Prepare S3 file system for Edge

Before you integrate an S3 file system via Edge, you need to prepare Amazon S3 by creating the required roles and permissions.
Two types of authentication are available for Amazon S3: IAM or EC2. The preparations in S3 depend on the authentication type you want to use.

  • IAM is the most common authentication type for Edge.
  • EC2 is used to connect to an AWS EC2 instance that is configured with role-based authentication.

Each authentication type has different requirements:

Steps

  1. Create a programmatic user.
    Collibra needs programmatic access to Amazon S3 and AWS Glue. This is done by creating a user with the following permissions:
    • AWS managed policy: AWSGlueServiceRole.

      Note If you don't want to use this out-of-the-box AWS managed policy, go to the Support portal to learn about the required permissions.

    • inline policy: pass_role with the following specific JSON content.
    Note 

    If your Glue database is KMS encrypted, also give the permission kms:Decrypt.

    For more information about creating a user with programmatic access, go to the IAM documentation.

  2. Create an IAM role.
    When you create the capability for the AWS connection in Collibra, you need to add an IAM role. The AWS Glue crawlers need this role to run their operation. The pass_role permission policy of the programmatic user is used to assign this role to the crawler. The IAM role needs the following parameters:
    • Trusted entities: glue.amazonaws.com
    • Policies:
      • AWS managed policy: AWSGlueServiceRole

        Note If you don't want to use this out-of-the-box AWS managed policy, go to the Support portal to learn about the required permissions.

      • AWS managed policy: AmazonS3ReadOnlyAccess, required only when you want to access a private S3 bucket.
    Note 

    If your Glue database is KMS encrypted, also give the permission kms:Decrypt.

  3. If you have enabled Data Lake Formation, complete additional steps.
Important 
  • You can provide more restrictive permissions to the IAM role, if dictated by your security requirements. Your AWS subject matter expert can create the appropriate permission set using the steps in the IAM documentation. We recommend that you test a crawler with an IAM role that has these permissions in the AWS console, to ensure that it is successful before you use the IAM role in Collibra.

  • The S3 credentials are stored on the Edge site and not in the Collibra repository.

Note EC2 has been validated only for bundled K3S installations of Edge.

If you use an AWS EC2 instance that is configured with role-based authentication, you can connect to Amazon S3 without an access key ID and secret access key. Use the following steps to configure role-based Amazon S3 access control.

Prerequisites

  • You have access to the AWS IAM console.
  • You have access to the Amazon EC2 console.
  • You have an Amazon EC2 instance.

Steps

  1. Go to AWS Identity and Access Management.
  2. Create an IAM role.

    When you create the capability for the AWS connection in Collibra, you will need to add an IAM role. The AWS Glue crawlers need this role to run their operation. The pass_role permission policy of the programmatic user is used to assign this role to the crawler. The IAM role needs the following parameters:

    • Trusted entities: glue.amazonaws.com
    • Policies:
      • AWS managed policy: AWSGlueServiceRole
      • AWS managed policy: AmazonS3ReadOnlyAccess, required only when you want to access a private S3 bucket
      • pass_role (inline policy)
    Note 

    If your Glue database is KMS encrypted, also give the permission kms:Decrypt.

  3. In the Amazon EC2 console, attach the IAM role to the Amazon EC2 instance.
Note 

If the credentials in the Amazon EC2 instance can't be used to authenticate, you can create a credentials file and save it in the user_home/.aws/ folder. The credentials file should look like this:

[default]
aws_access_key_id = <access key ID>
aws_secret_access_key = <secret access key>

For more information, see the AWS developer guide.

Warning Do not use a credentials file unless absolutely necessary.

What's Next?

You can now go to Collibra to register your AWS regions and prepare your Edge site. See steps in Integrate an Amazon S3 file system.

More information about Amazon Web Services (AWS)

Collibra relies on AWS Glue and AWS Identity and Access Management (IAM) to ingest and synchronize data.

AWS Glue

AWS Glue is an Amazon cloud service to perform extract-transform-load (ETL) processes on data, stored in data sources such as Amazon S3. AWS Glue has the following components:

  • Glue crawlers: Glue crawlers analyze and describe a wide range of data sources such as Amazon S3 or MySQL. However, Data Catalog only uses them for the Amazon S3 file system integration.
  • Glue database: Glue crawlers store their results in a database in the form of tables and columns. Both, the tables and columns in the Glue database, contain metadata that describes the content of Amazon S3. Data Catalog reads those databases for data ingestion.
    The name of the created Glue database is collibra_catalog_<S3 File System-ID>_<Domain-ID>.
  • ETL processes: The ETL processes can extract data from a data source, process that data, for example, categorize and clean it, and produce output. This component is currently not used by Data Catalog.

Although you need an AWS account, you don't have to work in AWS Glue directly because Collibra does everything for you. For more information about AWS Glue, go to the AWS Glue documentation.

Note Collibra only uses AWS Glue to ingest data from Amazon S3. All other features, such as crawling other data sources or ETL processes are not integrated.

AWS Identity and Access Management

Collibra uses the AWS Identity and Access Management (IAM) service to manage access to Amazon S3 and AWS Glue. Similar to AWS Glue, you need an AWS account to use the IAM service, but after setting up the required users and roles, you don't have to work directly with IAM. For more information about IAM, go to the IAM documentation.

You need two things in IAM:

  • An AWS programmatic user to access Amazon S3 and AWS Glue, if you use the IAM authentication type.
  • An IAM role for the crawlers.