Bring Your Own Project Store

To enable secure access between Dremio and your AWS environment, you must create an AWS Identity and Access Management (IAM) role with specific permissions and a trust relationship that allows Dremio’s AWS account to assume that role. The IAM policy and trust configuration are detailed below.

Create Your IAM Role

You will create an IAM Role in your AWS account that grants Dremio the permissions it needs to access your S3 bucket.

Attach the following policy to the role and replace <bucket-name> with the name of your own S3 bucket.

IAM Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket-name>",
        "arn:aws:s3:::<bucket-name>/*"
      ]
    }
  ]
}

The first statement allows Dremio to find buckets in your account.

  • ListAllMyBuckets – Allows Dremio to discover your buckets when validating connectivity.
  • GetBucketLocation – Allows Dremio to discover your bucket's location.

The second statement allows Dremio to work with the data in your bucket.

  • PutObject / GetObject / DeleteObject – Allows Dremio to read, write, and delete data within the bucket.
  • ListBucket – Allows Dremio to enumerate objects in the bucket.

Define the Trust Relationship

The trust relationship determines which AWS account (in this case, Dremio’s) is permitted to assume your IAM role.

Attach the following policy to the role.

Dremio's US trust account ID is 894535543691.

Trust Relationship
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::894535543691:root"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:TagSession"
      ]
    }
  ]
}

  • AssumeRole - Allows Dremio to assume the provided role.
  • TagSession - Allows Dremio to pass identifying tags during role assumption, enabling improved tracking and auditing across accounts.

Validate Role Configuration

  1. In the AWS Console, navigate to IAM → Roles → [Your Role Name].

  2. Confirm that:

    • The permissions policy matches the example above.
    • The trust relationship allows the Dremio AWS account as the trusted principal.
    • Both sts:AssumeRole and sts:TagSession actions are present.
  3. If Dremio provided an AWS account ID or specific region endpoint, ensure these match your configuration.
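The checks in step 2 can also be run offline against the role's policy documents once they are exported as JSON (for example, the AssumeRolePolicyDocument returned by aws iam get-role). The script below is an added example, not Dremio's own tooling; validate_role, its helpers and the sample policies are constructed for illustration, and it assumes the US trust account ID given above.

```python
DREMIO_US_ACCOUNT = "894535543691"  # trust account ID stated on this page
REQUIRED_STS = {"sts:assumerole", "sts:tagsession"}
DISCOVERY = {"s3:getbucketlocation", "s3:listallmybuckets"}
DATA = {"s3:putobject", "s3:getobject", "s3:listbucket", "s3:deleteobject"}

def _list(value):
    # IAM accepts a bare string (or single object) wherever it accepts a list.
    return value if isinstance(value, list) else [value]

def _allow_statements(doc):
    for stmt in _list(doc.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            # Action names are case-insensitive in IAM, so compare lowercased.
            yield stmt, {a.lower() for a in _list(stmt.get("Action", []))}

def validate_role(trust, perms, bucket):
    """Return findings; an empty list means the role matches the policies above."""
    findings, sts_granted, s3_granted = [], set(), set()
    dremio = {DREMIO_US_ACCOUNT, f"arn:aws:iam::{DREMIO_US_ACCOUNT}:root"}
    for stmt, actions in _allow_statements(trust):
        principal = stmt.get("Principal", {})
        names = _list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for name in names:
            if name in dremio:
                sts_granted |= actions
            else:  # any other account, or "*", widens who can assume the role
                findings.append(f"trust: unexpected principal {name}")
    bucket_arns = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt, actions in _allow_statements(perms):
        resources = set(_list(stmt.get("Resource", [])))
        if actions & DATA and resources != bucket_arns:
            findings.append(f"perms: data actions granted on {sorted(resources)}")
        else:
            s3_granted |= actions
    for missing in sorted(REQUIRED_STS - sts_granted):
        findings.append(f"trust: missing {missing}")
    for missing in sorted((DISCOVERY | DATA) - s3_granted):
        findings.append(f"perms: missing {missing}")
    return findings

# Constructed sample: trust policy that omits sts:TagSession, and data access on "*".
SAMPLE_TRUST = {"Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::894535543691:root"}, "Action": "sts:AssumeRole"}]}
SAMPLE_PERMS = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"}]}

if __name__ == "__main__":
    for finding in validate_role(SAMPLE_TRUST, SAMPLE_PERMS, "example-bucket"):
        print(finding)
```

Wildcard actions such as s3:* are reported as missing rather than expanded, because the check is for an exact match with the policy shown above.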

Provide Role ARN to Dremio

Once your role is created and validated:

  • Copy the Role ARN (e.g. arn:aws:iam::<your-account-id>:role/<role-name>).

  • Provide this ARN to Dremio via the Create Project flow.

This allows Dremio to assume the role securely and begin reading/writing data to your S3 bucket.

To enhance security and keep data traffic within AWS’s private network, Dremio supports integration via AWS PrivateLink with DNS-based endpoint resolution.

To enable:

  • Ensure your AWS environment has PrivateLink endpoints configured for the required services.

  • Verify that DNS resolution is enabled so that Dremio can route traffic to your private endpoints.

  • Confirm connectivity by testing the endpoint using your VPC configuration.