Databricks Delta Connector


Temporary security credentials policy


To use temporary security credentials to access AWS resources, both the IAM user and IAM role require policies.
Amazon S3 permission policy
Attach the following S3 permission policy to allow access to the Amazon S3 bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject",
        "s3:PutObjectTagging",
        "s3:GetBucketAcl"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::com.amk"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject",
        "s3:PutObjectTagging",
        "s3:GetBucketAcl"
      ],
      "Resource": "arn:aws:s3:::com.amk/*"
    }
  ]
}
The following sections list the policies required for the IAM user and the IAM role:
IAM user
An IAM user must have the sts:AssumeRole policy to use temporary security credentials in the same or a different AWS account.
The following sample policy allows an IAM user to use the temporary security credentials in an AWS account:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::<ACCOUNT-HYPHENS>:role/<ROLE-NAME>"
  }
}
IAM role
An IAM role must have the sts:AssumeRole policy and a trust policy attached to it to allow the IAM user to access the AWS resource using temporary security credentials. The policy specifies the AWS resource that the IAM user can access and the actions that the IAM user can perform. The trust policy specifies the IAM user from the AWS account that can access the AWS resource.
The following policy is a sample trust policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AWS-account-ID:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Here, in the Principal attribute, you can also provide the ARN of the IAM user who can use the dynamically generated temporary security credentials, which restricts access further. For example:
"Principal": { "AWS": "arn:aws:iam::AWS-account-ID:user/user-name" }
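The difference between the two Principal forms above can be checked before a trust policy is attached. The following Python sketch is an added example, not part of the connector documentation; the account ID 111122223333 and the function names are constructed for illustration. It reports how broadly a trust policy allows sts:AssumeRole.

```python
import json

# Constructed sample: the sample trust policy above with a placeholder account ID.
SAMPLE_TRUST_POLICY = """
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
  "Action": "sts:AssumeRole"}]}
"""


def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Principal."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy_json):
    """Return (principal, finding) pairs for Allow statements granting sts:AssumeRole."""
    findings = []
    for stmt in as_list(json.loads(policy_json)["Statement"]):
        actions = set(as_list(stmt.get("Action", [])))
        if stmt.get("Effect") != "Allow" or not {"sts:AssumeRole", "sts:*", "*"} & actions:
            continue
        principal = stmt.get("Principal", {})
        # "Principal": "*" is shorthand for every principal.
        arns = ["*"] if principal == "*" else as_list(principal.get("AWS", []))
        for arn in arns:
            if arn == "*":
                finding = "any AWS principal can assume the role"
            elif arn.endswith(":root") or arn.isdigit():
                # A bare account ID is equivalent to the account's :root ARN.
                finding = "whole account trusted; any identity in it allowed sts:AssumeRole can assume the role"
            elif ":user/" in arn:
                finding = "restricted to one IAM user"
            else:
                finding = "restricted to a specific principal"
            if "Condition" in stmt:
                finding += " (subject to Condition)"
            findings.append((arn, finding))
    return findings


if __name__ == "__main__":
    for arn, finding in audit_trust_policy(SAMPLE_TRUST_POLICY):
        print(f"{arn}: {finding}")
```

A ":root" principal delegates the decision to the trusted account, so the IAM user policy shown earlier becomes the only control on who can assume the role; a user ARN in the trust policy enforces the restriction on the role side as well.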
