How to set up AWS Glue

🤓 Who can do this? You will probably need your AWS Glue administrator to run these commands; you may not have access yourself.
💪 Did you know? Prefixing all resources created for Atlan with atlan- will help you better identify them. You should also add AWS tags and descriptions to these resources for later reference.

Atlan supports fetching metadata from AWS Glue. If you also want to be able to preview and query the data, you can set up an Amazon Athena connection instead.

Create IAM policy

To create an IAM policy with the necessary permissions, follow the steps in the AWS Identity and Access Management User Guide.

Create the policy using the following JSON:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "glue:GetTables",
        "glue:GetDatabases",
        "glue:GetTable",
        "glue:GetDatabase",
        "glue:SearchTables",
        "glue:GetTableVersions",
        "glue:GetTableVersion",
        "glue:GetPartition",
        "glue:GetPartitions",
        "glue:GetUserDefinedFunctions",
        "glue:GetUserDefinedFunction"
      ],
      "Resource": [
        "arn:aws:glue:<region>:<account_id>:tableVersion/*/*/*",
        "arn:aws:glue:<region>:<account_id>:table/*/*",
        "arn:aws:glue:<region>:<account_id>:catalog",
        "arn:aws:glue:<region>:<account_id>:database/*"
      ]
    }
  ]
}
  • Replace <region> with the AWS region of your Glue instance.
  • Replace <account_id> with your account ID.
🚨 Careful! If you're using AWS Lake Formation to manage access to your AWS resources, you will need to grant permissions in AWS Lake Formation as well as to the objects you want to crawl.

Choose authentication mechanism

Using the policy created above, configure one of the following options for authentication.

User-based authentication

To configure user-based authentication:

  1. Create an AWS IAM user by following the steps in the AWS Identity and Access Management User Guide.
  2. On the Set permissions page, attach the policy created in the previous step to this user.
  3. Once the user is created, view or download the user's access key ID and secret access key.
    🚨 Careful! This will be your only opportunity to view or download the access keys. You will not have access to them again after leaving the user creation screen.

Role-based authentication

To configure role-based authentication, attach the policy created in the previous step to the EC2 role that Atlan uses for its EC2 instances in the EKS cluster. Please raise a support ticket to use this option.

Role delegation-based authentication

To configure role delegation-based authentication:

  1. Raise a support ticket to get the ARN of the Node Instance Role for your Atlan EKS cluster.
  2. Create a new role in your AWS account by following the steps in the AWS Identity and Access Management User Guide.
    1. When prompted for policies, attach the policy created in the previous step to this role.
    2. When prompted, create a trust relationship for the role using the following trust policy. (Replace <atlan_nodeinstance_role_arn> with the ARN received from Atlan support.)
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "AWS": "<atlan_nodeinstance_role_arn>"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
          }
        ]
      }
  3. (Optional) To use an external ID for additional security:
    1. Generate the external ID within Atlan.
    2. Paste the external ID into the policy (replace <atlan_generated_external_id> with it):
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "AWS": "<atlan_nodeinstance_role_arn>"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
              "StringEquals": {
                "sts:ExternalId": "<atlan_generated_external_id>"
              }
            }
          }
        ]
      }
  4. Now, reach out to Atlan support with:
    • The name of the role you created above.
    • The ID of the AWS account where the role was created.
🚨 Careful! Wait until the support team confirms the account is allowlisted to assume the role before running the crawler.
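The trust policy above decides who may assume the delegated role, so it is worth checking mechanically before sharing the role name with a third party. The following Python is an added example, not Atlan's code: it builds the trust policy from the page (with or without the optional sts:ExternalId condition) and reviews a policy for the weaknesses that matter here, namely a wildcard principal, a principal other than the Atlan node instance role, an action other than sts:AssumeRole, and a missing external ID. The ARN and external ID are the page's placeholders, not real values.

```python
import json

# Constructed sample inputs: the page's placeholders, not real values.
NODE_ROLE_ARN = "<atlan_nodeinstance_role_arn>"
EXTERNAL_ID = "<atlan_generated_external_id>"


def build_trust_policy(node_role_arn, external_id=None):
    """Return the role trust policy from the page; the sts:ExternalId
    condition is only added when an external ID is supplied."""
    condition = {}
    if external_id:
        condition = {"StringEquals": {"sts:ExternalId": external_id}}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": node_role_arn},
            "Action": "sts:AssumeRole",
            "Condition": condition,
        }],
    }


def check_trust_policy(policy, expected_principal):
    """Review a trust policy before delegating the role. Returns a list of
    findings; an empty list means it matches the pattern on this page."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a != "sts:AssumeRole" for a in actions):
            findings.append(f"unexpected action(s): {actions}")
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws == "*" or principal == "*":
            findings.append("principal is a wildcard: any account could assume the role")
        elif aws != expected_principal:
            findings.append(f"principal {aws!r} is not the Atlan node instance role")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append("no sts:ExternalId condition (external ID step skipped)")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(NODE_ROLE_ARN, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print(check_trust_policy(policy, NODE_ROLE_ARN))  # [] when the policy is sound
```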
