Configure Cross-account Catalog to Access AWS Hive Metastore

To connect your e6data Workspace to a Hive Metastore and S3 data source in a different cloud account, please follow the steps below:

This guide assumes:

  • the e6data Workspace (clusters/compute) is installed in a cloud account named Account A.

  • the AWS Glue metastore & S3 data stores are located in a different cloud account named Account B.

  • Both Account A & Account B are in the same AWS region.

Step 1: Create policies to access Hive & S3 data sources in Account B

  1. Sign in to the Account B AWS Console.

  2. Search for IAM.

  3. In the navigation pane, choose Roles.

  4. Click Create role.

  5. Under Select type of trusted entity, choose AWS account.

  6. Click on Another AWS account to enter the Account ID.

  7. Enter the account ID of Account A.

  8. Click Next: Permissions.

  9. Attach the below policy to the role.

  10. Replace the ARN of the S3 bucket/s containing the data.

S3 & Hive Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::EXAMPLE-BUCKET/*",
        "arn:aws:s3:::EXAMPLE-BUCKET"
      ],
      "Effect": "Allow"
    }
  ]
}
  • Click Next: Add tags.

  • Optional: You can add tags to the role. Or leave these fields blank, and click Next: Review.

  • Enter a Role name that follows your organization's naming convention.

  • Click Create role.

  1. Copy the ARN of the newly created role.

Step 2: Configure access in Account A

  • In Account B, copy the ARN of the role created in

  • Sign in to the Account A AWS Console.

  • Create a policy and choose the JSON view.

  • Replace the ARN with the ARN of the role created in Account B.

  • Copy & paste the edited

  • In Account A, attach the policy created in Step 3 to:

    e6data_engine_role (e6data-workspace-<workspace_name>-engine-role)

STS Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::ACCOUNT_B_ID:role/ROLENAME"
    }
  ]
}

Last updated