
Set Up Unified AWS Access

Overview

Some Atlas features, including Data Lakes and Encryption at Rest, use AWS IAM roles for authentication. Atlas does not hold long-lived credentials for your AWS account; when it needs to access AWS services it assumes an IAM role in your account (sts:AssumeRole) and works with the temporary credentials that call returns.

You can set up an assumed IAM role for your Atlas account to use with the Atlas API or UI.

Prerequisites

Procedure

1

Send a POST request to the cloudProviderAccess endpoint.

Use the Create a Cloud Provider Access Role API endpoint to register a new AWS cloud provider access role with Atlas. The IAM role itself lives in your AWS account; Atlas assumes it to authenticate to that account.

Keep the returned field values atlasAWSAccountArn (the Atlas-owned AWS account that will assume your role) and atlasAssumedRoleExternalId (the external ID Atlas presents when it assumes the role) handy for use in the next step.

2

Modify your AWS IAM role trust policy.

  1. Log in to your AWS Management Console.

  2. Navigate to the Identity and Access Management (IAM) service.

  3. Select Roles from the left-side navigation.

  4. Click on the existing IAM role you wish to use for Atlas access from the list of roles.

  5. Select the Trust Relationships tab.

  6. Click the Edit trust relationship button.

  7. Edit the Policy Document. Add a new Statement object with the following content to the role's Statement array. Keep any statements that are already there; replacing the whole document would drop every other principal the role trusts.

    Note

    Replace the <atlasAWSAccountArn> and <atlasAssumedRoleExternalId> placeholders with the values returned from the API call in step 1. Do not drop the sts:ExternalId condition: it is what prevents another Atlas tenant that learns your role ARN from having the same Atlas AWS account assume it (the confused-deputy problem).

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "<atlasAWSAccountArn>"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "<atlasAssumedRoleExternalId>"
            }
          }
        }
      ]
    }
    
  8. Click the Update Trust Policy button.

3

Authorize the newly created IAM role.

Use the Authorize One Cloud Provider Access Role API endpoint to authorize and configure the new IAM Assumed Role ARN.

If the API call is successful, it returns an iamAssumedRoleArn value which you can use when configuring Atlas services that use AWS.
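The three API steps above carried out end to end, as an added example that is not code from the Atlas documentation or from MongoDB. It assumes, beyond what this page states, the Atlas Admin API v1.0 paths /groups/{groupId}/cloudProviderAccess (POST, returning roleId alongside the two fields named in step 1) and /groups/{groupId}/cloudProviderAccess/{roleId} (PATCH with iamAssumedRoleArn), HTTP Digest authentication with an Atlas API key pair, and the AWS CLI for the IAM side. It goes a little beyond the page's own steps: it appends the Atlas statement to the role's existing trust policy instead of overwriting it, and audits the merged policy (policy version, wildcard principals, presence of the exact sts:ExternalId condition) before applying it.

```python
# Added example; not code from the Atlas documentation or from MongoDB.
# Assumed (not stated on this page): Atlas Admin API v1.0 paths
#   POST  /groups/{groupId}/cloudProviderAccess          -> roleId, atlasAWSAccountArn, atlasAssumedRoleExternalId
#   PATCH /groups/{groupId}/cloudProviderAccess/{roleId} -> iamAssumedRoleArn
# with HTTP Digest auth (Atlas API key pair), and the AWS CLI for the IAM side.
import json
import subprocess
import urllib.request

ATLAS_BASE = "https://cloud.mongodb.com/api/atlas/v1.0"
POLICY_VERSION = "2012-10-17"  # the only current IAM policy-language version


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def build_trust_statement(atlas_account_arn, external_id):
    """Step 2: allow exactly the Atlas AWS account, and only with the external ID."""
    return {
        "Effect": "Allow",
        "Principal": {"AWS": atlas_account_arn},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }


def add_trust_statement(existing_policy, statement):
    """Append the Atlas statement to a role's existing trust policy (idempotent).
    Appending keeps whatever the role already trusts instead of overwriting it."""
    policy = json.loads(json.dumps(existing_policy or {}))  # deep copy, never mutate input
    policy["Version"] = POLICY_VERSION
    statements = _as_list(policy.get("Statement", []))
    if statement not in statements:
        statements.append(statement)
    policy["Statement"] = statements
    return policy


def audit_trust_policy(policy, atlas_account_arn, external_id):
    """Return the problems a reviewer should block on before step 3 ([] if clean)."""
    problems = []
    if policy.get("Version") != POLICY_VERSION:
        problems.append("Version must be %s" % POLICY_VERSION)
    atlas_seen = False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            problems.append("wildcard principal may assume the role")
        if atlas_account_arn in aws_principals:
            atlas_seen = True
            # Without an exact ExternalId match, any other Atlas tenant that learns
            # this role ARN could have Atlas assume it (confused deputy).
            got = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
            if got != external_id:
                problems.append("Atlas statement lacks sts:ExternalId == %s" % external_id)
    if not atlas_seen:
        problems.append("no statement trusts %s" % atlas_account_arn)
    return problems


def _atlas_call(opener, method, path, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(ATLAS_BASE + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with opener.open(req) as resp:
        return json.load(resp)


def authorize_existing_role(public_key, private_key, group_id, role_name):
    """Steps 1-3 for a role that already exists in your AWS account."""
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, ATLAS_BASE, public_key, private_key)
    opener = urllib.request.build_opener(urllib.request.HTTPDigestAuthHandler(mgr))

    # Step 1: register the access role with Atlas and collect the two values.
    created = _atlas_call(opener, "POST", "/groups/%s/cloudProviderAccess" % group_id,
                          {"providerName": "AWS"})
    atlas_arn, ext_id = created["atlasAWSAccountArn"], created["atlasAssumedRoleExternalId"]

    # Step 2: merge the trust statement into the IAM role, audit it, then apply it.
    role = json.loads(subprocess.check_output(
        ["aws", "iam", "get-role", "--role-name", role_name]))["Role"]
    policy = add_trust_statement(role["AssumeRolePolicyDocument"],
                                 build_trust_statement(atlas_arn, ext_id))
    problems = audit_trust_policy(policy, atlas_arn, ext_id)
    if problems:
        raise RuntimeError("refusing to apply trust policy: " + "; ".join(problems))
    subprocess.check_call(["aws", "iam", "update-assume-role-policy", "--role-name",
                           role_name, "--policy-document", json.dumps(policy)])

    # Step 3: hand Atlas the role ARN; the response carries iamAssumedRoleArn.
    return _atlas_call(opener, "PATCH",
                       "/groups/%s/cloudProviderAccess/%s" % (group_id, created["roleId"]),
                       {"providerName": "AWS", "iamAssumedRoleArn": role["Arn"]})
```

Call authorize_existing_role(public_key, private_key, group_id, role_name) with an Atlas API key that has project owner rights and an AWS CLI profile allowed to call iam:GetRole and iam:UpdateAssumeRolePolicy on the role. The audit refuses to apply a policy that leaves the role assumable by a wildcard principal or by the Atlas account without the external ID, which is the failure mode the trust-policy note above warns about.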

Begin the Setup Procedure for AWS IAM Access

  1. Expand the Options menu next to your project name in the Atlas UI upper left corner. Select Integrations.

  2. Click the Configure button in the AWS IAM Role Access panel.

    Note: if you already have one or more roles configured, the button reads Edit.

  3. Click the Authorize an AWS IAM Role button.

  4. Read through the Overview instructions, then click Next.

  5. If you’d like to create a new AWS IAM role for use with Atlas, use the Create New Role with the AWS CLI procedure. If you have an existing AWS IAM role you want to authorize for Atlas, use the Add Trust Relationships to an Existing Role procedure.

Create New Role with the AWS CLI

  1. Click Create New Role with the AWS CLI to expand the next section.
  2. Copy the JSON text and save it to a file named role-trust-policy.json.
  3. Enter a name for your new AWS IAM role in the text box.
  4. If you don’t already have the AWS Command Line Interface (CLI) installed, see the documentation. If you do have the AWS CLI installed, proceed to the next step.
  5. Copy the CLI command and enter it at the command prompt.
  6. If successful, the CLI command returns a JSON document with information about the newly created AWS IAM role. Locate the field named Arn and copy it into the text box labelled Enter the Role ARN in the Atlas modal window.
  7. Click Validate and Finish.

Add Trust Relationships to an Existing Role

  1. Click Add Trust Relationships to an Existing Role to expand the next section.
  2. Copy the JSON trust relationship text.
  3. In your AWS web console, navigate to the Roles section of the IAM dashboard.
  4. Click on the role you want to authorize.
  5. Select the Trust relationships tab.
  6. Click the Edit trust relationship button.
  7. Replace the existing text with the JSON text you copied in step 2. If the role is already trusted by other principals, keep their statements and add the copied statement to the existing Statement array instead; replacing the whole document removes their access to the role.
  8. Click Update Trust Policy.
  9. Copy the Role ARN and paste it in the Atlas modal window, in the text box labelled Enter the Role ARN.
  10. Click Validate and Finish.

Resume an Authorization Procedure

If you cancel a procedure to authorize an AWS IAM role for use with Atlas, you can resume it where you left off.

  1. Expand the Options menu next to your project name in the Atlas UI upper left corner. Select Integrations.

  2. Click the Configure button in the AWS IAM Role Access panel.

    Note: if you already have one or more roles configured, the button reads Edit.

  3. Any roles with an ongoing authorization procedure are listed with an in progress status. Click the Resume button to resume the authorization process.

To cancel an in-progress role authorization completely, click the Delete icon next to the in-progress role.

Deauthorize an Assumed IAM Role

You can deauthorize an existing AWS IAM role from your Atlas account with the Atlas API or the Atlas UI.

Note

Be sure to remove any associated Atlas services from the IAM role before you deauthorize it. Deauthorizing only removes the role from Atlas; it does not change the role's trust policy in AWS. Once the role is no longer needed by Atlas, also delete the Atlas statement from the trust policy in IAM (or delete the role), otherwise the Atlas account remains trusted to assume it.

Using the API, send a DELETE request for the role to the cloud provider access endpoint described in the API documentation.

Using the UI:

  1. Expand the Options menu next to your project name in the Atlas UI upper left corner. Select Integrations.
  2. Click the Edit button in the AWS IAM Role Access panel.
  3. Click the Delete button next to the IAM role you want to deauthorize.