How to set up PostgreSQL

πŸ€“ Who can do this? You will probably need your PostgreSQL administrator to run these commands β€” you may not have access yourself.

Create a database role

To configure a database role for PostgreSQL, run the following commands:

CREATE role atlan_user_role;
GRANT USAGE ON SCHEMA <schema> TO atlan_user_role;
GRANT SELECT ON ALL TABLES IN SCHEMA <schema> TO atlan_user_role;
  • Replace <schema> with the schema to which the user should have access.
🚨 Careful! You (or your administrator) will need to run these statements for each database and schema you want to crawl.

Atlan requires the following privileges:

  • USAGE:
    • Access a schema and fetch metadata. By default, users cannot access any objects in schemas that they do not own. The owner of a schema must grant the USAGE privilege on the schema to allow access.
    • Fetch the technical metadata persisted in the INFORMATION_SCHEMA.
  • SELECT privilege is only required for the following:
    • Tables β€” to fetch the ROW_COUNT of tables.
    • Table partitions β€” to fetch the PARTITION_STRATEGY and PARTITION_COUNT of table partitions.
    • Views β€” to fetch the VIEW_DEFINITION of views.
    • Columns β€” to fetch the following custom attributes: CHARACTER_OCTET_LENGTH, IS_IDENTITY, and IDENTITY_CYCLE.

These permissions will allow you to crawl metadata, preview and query data from within Atlan.

Choose authentication mechanism

Currently we support the following authentication mechanisms. You will need to choose one and configure it according to the steps below.

Basic authentication

To create a username and password for basic authentication for PostgreSQL run the following commands:

CREATE USER atlan_user password '<pass>';
GRANT atlan_user_role TO atlan_user;
  • Replace <pass> with the password for the atlan_user user you are creating.

Identity and Access Management (IAM) authentication

To configure IAM authentication for PostgreSQL follow each of these steps.

Enable IAM authentication

To enable IAM authentication for your database instance follow the steps in the Amazon RDS documentation.

When given the option, apply the changes immediately and wait until they are complete.

Create database user

To create a database user with the necessary permissions run the following commands:

  1. Connect to the database:
    psql -h {{endpoint}} -U {{username}} -d {{database}}
    • Replace {{endpoint}} with the database or cluster endpoint.
    • Replace {{username}} with the master username (admin account) for the database.
    • Replace {{database}} with the name of the database.
  2. Create a database user:
    CREATE USER {{db-username}} WITH LOGIN; 
    GRANT atlan_user_role, rds_iam TO {{db-username}};
    • Replace {{db-username}} with the name for the database user to create.

Create IAM policy

To create an IAM policy with the necessary permissions follow the steps in the AWS Identity and Access Management User Guide.

Create the policy using the following JSON:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds-db:connect"
      ],
      "Resource": [
        "arn:aws:rds-db:{{aws-region}}:{{account-id}}:dbuser:{{resource-id}}/{{db-username}}"
      ]
    }
  ]
}
  • Replace {{aws-region}} with the AWS region of your database instance.
  • Replace {{account-id}} with your account ID.
  • Replace {{resource-id}} with the resource ID.
  • Replace {{db-username}} with the username created in the previous step.

Attach IAM policy

To attach the IAM policy for Atlan's use, you have two options:

  • IAM role: Create a new role in your AWS account and attach the policy to this role. To create an AWS IAM role:
    1. Follow the steps in the AWS Identity and Access Management User Guide.
    2. When prompted for policies, attach the policy created in the previous step to this role.
    3. Raise a support ticket to provide the AWS IAM role ARN to Atlan and get the ARN of the Node Instance Role for your Atlan EKS cluster from Atlan.
    4. When prompted, create a trust relationship for the role using the following trust policy. (Replace <atlan_nodeinstance_role_arn> with the ARN received from Atlan support.)
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {"AWS": "<atlan_nodeinstance_role_arn>"},
            "Action": "sts:AssumeRole",
          }
        ]
      }
  • IAM user: Create an AWS IAM user and attach the policy to this user. To create an AWS IAM user:
    1. Follow the steps in the AWS Identity and Access Management User Guide.
    2. On the Set permissions page, attach the policy created in the previous step to this user.
    3. Once the user is created, view or download the user's access key ID and secret access key.
      🚨 Careful! This will be your only opportunity to view or download the access keys. You will not have access to them again after leaving the user creation screen.

Related articles

Was this article helpful?
1 out of 1 found this helpful