Configuring Knox IDBroker session policies for AWS credentials

Learn how to configure Knox IDBroker session policies to restrict permissions for temporary AWS credentials.

Knox IDBroker can be configured with AWS session policies that restrict the permissions granted when temporary cloud credentials are requested for an IAM role. IDBroker passes the session policy to Amazon STS along with the AssumeRole request, and the credentials STS returns carry the intersection of the role's identity-based policy and the session policy. A session policy can only narrow what the role already allows; it cannot grant a permission the role's own policy does not.

Configure IDBroker session policies in Cloudera Manager so that they are managed centrally across all IDBroker instances and the policy definitions persist across restarts, upgrades, and other configuration redeployments.

  1. In Cloudera Manager, select the Knox service.
  2. Go to the Configuration tab.
  3. Find the Knox IDBroker Advanced Configuration Snippet (Safety Valve) for conf/cdp-resources.xml.
  4. Click the + icon to add a property named sessionPolicyTemplate:[***POLICY NAME***] and set its value to the session policy document (an IAM policy in JSON format).

    Replace [***POLICY NAME***] with the name you want to give the session policy template.

    Figure 1. Knox IDBroker Advanced Configuration Snippet (Safety Valve) for conf/cdp-resources.xml


  5. Click the Save Changes (CTRL+S) button.
  6. Refresh the configuration of the Knox instances by clicking the Stale Configuration: Refresh needed indicator and wait until the refresh completes.
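The following is an added example of what the safety-valve entry from steps 3 and 4 looks like in the cdp-resources.xml form; it is not taken from the original page or from Cloudera's own configuration. The template name s3-readonly-analytics, the bucket example-datalake-bucket and the prefix analytics/ are placeholders chosen for this illustration. The policy limits temporary credentials to listing and reading objects under one prefix, which is the typical reason to add a session policy on top of a broader data-lake role.

```xml
<!-- Added example, not from the original page. The template name, bucket and
     prefix are placeholders. In Cloudera Manager this corresponds to one
     Name/Value pair added with the + icon in the safety valve. -->
<property>
  <name>sessionPolicyTemplate:s3-readonly-analytics</name>
  <value>
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "ListOnlyTheAnalyticsPrefix",
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::example-datalake-bucket",
        "Condition": {
          "StringLike": { "s3:prefix": [ "analytics/*" ] }
        }
      },
      {
        "Sid": "ReadObjectsUnderAnalytics",
        "Effect": "Allow",
        "Action": [ "s3:GetObject", "s3:GetObjectVersion" ],
        "Resource": "arn:aws:s3:::example-datalake-bucket/analytics/*"
      }
    ]
  }
  </value>
</property>
```

Two checks are worth making before saving. First, the effective permissions are the intersection with the role: if the IAM role behind IDBroker does not itself allow s3:GetObject on that bucket, this template will not add it, and conversely any action the role allows but the template omits (such as s3:PutObject) is denied for the session. Second, STS rejects AssumeRole requests whose inline session policy exceeds 2,048 characters of plaintext, so keep templates short and avoid pasting in a full copy of the role policy.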