Configuring AWS IAM Permissions and IAM Roles

Prerequisites

  • AWS Account
  • Permissions to create IAM Policies and IAM Roles

To configure and manage Dremio projects, the EC2 instance from which you do so must have an IAM role attached, and that role needs a specific set of permissions. We suggest granting the actions below with the narrowest resource scope that works and, wherever the action supports it, a condition. The only condition the policy relies on is a tag on every resource it touches (checked as ResourceTag on resources that already exist and as RequestTag on resources being created) with the following key and value:

Key: dremio_managed

Value: true

The policy below lists the actions you need. Replace the `***` placeholders in the ARNs with your region and account ID (leaving them as `*` also works, at the cost of a wider scope), and leave the trailing `*` resource-ID wildcards as they are. Image and snapshot ARNs carry no account ID, which is why those ARNs contain `::`. For more detail about the ARN fields, refer to the AWS documentation on ARNs; the general form is:

  • arn:partition:service:region:account-id:resource-type/resource-id

JSON policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:DeleteVolume",
      "Resource": "arn:aws:ec2:***:***:volume/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/dremio_managed": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AttachVolume",
        "ec2:DetachVolume",
        "ec2:ReplaceIamInstanceProfileAssociation",
        "ec2:TerminateInstances"
      ],
      "Resource": [
        "arn:aws:ec2:***:***:instance/*",
        "arn:aws:ec2:***:***:volume/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/dremio_managed": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:DeleteSnapshot",
      "Resource": "arn:aws:ec2:***::snapshot/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/dremio_managed": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticfilesystem:CreateMountTarget",
        "elasticfilesystem:DeleteFileSystem",
        "elasticfilesystem:DeleteMountTarget"
      ],
      "Resource": "arn:aws:elasticfilesystem:***:***:file-system/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/dremio_managed": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "elasticfilesystem:CreateFileSystem",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/dremio_managed": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateVolume",
      "Resource": "arn:aws:ec2:***:***:volume/*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/dremio_managed": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:***:***:volume/*",
        "arn:aws:ec2:***:***:instance/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/dremio_managed": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:***::image/*",
        "arn:aws:ec2:***:***:network-interface/*",
        "arn:aws:ec2:***:***:security-group/*",
        "arn:aws:ec2:***:***:subnet/*",
        "arn:aws:ec2:***:***:key-pair/*",
        "arn:aws:ec2:***:***:placement-group/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateSnapshot",
      "Resource": "arn:aws:ec2:***::snapshot/*",
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/dremio_managed": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateSnapshot",
      "Resource": "arn:aws:ec2:***:***:volume/*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/dremio_managed": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:***:***:volume/*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "CreateVolume"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": "arn:aws:ec2:***::snapshot/*",
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "CreateSnapshot"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": [
        "arn:aws:ec2:***:***:instance/*",
        "arn:aws:ec2:***:***:volume/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "RunInstances"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:CreatePlacementGroup",
        "ec2:DeletePlacementGroup"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeIamInstanceProfileAssociations",
        "ec2:DescribeImages",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribePlacementGroups",
        "ec2:DescribeSnapshots",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVolumes"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticfilesystem:DescribeFileSystems",
        "elasticfilesystem:DescribeMountTargets"
      ],
      "Resource": "arn:aws:elasticfilesystem:***:***:file-system/*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:GetInstanceProfile",
      "Resource": "arn:aws:iam::***:instance-profile/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetPolicy",
        "iam:GetPolicyVersion"
      ],
      "Resource": "arn:aws:iam::***:policy/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:ListRolePolicies"
      ],
      "Resource": "arn:aws:iam::***:role/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:SimulateCustomPolicy",
        "s3:HeadBucket",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::dremio-me-*/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:PutBucketTagging"
      ],
      "Resource": "arn:aws:s3:::dremio-me-*"
    }
  ]
}

After the policy is created, create the role and attach the policy to it. The role then also needs iam:GetRole and iam:PassRole on itself: iam:PassRole is what allows the instance to launch other instances that carry this role's instance profile, so scope it to this one role rather than to role/*. Add these two actions either as a separate inline policy on the role, as shown below, or as one more statement in the policy above. In either case, replace the placeholder in the resource ARN with the name of the role you created.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::***:role/*role-id-here*"
    }
  ]
}
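Before attaching these policies it helps to see what the tag conditions actually do. The following Python script is an added example, not Dremio's code: it evaluates a handful of requests against an excerpt of the two policies above, with the `***` placeholders filled in with a sample region and account (`us-east-1`, `123456789012`) and the PassRole placeholder replaced by an assumed role name, `DremioInstanceRole`. It models only the subset of IAM evaluation these policies use (Allow and Deny statements, `*`/`?` wildcards, `StringEquals` on tag keys and on `ec2:CreateAction`); the authoritative check is the IAM policy simulator, which is why the policy itself grants `iam:SimulateCustomPolicy`.

```python
import re

# Constructed excerpt of the page's policies with sample region/account and role name.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:DeleteVolume",
         "Resource": "arn:aws:ec2:us-east-1:123456789012:volume/*",
         "Condition": {"StringEquals": {"ec2:ResourceTag/dremio_managed": "true"}}},
        {"Effect": "Allow", "Action": "ec2:CreateTags",
         "Resource": "arn:aws:ec2:us-east-1:123456789012:volume/*",
         "Condition": {"StringEquals": {"ec2:CreateAction": "CreateVolume"}}},
        {"Effect": "Allow", "Action": "ec2:RunInstances",
         "Resource": "arn:aws:ec2:us-east-1::image/*"},
        {"Effect": "Allow", "Action": ["iam:GetRole", "iam:PassRole"],
         "Resource": "arn:aws:iam::123456789012:role/DremioInstanceRole"},
    ],
}

VOLUME = "arn:aws:ec2:us-east-1:123456789012:volume/vol-0123456789abcdef0"  # sample ARN


def _wild(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _conditions_hold(condition, context):
    """Only StringEquals is modelled. A key absent from the request context fails the test,
    which is exactly how an untagged resource is denied."""
    for operator, clauses in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, wanted in clauses.items():
            actual = context.get(key)
            if actual is None or actual not in _as_list(wanted):
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return True if the request is allowed: an explicit Deny wins, otherwise any
    matching Allow wins, otherwise the request is implicitly denied."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_wild(a, action, ignore_case=True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wild(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def run_checks():
    """Requests an operator would want to confirm; returns {description: allowed}."""
    tagged = {"ec2:ResourceTag/dremio_managed": "true"}
    return {
        "delete tagged volume": evaluate(POLICY, "ec2:DeleteVolume", VOLUME, tagged),
        "delete untagged volume": evaluate(POLICY, "ec2:DeleteVolume", VOLUME),
        "delete volume tagged false": evaluate(
            POLICY, "ec2:DeleteVolume", VOLUME, {"ec2:ResourceTag/dremio_managed": "false"}),
        "tag volume at creation": evaluate(
            POLICY, "ec2:CreateTags", VOLUME, {"ec2:CreateAction": "CreateVolume"}),
        "retag existing volume": evaluate(POLICY, "ec2:CreateTags", VOLUME),
        "launch from any AMI": evaluate(
            POLICY, "ec2:RunInstances", "arn:aws:ec2:us-east-1::image/ami-0abcdef1234567890"),
        "pass the Dremio role": evaluate(
            POLICY, "iam:PassRole", "arn:aws:iam::123456789012:role/DremioInstanceRole"),
        "pass another role": evaluate(
            POLICY, "iam:PassRole", "arn:aws:iam::123456789012:role/AdminRole"),
    }


if __name__ == "__main__":
    for description, allowed in run_checks().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {description}")
```

The two results worth dwelling on are "retag existing volume" and "pass another role". Because ec2:CreateTags is conditioned on ec2:CreateAction, the role can only tag resources it is creating at that moment; a compromised instance cannot pull somebody else's volume into scope by tagging it dremio_managed = true and then deleting it. Likewise, scoping iam:PassRole to a single role ARN stops the instance from launching new instances under a more privileged role.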

Follow these steps to create the IAM role

Step 1: Log on to your AWS account and open the IAM service. From the dashboard, go to "Policies" and click "Create policy".

Step 2: Copy the entire JSON policy defined above, open the "JSON" tab and paste it in, with no trailing whitespace. Modify it as required, then click "Review policy".

Step 3: Give the policy a name and click "Create policy".

Step 4: With the policy created, go back to the dashboard, navigate to "Roles" and click "Create role".

Step 5: Select "AWS service", choose "EC2" from the use cases and click "Next". This sets the role's trust policy so that EC2 instances can assume it, and the console creates a matching instance profile for you.

Step 6: In the "Filter policies" box, type the name of the policy you just created, select it and click "Next".

Step 7: Add tags to the role if you want them and click "Next". Give the role a name and click "Create role".

Step 8: Now that the role exists, the last step is to add the Get/Pass role permissions. Open the role and click "Add inline policy".

Step 9: Click the "JSON" tab and paste the second JSON policy from above. Make sure to replace the placeholder in the resource ARN with the name of this role.

Step 10: Give the inline policy a name and click "Create policy".

Step 11: The policy and the role are now created, and the role can be attached to the instance.
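The same procedure can be driven from the IAM API instead of the console. The script below is an added example (not Dremio's tooling) that performs Steps 1 to 11 with boto3: it creates the managed policy from the JSON on this page saved to a file, creates the role with the EC2 trust policy that the console adds for the "EC2" use case, attaches the policy, adds the Get/PassRole inline policy scoped to the role's own ARN, and creates the instance profile, which the console does implicitly but the API does not. The role and policy names, the account ID in the tests and the file name `dremio-policy.json` are assumptions; running it for real needs credentials that are allowed to create IAM policies and roles.

```python
import json
import sys

# Trust policy the console attaches when you pick "AWS service / EC2" in Step 5.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def role_arn(account_id, role_name):
    """Role ARNs are deterministic, so the PassRole policy can be built before the role exists."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def passrole_policy(account_id, role_name):
    """The second policy from the page, with the placeholder replaced by the exact role ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["iam:GetRole", "iam:PassRole"],
            "Resource": role_arn(account_id, role_name),
        }],
    }


def parse_policy_document(text):
    """Parse the managed policy JSON and refuse any *** placeholder left in an ARN."""
    if "***" in text:
        raise ValueError("replace the *** placeholders with your region and account id first")
    return json.loads(text)


def provision(iam, account_id, policy_document,
              role_name="DremioInstanceRole", policy_name="DremioManagedPolicy"):
    """Steps 1-11 through the IAM API. Returns the instance profile ARN to attach to the instance."""
    created = iam.create_policy(PolicyName=policy_name,
                                PolicyDocument=json.dumps(policy_document))
    iam.create_role(RoleName=role_name,
                    AssumeRolePolicyDocument=json.dumps(TRUST_POLICY),
                    Tags=[{"Key": "dremio_managed", "Value": "true"}])  # optional, as in Step 7
    iam.attach_role_policy(RoleName=role_name, PolicyArn=created["Policy"]["Arn"])
    # Inline Get/PassRole policy scoped to this one role (Steps 8-10).
    iam.put_role_policy(RoleName=role_name, PolicyName="DremioPassRole",
                        PolicyDocument=json.dumps(passrole_policy(account_id, role_name)))
    # The console creates an instance profile for the EC2 use case; the API does not.
    profile = iam.create_instance_profile(InstanceProfileName=role_name)
    iam.add_role_to_instance_profile(InstanceProfileName=role_name, RoleName=role_name)
    return profile["InstanceProfile"]["Arn"]


if __name__ == "__main__":
    import boto3  # only needed when actually provisioning
    path = sys.argv[1] if len(sys.argv) > 1 else "dremio-policy.json"  # assumed file name
    with open(path) as fh:
        document = parse_policy_document(fh.read())
    account = boto3.client("sts").get_caller_identity()["Account"]
    print(provision(boto3.client("iam"), account, document))
```

Note that the PassRole resource is built from the account ID and role name rather than a wildcard, and that the script refuses a policy file in which the `***` placeholders were never replaced, since IAM would otherwise reject the ARNs at create-policy time.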


Troubleshooting

If you see one of the following error messages, the action named in it is either missing from your policy or is scoped to resources or conditions that do not match the request. Check the resource ARNs and conditions against the policy described above, and check that the instance itself carries the dremio_managed = true tag:

  1. "You are not authorized to perform the following action(s): iam:GetRole, ec2:DeleteVolume. Please add these permissions to your IAM instance profile to continue."
  2. "You are not authorized to perform this action: Service:Action", e.g. "You are not authorized to perform this action: ec2:DeleteVolume"
  3. "If you are using the Dremio recommended IAM policy, it looks like you have not added the dremio_managed tag to this instance, which is required for that IAM policy to work. Please add the tag "dremio_managed = true" to this instance."
