The following guide walks through configuring Identity and Access Management (IAM) Roles in Amazon Web Services and connecting them to Qubole. This document contains code intended for use inside customer environments. Portions of the code must be updated for the AWS IAM Roles to function properly. Customer-required updates are designated with bold text. Make sure to update the relevant sections of the code connecting AWS and Qubole.

AWS Account

Prior to connecting to Qubole, make sure you have created an account with AWS, have entered the relevant billing details, and have access to console.aws.amazon.com.

Qubole Account

1. Log into Qubole through api.qubole.com
2. Navigate to the Control Panel interface.
3. Navigate to the Account interface within the Control Panel.
4. In the Account Settings pane, find the Access Mode option.
5. Change the selection from IAM Keys to IAM Roles.
6. Record the following information for use later.
   Qubole AWS Account ID
   External ID

AWS Policy EC2

1. Log into AWS Console through console.aws.amazon.com.
2. Navigate to the Identity and Access Management interface.
3. Navigate to the Policies interface within the Identity and Access Management interface.
4. Select Create Policy.
5. Select Create Your Own Policy.
6. Enter a Policy Name for the EC2 policy.
7. Provide a Policy Description.
8. Use the below code for the Policy Document and update the text as necessary.
9. Select Create Policy.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ec2:authorizesecuritygroupegress",
            "ec2:authorizesecuritygroupingress",
            "ec2:cancelspotinstancerequests",
            "ec2:createsecuritygroup",
            "ec2:createtags",
            "ec2:deletesecuritygroup",
            "ec2:deletetags",
            "ec2:describe*",
            "ec2:importkeypair",
            "ec2:modifyinstanceattribute",
            "ec2:requestspotinstances",
            "ec2:runinstances",
            "ec2:startinstances",
            "ec2:stopinstances",
            "ec2:terminateinstances"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }

NOTE: the asterisk (*) in the first line under Resource indicates all EC2 resources.

AWS Policy S3

2. Navigate to the Policies interface within the Identity and Access Management interface.
3. Select Create Policy.
4. Select Create Your Own Policy.
5. Enter a Policy Name for the S3 policy.
6. Provide a Policy Description.
7. Use the below code for the Policy Document and update the text as necessary.
8. Select Create Policy.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:deleteobject",
            "s3:getobject",
            "s3:getobjectacl",
            "s3:putobject",
            "s3:putobjectacl",
            "s3:getbucketacl",
            "s3:listbucket"
          ],
          "Resource": [
            "arn:aws:s3:::<bucket path>/*",
            "arn:aws:s3:::<bucket path>"
          ]
        }
      ]
    }

NOTE: the asterisk (*) after the slash (/) in the first line under Resource indicates all subdirectories stored in the location provided to the left of the slash (/).

AWS Role

2. Navigate to the Roles interface within the Identity and Access Management interface.
3. Select Create New Role.
4. Enter a Role Name and select Next Step.
5. Under Select Role Type make sure to select AWS Service Roles.
6. Under AWS Service Roles select Amazon EC2.
7. Select the EC2 and S3 policies created in the previous steps.
8. Select Next Step.
9. Record the Role ARN below and then select Create Role.
   Role ARN

Trust Relationships

2. Navigate to the Roles interface within the Identity and Access Management interface.
3. Select the AWS Role previously created.
4. Select the Trust Relationships tab.
5. Select Edit Trust Relationships.
6. Use the below code for the Policy Document and update the text as necessary.
7. Select Update Trust Policy.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "ec2.amazonaws.com"
          },
          "Action": "sts:assumerole"
        },
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<qubole aws account id>:root"
          },
          "Action": "sts:assumerole",
          "Condition": {
            "StringEquals": {
              "sts:externalid": "<external id>"
            }
          }
        }
      ]
    }

Qubole Access Mode

1. Return to Qubole.
2. In the Account Settings pane, under the Access Mode enter the Role ARN.
3. Provide a Default Location.
4. Select Save.
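
A check for the trust policy from the Trust Relationships section, added here as an example (it is not Qubole's or AWS's code): it confirms that every cross-account statement names only the recorded Qubole AWS Account ID and carries the External ID condition. The function name, account ID and external ID below are constructed for illustration.

```python
import copy

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, account_id, external_id):
    """Return findings for statements that let another AWS account assume the role."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not arns:
            continue  # service principal such as ec2.amazonaws.com
        for arn in arns:
            # An AWS principal is a bare account ID or an ARN whose fifth field is the account.
            parts = arn.split(":")
            acct = parts[4] if len(parts) > 4 else arn
            if acct != account_id:
                findings.append(f"statement {i}: unexpected principal {arn}")
        # Condition key names are case-insensitive; the guide writes "sts:externalid".
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        ext = {k.lower(): v for k, v in cond.items()}.get("sts:externalid")
        if ext is None:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif _as_list(ext) != [external_id]:
            findings.append(f"statement {i}: external ID does not match")
    return findings

# Constructed sample values; substitute the ones recorded from Qubole.
ACCOUNT_ID, EXTERNAL_ID = "111122223333", "EXAMPLE-EXTERNAL-ID"
GOOD = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:assumerole"},
        {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
         "Action": "sts:assumerole",
         "Condition": {"StringEquals": {"sts:externalid": EXTERNAL_ID}}},
    ],
}
WEAK = copy.deepcopy(GOOD)
del WEAK["Statement"][1]["Condition"]  # cross-account trust with no external ID

if __name__ == "__main__":
    print(audit_trust_policy(GOOD, ACCOUNT_ID, EXTERNAL_ID))
    print(audit_trust_policy(WEAK, ACCOUNT_ID, EXTERNAL_ID))
```

An empty list means the role can be assumed only by the EC2 service and by the expected account presenting the expected external ID.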