Creating an IAM Role for Granting Access to Compute Resources
Create an IAM role in the AWS Console as part of either of these tasks:
- Configuring compute settings when you are connecting your AWS account to Dremio Cloud manually during the sign-up process for Dremio Cloud.
- Adding a cloud to a project
Before following these steps, ensure that you have copied Dremio Cloud's policy JSON for compute settings from either of the locations listed above.
To create an IAM role for granting Dremio Cloud access to compute resources in your AWS cloud:
Prerequisites
Retrieve the following information from your Dremio account before creating an AWS IAM role. You will need the Trust Account ID and the External ID in order to successfully create the role.
- Sign in to your Dremio Cloud account.
- From the side navigation bar, click the Settings (gear) icon and select Organization Settings.
- From the Organization Settings menu, select Clouds.
- From the Clouds page, select the Cloud that you are creating the IAM role for by clicking the Edit (pencil) icon.
- In the Edit Cloud dialog box, under Compute Settings > Compute Credentials, click the drop-down menu arrow and select IAM Role.
The Trust Account ID and External ID fields will display. You will need to provide these IDs when you create the AWS IAM role.
Creating an AWS IAM Role
To create an AWS IAM role:
- Sign in to the AWS Identity and Access Management (IAM) console.
- From the left menu pane, under Access management, select Roles.
- On the Roles page, click Create role.
- On the Select trusted entity page, do the following:
  - Under Trusted entity type, select the radio button for AWS account.
  - Under An AWS account, select Another AWS account.
  - In the Account ID field, enter your Dremio Trust Account ID.
  - Under Options, select the checkbox for Require external ID.
  - In the External ID field, enter your Dremio External ID.
- Click Next to go to the Add permissions page. No edits are needed to this page.
- Click Next to go to the Name, review, and create page.
- In the Role details section, in the Role name field, enter a name for this role.
- Click Create Role.
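The trusted-entity settings above become the role's trust policy: the Dremio Trust Account ID is the only principal allowed to assume the role, and only when the External ID is supplied. The following Python check is an added example, not part of Dremio's documentation; it audits a trust policy document (for instance, one copied from the role's Trust relationships tab) against those two IDs. The account ID, external ID and policy documents in it are constructed samples.

```python
import json

TRUST_ACCOUNT_ID = "123456789012"    # constructed sample; use the ID from the Edit Cloud dialog
EXTERNAL_ID = "example-external-id"  # constructed sample

def as_list(value):
    return value if isinstance(value, list) else [value]  # IAM allows string or list

def principal_account(principal):
    """Return the account ID from a bare 12-digit ID or an IAM ARN, else None."""
    if len(principal) == 12 and principal.isdigit():
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" and parts[2] == "iam" else None

def audit_trust_policy(policy_json, trust_account_id, external_id):
    """Return findings for a role trust policy; an empty list means it matches."""
    findings, allows = [], 0
    for i, stmt in enumerate(as_list(json.loads(policy_json)["Statement"])):
        actions = set(as_list(stmt.get("Action", [])))
        if stmt.get("Effect") != "Allow" or not actions & {"sts:AssumeRole", "sts:*", "*"}:
            continue
        allows += 1
        principal = stmt.get("Principal")
        aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if not aws or len(principal) > 1:
            findings.append(f"statement {i}: principal is not limited to AWS accounts")
        for p in aws:
            if principal_account(p) != trust_account_id:
                findings.append(f"statement {i}: unexpected principal {p}")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ids = [v for k, val in equals.items() if k.lower() == "sts:externalid" for v in as_list(val)]
        if ids != [external_id]:
            findings.append(f"statement {i}: sts:ExternalId missing or not the expected value")
    if allows == 0:
        findings.append("no statement allows sts:AssumeRole")
    return findings

def make_policy(account_id, condition):  # builds a constructed trust policy document
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"}}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

GOOD = make_policy(TRUST_ACCOUNT_ID, {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}})
NO_EXTERNAL_ID = make_policy(TRUST_ACCOUNT_ID, None)

if __name__ == "__main__":
    print(audit_trust_policy(GOOD, TRUST_ACCOUNT_ID, EXTERNAL_ID), audit_trust_policy(NO_EXTERNAL_ID, TRUST_ACCOUNT_ID, EXTERNAL_ID))
```

A role that trusts the account but omits the `sts:ExternalId` condition is flagged, since the external ID is what ties the role to your Dremio organization rather than to any caller in the trusted account.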
To add a policy to the role:
- On the Roles page, click the Role name. Use the Search field to locate the role, if needed.
- From the role page, in the Permissions section, click Add permissions > Create inline policy.
- On the Create Policy page, click the JSON tab.
- Delete the current JSON and enter Dremio's policy JSON. The policy grants Dremio Cloud the necessary permissions to your AWS account. You can click the Copy to clipboard icon to copy and paste the policy.
- Click Review policy.
- On the Review policy page, in the Name field, enter a name for the policy.
- Click Create policy. The policy is created and you are returned to the Roles page.
- Under the Summary section, copy the role's ARN (for example, arn:aws:iam::123456789012:role/dremiouseriamrole) and save it in a location that you can retrieve later. You will need to provide this ARN when you are configuring your Dremio account.