How to set up AWS Glue

Have more questions? Submit a request
πŸ€“ Who can do this? You will probably need your AWS Glue administrator to run these commands β€” you may not have access yourself.
πŸ’ͺ Did you know? Prefixing all resources created for Atlan with atlan- will help you better identify them. You should also add AWS tags and descriptions to these resources for later reference.

Create IAM policy

To create an IAM policy with the necessary permissions follow the steps in the AWS Identity and Access Management User Guide.

Create the policy using the following JSON:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "glue:GetTables",
        "glue:GetDatabases",
        "glue:GetTable",
        "glue:GetDatabase",
        "glue:SearchTables",
        "glue:GetTableVersions",
        "glue:GetTableVersion",
        "glue:GetPartition",
        "glue:GetPartitions",
        "glue:GetUserDefinedFunctions",
        "glue:GetUserDefinedFunction"
      ],
      "Resource": [
        "arn:aws:glue:<region>:<account_id>:tableVersion/*/*/*",
        "arn:aws:glue:<region>:<account_id>:table/*/*",
        "arn:aws:glue:<region>:<account_id>:catalog",
        "arn:aws:glue:<region>:<account_id>:database/*"
      ]
    }
  ]
}
  • Replace <region> with the AWS region of your Glue instance.
  • Replace <account_id> with your account ID.

Choose authentication mechanism

Using the policy created above, configure one of the following options for authentication.

User-based authentication

To configure user-based authentication:

  1. Create an AWS IAM user by following the steps in the AWS Identity and Access Management User Guide.
  2. On the Set permissions page, attach the policy created in the previous step to this user.
  3. Once the user is created, view or download the user's access key ID and secret access key.
    🚨 Careful! This will be your only opportunity to view or download the access keys. You will not have access to them again after leaving the user creation screen.

Role-based authentication

To configure role-based authentication attach the policy created in the previous step to the EC2 role that Atlan uses for its EC2 instances in the EKS cluster. Please raise a support ticket to use this option.

Role delegation-based authentication

To configure role delegation-based authentication:

  1. Raise a support ticket to get the ARN of the Node Instance Role for your Atlan EKS cluster.
  2. Create a new role in your AWS account by following the steps in the AWS Identity and Access Management User Guide.
    1. When prompted for policies, attach the policy created in the previous step to this role.
    2. When prompted, create a trust relationship for the role using the following trust policy. (Replace <atlan_nodeinstance_role_arn> with the ARN received from Atlan support.)
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "AWS": "<atlan_nodeinstance_role_arn>"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
          }
        ]
      }
  3. Raise another support ticket with the ID of the AWS account where the role above was created.
🚨 Careful! Wait until the support team confirms the account is allowlisted for assuming the role before running the crawler.

Related articles

Was this article helpful?
0 out of 0 found this helpful