                    "cloudformation:DescribeStacks",
                    "dynamodb:DeleteTable",
                    "dynamodb:DescribeTable",
                    "iam:ListInstanceProfiles",
                    "iam:ListRoles",
                    "dynamodb:ListTables",
                    "autoscaling:DescribeAutoScalingGroups",
                    "autoscaling:DescribeScalingActivities",
                    "autoscaling:CreateAutoScalingGroup",
                    "autoscaling:TerminateInstanceInAutoScalingGroup",
                    "cloudwatch:DeleteAlarms",
                    "cloudwatch:PutMetricAlarm",
                    "cloudwatch:DescribeAlarms",
                    "elasticloadbalancing:CreateLoadBalancer",
                    "elasticloadbalancing:CreateTargetGroup",
                    "elasticloadbalancing:DescribeLoadBalancers",
                    "elasticloadbalancing:DescribeTargetGroups",
                    "elasticloadbalancing:AddTags",
                    "elasticloadbalancing:RegisterTargets",
                    "elasticloadbalancing:DescribeTargetHealth",
                    "elasticloadbalancing:DescribeListeners",
                    "elasticloadbalancing:CreateListener",
                    "elasticloadbalancing:DeleteListener",
                    "elasticloadbalancing:DeleteTargetGroup",
                    "elasticloadbalancing:DeleteLoadBalancer",
                    "elasticloadbalancing:DeregisterTargets",
                    "s3:GetBucketLocation",
                    "cloudformation:DescribeStackEvents",
                    "cloudformation:DescribeStackResources",
                    "cloudformation:DescribeStackResource",
                    "cloudformation:ListStackResources",
                    "cloudformation:UpdateStack",
                    "cloudformation:GetTemplate",
                    "iam:GetInstanceProfile",
                    "iam:SimulatePrincipalPolicy",
                    "iam:GetRole",
                    "rds:AddTagsToResource",
                    "rds:CreateDBInstance",
                    "rds:CreateDBSubnetGroup",
                    "rds:DeleteDBInstance",
                    "rds:DeleteDBSubnetGroup",
                    "rds:ListTagsForResource",
                    "rds:RemoveTagsFromResource",
                    "rds:CreateDBParameterGroup",
                    "rds:DeleteDBParameterGroup",
                    "rds:DescribeEngineDefaultParameters",
                    "rds:ModifyDBParameterGroup",
                    "rds:DescribeDBParameters",
                    "rds:DescribeDBParameterGroups",
                    "rds:DescribeDBSubnetGroups",
                    "rds:DescribeDBInstances",
                    "rds:ModifyDBInstance",
                    "rds:DescribeCertificates",
                    "kms:ListKeys",
                    "kms:ListAliases",
                    "ec2:ModifyInstanceAttribute",
                    "ec2:CreateLaunchTemplateVersion"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "iam:PassRole"
                ],
                "Resource": [
                    "arn:aws:iam::786612593866:instance-profile/DFX-PM_IDBROKER_ROLE"
                ]
            },
            {
                "Sid": "IdentityAccessManagementLimited",
                "Action": [
                    "iam:CreateServiceLinkedRole"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:iam::*:role/aws-service-role/*"
                ]
            }
        ]
    }