Data360 Analyze

  • 1.  Analyze connect cross-account to AWS services (other than S3)

    Posted 01-26-2021 06:42

    Hi there, in the release notes for 3.6.3 you mentioned cross-account access for S3 nodes https://support.infogix.com/hc/en-us/articles/360049993214-v3-6-3-LTS-June-2020

    We need to use Glue and Events (two further AWS services, distinct from S3) also proceeding via cross-account authentication, so:

    - what is the nature of the change made in 3.6.3 that enabled S3 cross-account access, is it something that can be replicated to other services?

    - what would be a likely timeline for extending this functionality to glue:GetTables and to events:ListRules?



  • 2.  RE: Analyze connect cross-account to AWS services (other than S3)

    Posted 01-27-2021 03:11

    As I recall it was simply the adding of these fields (see screenshot); however the means by which we currently read other services (see https://support.infogix.com/hc/en-us/community/posts/360050775114) is boto3 rather than for instance a dedicated "GlueGET" node.



  • 3.  RE: Analyze connect cross-account to AWS services (other than S3)

    Posted 01-27-2021 03:34

    Think I've solved this by following advice at https://www.slsmk.com/use-boto3-to-assume-a-role-in-another-aws-account/

    import boto3
    
    # Create session using your current creds
    boto_sts=boto3.client('sts')
    
    # Request to assume the role like this, the ARN is the Role's ARN from 
    # the other account you wish to assume. Not your current ARN.
    stsresponse = boto_sts.assume_role(
        RoleArn="OtherAccountARNGoesHere",
        RoleSessionName='newsession'
    )
    
    # Save the details from assumed role into vars
    newsession_id = stsresponse["Credentials"]["AccessKeyId"]
    newsession_key = stsresponse["Credentials"]["SecretAccessKey"]
    newsession_token = stsresponse["Credentials"]["SessionToken"]
    
    # Use the assumed session vars to create a new boto3 client with the assumed role creds
    # Here I create an s3 client using the assumed creds.
    s3_assumed_client = boto3.client(
        's3',
        region_name='us-east-1',
        aws_access_key_id=newsession_id,
        aws_secret_access_key=newsession_key,
        aws_session_token=newsession_token
    )
    
    # Here I create an s3 resource with the assumed creds
    s3_assumed_resource = boto3.resource(
        's3',
        region_name='us-east-1',
        aws_access_key_id=newsession_id,
        aws_secret_access_key=newsession_key,
        aws_session_token=newsession_token
    )
    
    # Now we can use s3_assumed session for calls using the assumed role.
    # As in this example where I list buckets using the assumed creds
    response = s3_assumed_client.list_buckets()
    
    # Or like this use of the resource to create a bucket object.
    mybucket = s3_assumed_resource.Bucket('OtherAccountBucket')
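
The same assume-role pattern pointed at the two calls the original question asks about, glue:GetTables and events:ListRules, as an added example that is not part of the thread or of Data360 Analyze. The role ARN, database name, session name and the StubAWS class are constructed placeholders; with boto3 installed, pass `boto3.client("sts")` and `boto3.client` in place of the stub.

```python
def assumed_role_kwargs(sts, role_arn, session_name, duration=900):
    """Call sts:AssumeRole and return the temporary credentials as client kwargs."""
    creds = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,  # shows up in the target account's CloudTrail
        DurationSeconds=duration,      # 900 s is the shortest lifetime STS allows
    )["Credentials"]
    return {"aws_access_key_id": creds["AccessKeyId"],
            "aws_secret_access_key": creds["SecretAccessKey"],
            "aws_session_token": creds["SessionToken"]}

def collect(call, result_key, **params):
    """Follow NextToken so a listing longer than one page is not cut short."""
    items, token = [], None
    while True:
        page = call(**params, **({"NextToken": token} if token else {}))
        items.extend(page.get(result_key, []))
        token = page.get("NextToken")
        if not token:
            return items

def list_tables_and_rules(sts, make_client, role_arn, database, region):
    """Return (Glue table names, Events rule names) as seen by the assumed role."""
    creds = assumed_role_kwargs(sts, role_arn, "analyze-cross-account")
    glue = make_client("glue", region_name=region, **creds)
    events = make_client("events", region_name=region, **creds)
    tables = collect(glue.get_tables, "TableList", DatabaseName=database)
    rules = collect(events.list_rules, "Rules")
    return [t["Name"] for t in tables], [r["Name"] for r in rules]

class StubAWS:  # constructed stand-in for the STS, Glue and Events clients (no AWS access)
    def assume_role(self, **params):
        return {"Credentials": {"AccessKeyId": "CONSTRUCTED-ID",
                "SecretAccessKey": "constructed-key", "SessionToken": "constructed-token"}}
    def get_tables(self, DatabaseName, NextToken=None):
        if NextToken is None:  # first page points at a second one
            return {"TableList": [{"Name": "orders"}], "NextToken": "page-2"}
        return {"TableList": [{"Name": "customers"}]}
    def list_rules(self, NextToken=None):
        return {"Rules": [{"Name": "nightly-load"}]}

def demo():
    stub = StubAWS()
    return list_tables_and_rules(stub, lambda service, **kw: stub,
        "arn:aws:iam::111122223333:role/PLACEHOLDER",  # placeholder role ARN
        "constructed_db", "us-east-1")

if __name__ == "__main__":
    print(demo())
```

The role in the other account has to allow glue:GetTables and events:ListRules in its permissions policy and name the calling principal in its trust policy, otherwise the calls fail with an access-denied error.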


  • 4.  RE: Analyze connect cross-account to AWS services (other than S3)

    Employee
    Posted 01-28-2021 02:07

    We are glad you managed to find a solution.

    The S3 nodes are Java-based rather than using the Python boto3 module. The changes made to the nodes were to allow them to leverage the capabilities of the AWS SDK described here:

    https://docs.aws.amazon.com/AmazonS3/latest/dev/AuthUsingTempSessionTokenJava.html