Create a database role
To configure a database role for PostgreSQL run the following commands:
CREATE role atlan_user_role;
GRANT USAGE ON SCHEMA <schema> TO atlan_user_role;
GRANT SELECT ON ALL TABLES IN SCHEMA <schema> TO atlan_user_role;- Replace
<schema>with the schema to which the user should have access.
These permissions will allow you to crawl metadata, preview and query data from within Atlan.
Choose authentication mechanism
Currently we support the following authentication mechanisms. You will need to choose one and configure it according to the steps below.
Basic authentication
To create a username and password for basic authentication for PostgreSQL run the following commands:
CREATE USER atlan_user password '<pass>';
GRANT atlan_user_role TO atlan_user;- Replace
<pass>with the password for theatlan_useruser you are creating.
Identity and Access Management (IAM) authentication
To configure IAM authentication for PostgreSQL follow each of these steps.
Enable IAM authentication
To enable IAM authentication for your database instance follow the steps in the Amazon RDS documentation.
When given the option, apply the changes immediately and wait until they are complete.
Create database user
To create a database user with the necessary permissions run the following commands:
- Connect to the database:
psql -h {{endpoint}} -U {{username}} -d {{database}}- Replace
{{endpoint}}with the database or cluster endpoint. - Replace
{{username}}with the master username (admin account) for the database. - Replace
{{database}}with the name of the database.
- Replace
- Create a database user:
CREATE USER {{db-username}} WITH LOGIN; GRANT atlan_user_role, rds_iam TO {{db-username}};- Replace
{{db-username}}with the name for the database user to create.
- Replace
Create IAM policy
To create an IAM policy with the necessary permissions follow the steps in the AWS Identity and Access Management User Guide.
Create the policy using the following JSON:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds-db:connect"
],
"Resource": [
"arn:aws:rds-db:{{aws-region}}:{{account-id}}:dbuser:{{resource-id}}/{{db-username}}"
]
}
]
}- Replace
{{aws-region}}with the AWS region of your database instance. - Replace
{{account-id}}with your account ID. - Replace
{{resource-id}}with the resource ID. - Replace
{{db-username}}with the username created in the previous step.
Attach IAM policy
To attach the IAM policy for Atlan's use, you have two options:
- Create a new role in your AWS account and attach the policy to this user. To create an AWS IAM role:
- Follow the steps in the AWS Identity and Access Management User Guide.
- When prompted for policies, attach the policy created in the previous step to this role.
- Raise a support ticket to provide the AWS IAM role ARN to Atlan and get the ARN of the Node Instance Role for your Atlan EKS cluster from Atlan.
- When prompted, create a trust relationship for the role using the following trust policy. (Replace
<atlan_nodeinstance_role_arn>with the ARN received from Atlan support.)
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": {"AWS": "<atlan_nodeinstance_role_arn>"}, "Action": "sts:AssumeRole", } ] }
- Create an AWS IAM user and attach the policy to this user. To create an AWS IAM user:
- Follow the steps in the AWS Identity and Access Management User Guide.
- On the Set permissions page, attach the policy created in the previous step to this user.
- Once the user is created, view or download the user's access key ID and secret access key).
π¨ Careful! This will be your only opportunity to view or download the access keys. You will not have access to them again after leaving the user creation screen.
