DataZone - scope of permissions

0

I'm not intermediate in AWS IAM, so perhaps I'm doing something wrong.

I've created an IAM UserA that has access to a project in DataZone.

When clicking the "Athena query" in DataZone project:

  • I'm forwarded from DataZone portal to AWS Athena console
  • I'm assigned a user by DataZone (I think this is called a "federated user") with some random-looking name starting with datazone-usr-c-proj-
  • I can query the data in the project

However when I try to query the data by:

  • logging into the AWS console (console.aws.amazon.com, IAM user: UserA)
  • opening Athena or Glue
  • I cannot access the data

Is this behavior expected? Or should the user be granted Lake Formation permissions to the tables they have access to? If this is expected, then is interacting via Athena / Redshift the only way to interact with the data in DataZone (at least without providing additional permissions in, for example, Lake Formation)?

ksazon
asked 10 months ago, 510 views
1 answer
0

Hi,

you are not doing anything wrong. In Amazon DataZone, resources are organized in DataZone domains. A domain is a collection of Amazon DataZone objects, such as data assets, projects, and associated AWS accounts. And as per the documentation:

Associated AWS accounts - these are AWS accounts that host data assets that you want to catalog, discover, govern, share, or analyze through Amazon DataZone. These accounts have a trust relationship with an AWS account that houses an Amazon DataZone domain. This association enables data producers to publish data assets to Amazon DataZone domains from the associated AWS accounts, and enables data consumers to subscribe to data assets in the associated AWS accounts.

That's why you can query the data via Amazon Athena if you use the link from the DataZone console. You are at that time using an identity that has a trust relationship with the account that holds the data. If you use Athena without first assuming this identity, you don't have access to the data.

AWS
EXPERT
answered 10 months ago
  • Hi Ben and thank you for the answer!

    Am I correct to think that there is no way for a user who has been granted some permissions in DataZone to use tools that are not available in DataZone portal (for example to transform the data via AWS EMR / Glue)?

    I can think of a workflow where users (using the trust relationship assumed via the DataZone portal) query the data in Athena into an S3 bucket available for both the "regular" user and the assumed identity, then do the transformations (e.g. Glue) and then save the data into a location they can publish from. But it seems like a security policy nightmare and a waste of storage to me. Do you think it makes sense?

  • Hi Ben-from-aws, Thank you for the answer. Is there a way for project members (who get access to the data through the project role) to get access to the project data in, let's say, Power BI (requiring access keys and secret keys) without having to go back to Lake Formation and grant the individual project members permissions to access that data?

  • Hi Jean, I'm not too familiar with PowerBI but if the service requires an IAM access and secret key, you will need to use IAM to create those. DataZone integrates with IAM as well as Identity Center to manage users and permissions, see https://docs.aws.amazon.com/datazone/latest/userguide/user-management-console.html
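An added diagnostic check for the situation described in the answer above (it is not code from the thread or from AWS): given the ARN that sts:GetCallerIdentity returns and a lakeformation:ListPermissions result, it tells you whether you are acting as the DataZone-assigned identity or as the plain IAM user, and whether that principal holds a direct Lake Formation grant on the table. The ARN shapes, the datazone-usr-c-proj- naming and the sample permissions below are assumptions and constructed data.

```python
import re

# Assumed ARN shapes (not from the thread): the DataZone-assigned identity shows up as
# an STS federated user or assumed role named datazone-usr-c-proj-..., while a console
# login with UserA shows up as a plain IAM user ARN.
_DATAZONE_RE = re.compile(
    r"^arn:aws:sts::\d{12}:(federated-user|assumed-role)/datazone-usr-c-proj-[^/]+"
)
_IAM_USER_RE = re.compile(r"^arn:aws:iam::\d{12}:user/[^/]+$")


def classify_caller(arn: str) -> str:
    """Classify the Arn field returned by sts:GetCallerIdentity."""
    if _DATAZONE_RE.match(arn):
        return "datazone-project-identity"
    if _IAM_USER_RE.match(arn):
        return "iam-user"
    return "other"


def has_table_grant(permissions, principal_arn, database, table, wanted="SELECT"):
    """True if a ListPermissions-style result holds a direct table-level grant of
    `wanted` on database.table for principal_arn (column-level grants are ignored)."""
    for entry in permissions:
        principal = entry.get("Principal", {}).get("DataLakePrincipalIdentifier")
        res = entry.get("Resource", {}).get("Table", {})
        if (principal == principal_arn and res.get("DatabaseName") == database
                and res.get("Name") == table and wanted in entry.get("Permissions", [])):
            return True
    return False


def explain(caller_arn, permissions, database, table):
    """One-line diagnosis of why a query on database.table does or does not work."""
    if classify_caller(caller_arn) == "datazone-project-identity":
        return "DataZone project identity: access comes from the project trust setup"
    if has_table_grant(permissions, caller_arn, database, table):
        return "direct Lake Formation SELECT grant present"
    return "no direct Lake Formation grant; use the DataZone link or grant one"


# Constructed sample data (not a real ListPermissions response): only the project
# role holds SELECT on sales.orders; UserA holds nothing.
PROJECT_ROLE = "arn:aws:iam::111122223333:role/datazone-usr-c-proj-EXAMPLE"
USER_A = "arn:aws:iam::111122223333:user/UserA"
SAMPLE_PERMISSIONS = [
    {"Principal": {"DataLakePrincipalIdentifier": PROJECT_ROLE},
     "Resource": {"Table": {"CatalogId": "111122223333",
                            "DatabaseName": "sales", "Name": "orders"}},
     "Permissions": ["SELECT", "DESCRIBE"], "PermissionsWithGrantOption": []},
]
```

To use it against a real account, feed in the output of `aws sts get-caller-identity` and `aws lakeformation list-permissions` for the table in question.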
