🤔 Who can do this? You will probably need your AWS Lambda administrator to run these commands; you may not have access yourself.
Create IAM policy
To create an IAM policy with the necessary permissions, follow the steps in the AWS Identity and Access Management User Guide.
Create the policy using the following JSON:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "lambda:InvokeFunction",
        "lambda:InvokeAsync",
        "lambda:ListFunctions"
      ],
      "Resource": "*"
    }
  ]
}
Choose authentication mechanism
Using the policy created above, configure one of the following options for authentication.
User-based authentication
To configure user-based authentication:
- Create an AWS IAM user by following the steps in the AWS Identity and Access Management User Guide.
- On the Set permissions page, attach the policy created in the previous step to this user.
- Once the user is created, view or download the user's access key ID and secret access key.
🚨 Careful! This will be your only opportunity to view or download the access keys. You will not have access to them again after leaving the user creation screen.
Role-based authentication
To configure role-based authentication, attach the policy created in the previous step to the EC2 role that Atlan uses for its EC2 instances in the EKS cluster. Please raise a support ticket to use this option.
Role delegation-based authentication
To configure role delegation-based authentication:
- Raise a support ticket to get the ARN of the Node Instance Role for your Atlan EKS cluster.
- Create a new role in your AWS account by following the steps in the AWS Identity and Access Management User Guide.
- When prompted for policies, attach the policy created in the previous step to this role.
- When prompted, create a trust relationship for the role using the following trust policy. (Replace <atlan_nodeinstance_role_arn> with the ARN received from Atlan support.)
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "<atlan_nodeinstance_role_arn>"
        },
        "Action": "sts:AssumeRole",
        "Condition": {}
      }
    ]
  }
- Now, reach out to Atlan support with:
  - The name of the role you created above.
  - The ID of the AWS account where the role was created.
🚨 Careful! Wait until the support team confirms the account is allowlisted to assume the role before running the Lambda function.
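A pre-flight check for the two JSON documents on this page, written as an added example (it is not Atlan's or AWS's code): it reports malformed JSON, actions that differ from the three documented Lambda actions, and a trust principal that is not a role ARN, such as the unreplaced placeholder. The function names and the sample input are assumptions made for this example.

```python
import json
import re

# The three actions granted by the permission policy on this page.
REQUIRED_ACTIONS = {"lambda:InvokeFunction", "lambda:InvokeAsync", "lambda:ListFunctions"}
# IAM role ARN shape; rejects "*", account-root ARNs and the unreplaced placeholder.
ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$")
# Constructed sample: the page's trust policy with the placeholder left in place.
SAMPLE_TRUST = '{"Statement": {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "<atlan_nodeinstance_role_arn>"}}}'


def _as_list(value):
    """IAM policy JSON allows a bare value where a list is expected."""
    return value if isinstance(value, list) else [value]


def _allow_statements(text):
    """Parse policy JSON and return its Allow statements."""
    policy = json.loads(text)
    return [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]


def check_permission_policy(text):
    """Report actions missing from, or granted beyond, the documented set."""
    try:
        statements = _allow_statements(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    granted = {a for s in statements for a in _as_list(s.get("Action", []))}
    problems = [f"missing action: {a}" for a in sorted(REQUIRED_ACTIONS - granted)]
    return problems + [f"undocumented action: {a}" for a in sorted(granted - REQUIRED_ACTIONS)]


def check_trust_policy(text):
    """Require every Allow statement to trust role ARNs only, for sts:AssumeRole only."""
    try:
        statements = _allow_statements(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    problems = [] if statements else ["no Allow statement"]
    for stmt in statements:
        if _as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            problems.append("action must be exactly sts:AssumeRole")
        principal = stmt.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for arn in _as_list(aws) or [None]:
            if not isinstance(arn, str) or not ROLE_ARN.match(arn):
                problems.append(f"principal is not a role ARN: {arn}")
    return problems
```

Pass each function the text of the policy you are about to submit to IAM; an empty list means no finding, and `check_trust_policy(SAMPLE_TRUST)` shows the finding for a placeholder that was never replaced.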