
Integrating Amazon Web Services

Capabilities

DataGrail's Amazon Web Services integration provides the following capabilities:

Product          Capability
Live Data Map    System Detection

Before You Start

To successfully configure this integration, please ensure you have sufficient privileges:

  • DataGrail User Role: Super Admin, Connections Manager
  • Amazon Web Services User Role: Admin

Create an AWS IAM Policy

  1. Navigate to IAM within AWS and select Policies from the left menu.
  2. Select Create Policy.
  3. Switch to the JSON policy editor.
  4. Enter the Recommended Identity-based Policy.
Recommended Identity-based Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "athena:GetTableMetadata",
        "athena:ListTableMetadata",
        "datapipeline:DescribeObjects",
        "datapipeline:DescribePipelines",
        "datapipeline:GetPipelineDefinition",
        "datapipeline:ListPipelines",
        "docdb-elastic:GetCluster",
        "docdb-elastic:ListClusters",
        "dynamodb:DescribeTable",
        "dynamodb:ListTables",
        "ec2:DescribeRegions",
        "elasticmapreduce:DescribeCluster",
        "elasticmapreduce:ListClusters",
        "glue:GetDatabase",
        "glue:GetDatabases",
        "glue:GetJob",
        "glue:GetJobs",
        "glue:GetTable",
        "glue:GetTables",
        "glue:GetWorkflow",
        "glue:ListJobs",
        "glue:ListWorkflows",
        "rds:DescribeDBClusterParameters",
        "rds:DescribeDBClusters",
        "rds:DescribeDBInstances",
        "rds:DescribeGlobalClusters",
        "redshift:DescribeClusters",
        "redshift:DescribeTable",
        "redshift:ListDatabases",
        "redshift:ListSchemas",
        "redshift:ListTables"
      ],
      "Resource": "*"
    }
  ]
}
  5. Enter a Policy name, for example: datagrail-system-detection-read-only.
  6. Select Create policy.
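Before or after creating the policy, it is worth confirming that what was actually pasted grants nothing beyond the recommended list. The following is an added example, not DataGrail's code: the names RECOMMENDED, SAMPLE, allowed_actions and policy_drift are hypothetical, and SAMPLE is a constructed policy used only to show the output.

```python
import fnmatch

# Actions copied from the Recommended Identity-based Policy on this page.
RECOMMENDED = set("""
athena:GetTableMetadata athena:ListTableMetadata datapipeline:DescribeObjects
datapipeline:DescribePipelines datapipeline:GetPipelineDefinition
datapipeline:ListPipelines docdb-elastic:GetCluster docdb-elastic:ListClusters
dynamodb:DescribeTable dynamodb:ListTables ec2:DescribeRegions
elasticmapreduce:DescribeCluster elasticmapreduce:ListClusters glue:GetDatabase
glue:GetDatabases glue:GetJob glue:GetJobs glue:GetTable glue:GetTables
glue:GetWorkflow glue:ListJobs glue:ListWorkflows
rds:DescribeDBClusterParameters rds:DescribeDBClusters rds:DescribeDBInstances
rds:DescribeGlobalClusters redshift:DescribeClusters redshift:DescribeTable
redshift:ListDatabases redshift:ListSchemas redshift:ListTables
""".split())

# Constructed sample: a policy that has drifted from the recommended one.
SAMPLE = {"Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
    "glue:*", "dynamodb:Scan", "rds:DescribeDBInstances"]}]}


def allowed_actions(policy):
    """Collect Action entries from Allow statements (string or list form)."""
    actions = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            act = stmt.get("Action", [])
            actions += [act] if isinstance(act, str) else list(act)
    return actions


def policy_drift(policy):
    """Return (extra, wildcards, missing) relative to the recommended list."""
    granted = allowed_actions(policy)
    rec_lc = {r.lower() for r in RECOMMENDED}  # IAM action names ignore case
    wildcards = sorted(a for a in granted if "*" in a or "?" in a)
    extra = sorted(a for a in granted
                   if a.lower() not in rec_lc and a not in wildcards)
    missing = sorted(r for r in RECOMMENDED if not any(
        fnmatch.fnmatchcase(r.lower(), g.lower()) for g in granted))
    return extra, wildcards, missing


if __name__ == "__main__":
    print(policy_drift(SAMPLE))
```

Wildcard entries are reported separately because they also match actions AWS adds to the service later, so they cannot be compared against a fixed list.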

Create an AWS IAM Role

  1. Navigate to IAM within AWS and select Roles from the left menu.
  2. Select Create Role.
  3. Choose Custom trust policy.
  4. Enter the Recommended JSON Policy, ensuring you create and substitute an External ID.
Recommended JSON Policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::338780525468:user/dg_app"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "SUBSTITUTEME"
        }
      }
    }
  ]
}

Ensure you create and substitute an External ID for SUBSTITUTEME.

External ID Requirements

The External ID must be a 32+ character string that contains only alphanumeric characters, underscores, plus signs, equal signs, commas, periods, 'at' signs, colons, forward slashes, and hyphens. External IDs that do not meet these requirements will be rejected.

  5. Select Next and choose the policy created in Create an AWS IAM Policy.
  6. Select Next and enter a Role name.
  7. Select Create role.
Important

Please send the ARN of the newly created role to support@datagrail.io. Our support team will work with you to assume the necessary permissions on this role.
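One way to generate an External ID that meets the requirements above, substitute it into the trust policy, and check a trust policy before pasting it into IAM. This is an added example, not DataGrail's code: the function names are hypothetical, and the use of Python's secrets module to produce the value is an assumption about how you choose to generate it.

```python
import json
import re
import secrets

# Charset and 32+ length as stated under "External ID Requirements".
EXTERNAL_ID_RE = re.compile(r"[A-Za-z0-9_+=,.@:/-]{32,}")
DATAGRAIL_PRINCIPAL = "arn:aws:iam::338780525468:user/dg_app"  # from the page


def new_external_id() -> str:
    """Return a random External ID (43 URL-safe chars from 32 random bytes)."""
    return secrets.token_urlsafe(32)


def build_trust_policy(external_id: str) -> dict:
    """Render the page's trust policy with the External ID substituted."""
    if not EXTERNAL_ID_RE.fullmatch(external_id):
        raise ValueError("External ID does not meet the stated requirements")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": DATAGRAIL_PRINCIPAL},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_findings(policy: dict) -> list:
    """List problems in a trust policy before it is pasted into IAM."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if aws == "*":
            findings.append(f"statement {i}: wildcard principal")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif ext == "SUBSTITUTEME":
            findings.append(f"statement {i}: placeholder External ID not replaced")
        elif not isinstance(ext, str) or not EXTERNAL_ID_RE.fullmatch(ext):
            findings.append(f"statement {i}: External ID fails length/charset rule")
    return findings


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(new_external_id()), indent=2))
```

Use the same generated value for the AssumeRole External ID field when connecting to DataGrail, and generate a separate value for each role.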

Connect to DataGrail

  1. In DataGrail, navigate to Integrations and select Configure New Integration to search for Amazon Web Services.
  2. Enable System Detection capabilities.
  3. Enter the AssumeRole ARN and AssumeRole External ID.
  4. Click Save Changes.

Next Steps

Now that you've successfully connected the integration, check out the following resources:

Troubleshooting

If you are unable to successfully connect the integration, review these common troubleshooting steps:

Ensure you have sent the IAM Role ARN to DataGrail Support

For AssumeRole connections, the DataGrail Support Team needs the ARN of the IAM role you created to assume the necessary permissions.

Please send the ARN of the newly created role to support@datagrail.io.

Ensure the External ID is valid

The External ID must be a 32+ character string that contains only alphanumeric characters, underscores, plus signs, equal signs, commas, periods, 'at' signs, colons, forward slashes, and hyphens. External IDs that do not meet these requirements will be rejected.

Ensure there are no other IAM Policies restricting AssumeRole

For AssumeRole configurations, please ensure any existing IAM Policies that restrict AssumeRole are updated to allow DataGrail to assume the newly created IAM Role.

Ensure Required Permissions Are Granted on API Keys/Resources

DataGrail checks required permissions and scopes on API keys/resources used by each integration. If all necessary permissions are not granted, new connections will fail.

Review Required Account Types and User Roles

If users do not have the necessary permissions or the minimum required user role in the connecting system, the connection to DataGrail will fail. Additionally, connections will fail if your account type does not match the one required by the integration.

See Before You Start to review these requirements.

 
