How-to | Grant security roles

There are two ways to grant your Dataiku instances access to AWS services:

  • IAM roles

  • AWS access key

It is a recommended best practice to use an IAM role and its instance profile rather than using an AWS access key. This IAM instance profile is auto-created when you create a role from the AWS console.

You can assign IAM roles to each instance linked to the instance template. The benefits of assigning IAM roles are:

  • Avoid unnecessary sharing of long-term access keys

  • Simpler to maintain than access keys

It is possible to have one role assigned at startup (before the Dataiku instance starts up) and another one at runtime (after the Dataiku instance starts up). This helps to limit the scope of the role while the instance is running.

Instance IAM Role

To assign Instance IAM roles:

  1. Navigate to AWS security > Instance IAM role.

  2. In Runtime instance profile ARN, provide the instance profile ARN (not a role ARN).

  3. In Startup instance profile ARN, provide the instance profile ARN (not a role ARN).

  4. Select the Restrict metadata access checkbox to prevent end-user processes from accessing the AWS metadata server. This ensures the Dataiku end users cannot assume the instance role.
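Two checks worth scripting for the settings above, added here as an example and not Dataiku's or Fleet Manager's own code: classify an IAM ARN so a role ARN is not pasted where the instance profile ARN belongs, and probe the instance metadata service from an end-user process to confirm that Restrict metadata access actually blocks it. The ARN grammar and the 169.254.169.254 endpoint are standard AWS values; the ARNs used in the test are constructed.

```python
"""Checks for the Instance IAM role settings above (assumed usage: run
classify_iam_arn on the ARNs before pasting them into Fleet Manager; run
metadata_reachable on the instance as a Dataiku end user, not the service
account, after enabling Restrict metadata access)."""
import re
import urllib.error
import urllib.request

# IAM ARN grammar: arn:<partition>:iam::<12-digit account>:<resource-type>/<name>
_IAM_ARN = re.compile(
    r"^arn:(?P<partition>aws[\w-]*):iam::(?P<account>\d{12}):"
    r"(?P<resource_type>[^/]+)/(?P<name>.+)$"
)
IMDS = "http://169.254.169.254"  # standard EC2 instance metadata address


def classify_iam_arn(arn: str) -> str:
    """Return 'instance-profile', 'role' or 'invalid'. Both ARN fields in
    Fleet Manager take an instance profile ARN; a role ARN differs only in
    the resource type, which is why the two are easy to confuse."""
    m = _IAM_ARN.match(arn.strip())
    if m and m.group("resource_type") in ("instance-profile", "role"):
        return m.group("resource_type")
    return "invalid"


def metadata_reachable(timeout: float = 2.0) -> bool:
    """True if IMDS answers (IMDSv1 GET or IMDSv2 token PUT). Any HTTP
    status, even 401/403, means the endpoint is reachable and the restriction
    is not in effect for this process; only a network-level failure
    (refused, unreachable, timeout) counts as blocked."""
    probes = [
        urllib.request.Request(f"{IMDS}/latest/meta-data/iam/info"),
        urllib.request.Request(
            f"{IMDS}/latest/api/token", method="PUT",
            headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"}),
    ]
    for req in probes:
        try:
            urllib.request.urlopen(req, timeout=timeout).close()
            return True
        except urllib.error.HTTPError:
            return True  # the server answered, so it is reachable
        except (urllib.error.URLError, OSError):
            continue  # try the next probe
    return False
```

Run `metadata_reachable()` once as the Dataiku service account (expected True, since the instance itself still needs the runtime profile) and once as an end user (expected False once the restriction is on).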

Keypair (Access Key)

You can also use an AWS access key to give your Dataiku instances access to AWS services.

If you prefer to use an AWS access key (rather than an IAM role), you’ll need to provide your ASM secret ID so that Fleet Manager can retrieve the secret access key from AWS Secrets Manager (ASM). Alternatively, Fleet Manager can encrypt the key and store it itself, using the Customer Managed Key (CMK) defined in the cloud setup settings.

To assign an AWS access key:

  1. Navigate to AWS security > Keypair.

  2. In Keypair mode, choose AWS Keypair.

  3. In Keypair storage mode, choose an option.

    • Secret stored in ASM.

      • Enter your ASM secret ID.

      • Enter your AWS access key ID.

    • Secret stored encrypted in Fleet Manager.

      • Enter your AWS access key ID.

      • Enter your AWS secret access key.

User-Assigned Managed Identities

You can assign user-assigned managed identities to each instance linked to the instance template.

Note

You created user-assigned managed identities when you set up Fleet Manager. Visit the reference documentation for more information.

It is possible to have one managed identity assigned at startup (before the instance starts up) and another one at runtime (after the instance starts up). This helps to limit the scope of the managed identity while the instance is running.

To assign user-assigned managed identities:

  1. Navigate to Azure security > User-assigned managed identities.

  2. In Runtime managed identity, provide the user-assigned managed identity.

  3. In Startup managed identity, provide the user-assigned managed identity.

  4. Select the Restrict metadata access checkbox to prevent end-user processes from accessing the Azure metadata server. This ensures the Dataiku end users cannot use the instance's managed identity.