Cloud Resources

The Cloud Resource component is a cross-account role that facilitates access to the user's S3 buckets and Glue catalog for workspace and cluster-level components.

Create Cloud Resource

  1. Enter a name for your cloud resource.

  2. Click on the provided link to be redirected to your AWS CloudFormation page.

  3. Review the inputs on the AWS CloudFormation page and proceed by executing the script. The following inputs are available in AWS CloudFormation:

    1. BucketNames

    2. VPCEndpointId

    3. E6dataAccountId

    4. ExternalId

  4. CloudFormation creates certain permissions when the script is executed. The following permissions are included:

    1. Lambda Permissions:

      • Creates AWS::Lambda::Permission (LambdaInvokePermission) to allow a Lambda function to execute.

    2. IAM Role for Lambda:

      • Creates an IAM role (LambdaExecutionRole) that allows the Lambda function to create IAM policies, attach them to the cross-account role, and update bucket policies.

    3. Manage Bucket Policies Lambda:

      • Deploys a Lambda function (ManageBucketPoliciesLambda) that creates bucket policies for the specified buckets (or for all buckets if * is provided). These policies allow clusters to access data via a VPC endpoint.

      • Additionally, the Lambda function creates a policy that allows the cross-account role to access the specified buckets.

    4. Custom Resource:

      • Creates a custom resource (ManageBucketPoliciesCustomResource) that triggers the Lambda function, accepting inputs such as BucketNames, VPCEndpointId, CrossAccountGlueRole, and Random.

    5. Cross-Account IAM Role:

      • Establishes a cross-account IAM role (CrossAccountGlueRole) with policies (GlueCrossAccountPolicy and e6data-cross-account-s3-policy) that grant Glue and S3 access. Roles in the e6data account assume this role.

  5. After successful execution, the output panel of CloudFormation will display the Cross-Account IAM Role and any failed buckets. The customer needs to update the Cross-Account IAM Role in the e6data UI.

Manual Creation of Roles (optional)

Cross-Account Role Creation in the User Account: We create a cross-account role in the customer's account with the following access policies and a trust policy:

  • S3 Bucket Policy: This policy grants the necessary permissions for the engine to access data stored in S3 buckets.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectTagging",
        "s3:GetObjectVersion",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::<BUCKET>/*",
        "arn:aws:s3:::<BUCKET>/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::<BUCKET>",
        "arn:aws:s3:::<BUCKET>"
      ]
    }
  ]
}
  • Glue Policy: This policy allows e6data to access the Glue catalog for querying databases and tables.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabase*",
        "glue:GetTable*",
        "glue:GetPartitions"
      ],
      "Resource": "*"
    }
  ]
}
  • Trust Policy: This policy permits e6data's account to assume the cross-account role. It includes an ExternalId condition, so only a caller that presents that value can assume the role (the standard mitigation for the confused-deputy problem in cross-account access).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::298655976287:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "FB5441BD-CDCE-4258-A161-680434024805"
        }
      }
    }
  ]
}
  • Additionally, when the CloudFormation stack is deleted, this role, along with its associated access and trust policies, will be automatically removed.

  • Bucket Access Policy: e6data creates a bucket access policy that allows it to access the S3 bucket via a VPC endpoint. This ensures that data is transmitted within AWS's internal network rather than over the public internet. The statement is appended to the existing bucket policy, and on cleanup only the newly added statement is removed, so your current bucket policy is not disrupted. Note that the statement's Principal and Action are both wildcards; the aws:SourceVpce condition alone scopes it to requests arriving through the named endpoint.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::<BUCKET>/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpce": "<E6DATA_VPC_ENDPOINT>"
        }
      }
    }
  ]
}
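As an added example (not e6data's own Lambda code), the append-and-remove behaviour described for the Bucket Access Policy, written as pure functions on the policy document so it runs offline. The Sid used to tag the statement, the sample pre-existing customer policy, and the endpoint id are assumptions for this example.

```python
import copy
from typing import Optional

# Sid tagging the e6data statement so that only it is removed on stack deletion (assumed name).
E6DATA_SID = "E6dataVpcEndpointAccess"

def vpce_statement(bucket: str, vpce_id: str) -> dict:
    """The page's Bucket Access Policy statement, tagged with a Sid."""
    return {
        "Sid": E6DATA_SID,
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": vpce_id}},
    }

def _statements(policy: dict) -> list:
    # "Statement" may be a single object rather than a list; normalise to a list.
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)

def append_statement(existing: Optional[dict], bucket: str, vpce_id: str) -> dict:
    """Return a new policy with the endpoint statement appended; other statements are untouched."""
    policy = copy.deepcopy(existing) if existing else {"Version": "2012-10-17"}
    # Idempotent: an earlier copy with the same Sid is replaced, never duplicated.
    kept = [s for s in _statements(policy) if s.get("Sid") != E6DATA_SID]
    policy["Statement"] = kept + [vpce_statement(bucket, vpce_id)]
    return policy

def remove_statement(existing: dict) -> Optional[dict]:
    """Return the policy without the tagged statement, or None when nothing remains."""
    policy = copy.deepcopy(existing)
    kept = [s for s in _statements(policy) if s.get("Sid") != E6DATA_SID]
    if not kept:
        return None  # caller should delete the bucket policy rather than write an empty one
    policy["Statement"] = kept
    return policy

# Constructed sample: a customer's pre-existing policy that must survive both operations.
SAMPLE_EXISTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
                   "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
                   "Condition": {"Bool": {"aws:SecureTransport": "false"}}}],
}

# With boto3 (not imported so the example runs offline): get_bucket_policy()["Policy"] -> json.loads ->
# append/remove -> json.dumps -> put_bucket_policy(); call delete_bucket_policy() when remove returns None.
```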
