🤔 Who can do this? You will probably need your Amazon DynamoDB administrator to run these commands; you may not have access yourself.
Atlan supports the following authentication methods for fetching metadata from Amazon DynamoDB:
- IAM user authentication: this method uses an AWS access key, secret key, and region to fetch metadata.
- IAM role authentication: this method uses an AWS role ARN and region to fetch metadata.
Create IAM policy
To create an IAM policy with the necessary permissions, follow the steps in the AWS Identity and Access Management User Guide.
Create the policy using the following JSON:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:ListTables"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:DescribeTable"
      ],
      "Resource": "arn:aws:dynamodb:<region>:<account_id>:table/*"
    }
  ]
}
```
- Replace `<region>` with the AWS region of your Amazon DynamoDB instance.
- Replace `<account_id>` with your AWS account ID.
IAM permissions
Atlan requires the following permissions:
- `dynamodb:ListTables`: fetches a list of your Amazon DynamoDB tables. This permission is used during the metadata extraction process to dynamically determine a list of tables.
  - Note that this action does not support resource-level permissions and requires you to choose all resources, hence `*` for `Resource`.
- `dynamodb:DescribeTable`: fetches metadata for extracted tables. This action supports resource-level permissions, so for `Resource` you can either:
  - Grant permission to all tables in the region for which you want to extract metadata: `arn:aws:dynamodb:<region>:<account_id>:table/*`
  - Specify the table names for which you want to extract metadata: `arn:aws:dynamodb:<region>:<account_id>:table/table_name_1`, `arn:aws:dynamodb:<region>:<account_id>:table/table_name_2`
Choose authentication mechanism
Using the policy created above, configure one of the following options for authentication.
User-based authentication
To configure IAM user-based authentication:
- Create an AWS IAM user by following the steps in the AWS Identity and Access Management User Guide.
- On the Set permissions page, attach the policy created in the previous step to this user.
- Refer to managing access keys for IAM users to create an access key for the new user.
- Once the user is created, view or download the user's access key ID and secret access key.
🚨 Careful! This will be your only opportunity to view or download the access keys. You will not have access to them again after leaving the user creation screen.
Role delegation-based authentication
To configure role delegation-based authentication:
- Raise a support ticket to get the ARN of the Node Instance Role for your Atlan EKS cluster.
- Create a new role in your AWS account by following the steps in the AWS Identity and Access Management User Guide.
- When prompted for policies, attach the policy created in the previous step to this role.
- When prompted, create a trust relationship for the role using the following trust policy. (Replace `<atlan_nodeinstance_role_arn>` with the ARN received from Atlan support.)

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<atlan_nodeinstance_role_arn>"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
```
- (Optional) To use an external ID for additional security, paste the external ID into the policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "<atlan_nodeinstance_role_arn>"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<atlan_external_id>"
        }
      }
    }
  ]
}
```

  - Replace `<atlan_external_id>` with the external ID you want to use.
- Now, reach out to Atlan support with:
- The name of the role you created above.
- The ID of the AWS account where the role was created.
🚨 Careful! Wait until the support team confirms the account is allowlisted to assume the role before running the crawler.
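The following script is an added example and is not part of Atlan's documentation or tooling. It renders the access policy from the "IAM permissions" section and the trust policy from the role-delegation steps with their placeholders filled in, then checks that both keep the shape the page describes: only `dynamodb:ListTables` (which must use `*`) and `dynamodb:DescribeTable` (which should be scoped to table ARNs), no unreplaced `<...>` placeholders, a single IAM role ARN as the trusted principal, and an `sts:ExternalId` condition when the external ID option is used. The account IDs, region, table names and role ARN in the usage section are constructed values, not real identifiers.

```python
"""Render the access policy and trust policy described on this page and check
that they keep the least-privilege shape the page calls for.

Added example, not part of Atlan's documentation or tooling. Account ids,
region, table names and the node-instance role ARN used below are constructed.
"""
import json
import re

# A DynamoDB table ARN: region, 12-digit account id, then table/<name or *>.
TABLE_ARN_RE = re.compile(r"^arn:aws:dynamodb:[a-z0-9-]+:\d{12}:table/[^/]+$")
# An IAM role ARN, the only kind of principal the page's trust policy names.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/.+$")
EXPECTED_ACTIONS = {"dynamodb:ListTables", "dynamodb:DescribeTable"}


def _as_list(value):
    """IAM allows Action/Resource/Principal as a string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def build_access_policy(region, account_id, table_names=None):
    """The page's access policy with placeholders filled in. With table_names
    None, DescribeTable covers every table in the region (table/*); otherwise
    it lists exactly one ARN per named table."""
    prefix = f"arn:aws:dynamodb:{region}:{account_id}:table/"
    describe = [prefix + n for n in table_names] if table_names else prefix + "*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            # ListTables has no resource-level permissions, so "*" is unavoidable.
            {"Effect": "Allow", "Action": ["dynamodb:ListTables"], "Resource": "*"},
            {"Effect": "Allow", "Action": ["dynamodb:DescribeTable"], "Resource": describe},
        ],
    }


def build_trust_policy(principal_role_arn, external_id=None):
    """The page's trust policy; an optional external ID becomes an
    sts:ExternalId StringEquals condition on the AssumeRole grant."""
    condition = {"StringEquals": {"sts:ExternalId": external_id}} if external_id else {}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": principal_role_arn},
                "Action": "sts:AssumeRole",
                "Condition": condition,
            }
        ],
    }


def check_access_policy(policy):
    """Return findings (empty list = matches the page's shape): only the two
    DynamoDB actions, DescribeTable scoped to table ARNs, no placeholders left."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        for action in actions:
            if action not in EXPECTED_ACTIONS:
                findings.append(f"unexpected action granted: {action}")
        if "dynamodb:DescribeTable" in actions:
            if "dynamodb:ListTables" in actions:
                findings.append("ListTables shares a statement with DescribeTable, "
                                "so its mandatory '*' resource also widens DescribeTable")
            for res in _as_list(stmt.get("Resource", [])):
                if "<" in res or ">" in res:
                    findings.append(f"placeholder not replaced in resource: {res}")
                elif not TABLE_ARN_RE.match(res):
                    findings.append(f"DescribeTable not scoped to a table ARN: {res}")
    return findings


def check_trust_policy(policy, require_external_id=False):
    """Return findings: each AssumeRole grant must name one IAM role ARN and,
    when required, carry a non-placeholder sts:ExternalId condition."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for p in _as_list(aws):
            if not ROLE_ARN_RE.match(p):
                findings.append(f"trust policy principal is not a single IAM role ARN: {p}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if require_external_id and not ext:
            findings.append("sts:ExternalId condition missing")
        elif ext and ("<" in ext or ">" in ext):
            findings.append(f"external ID placeholder not replaced: {ext}")
    return findings


if __name__ == "__main__":
    # Constructed values: not a real account, region assignment or role.
    access = build_access_policy("us-east-1", "123456789012", ["orders", "customers"])
    trust = build_trust_policy("arn:aws:iam::111122223333:role/atlan-node-instance-role",
                               external_id="example-external-id")
    print(json.dumps(access, indent=2))
    print(json.dumps(trust, indent=2))
    print("access findings:", check_access_policy(access))
    print("trust findings:", check_trust_policy(trust, require_external_id=True))
```

Run it as-is to print both rendered policies with no findings; feed `check_access_policy` a statement that grants `dynamodb:DescribeTable` on `*`, or `check_trust_policy` a trust policy whose principal is `*`, to see the kind of drift from the page's template that the checks flag before the policy is attached.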