Assume Another Role

When using instance profile or AWS access keys authentication, you can configure the Amazon stage to assume another IAM role.

For example, if the instance profile or the IAM user permissions do not grant access to write to Amazon S3 resources, you can configure the Amazon S3 destination to assume another role that does grant write access.

When an Amazon stage assumes a role, it temporarily gives up the instance profile or IAM user permissions and uses the permissions assigned to the assumed role. To assume a role, the stage calls the AWS STS AssumeRole API operation and passes the role to use. The operation creates a new session with the temporary credentials, as long as the following conditions are true:

  • The IAM policy attached to the current principal (the IAM role or user) grants permission to assume the specified role.
  • The IAM trust policy attached to the role to be assumed permits the current principal to assume it.

You can configure an Amazon stage to assume a role in the following ways:

Assume a role with no restrictions

When configured to assume a role with no restrictions, any StreamSets user account that starts the pipeline can assume the role specified in the Amazon stage, as long as the IAM policies attached to the current principal and to the role to be assumed allow it.

For example, any Control Hub user who starts the job for the pipeline can assume the finance role when the IAM trust policy attached to the finance role allows the role to be assumed by the IAM role or user identified by the selected authentication method.

Assume a role using session tags to restrict role access

For increased security, you can configure a stage to assume a role and set session tags to restrict the Data Collector or Control Hub user accounts allowed to assume the role. When configured to set session tags, the stage passes the following session tag to the AWS STS AssumeRole API operation:

streamsets/principal=<user>

Where <user> is the name of the currently logged-in Data Collector or Transformer user that starts the pipeline, or the Control Hub user that starts the job for the pipeline.

AWS IAM verifies that the user account set in the session tag can assume the specified role. The IAM trust policy attached to the role to be assumed must grant the current principal permission to assume the role, and must use IAM condition keys to restrict the AssumeRole action based on the requested session tags.

For example, when the Control Hub user Joe starts the job for the pipeline, he can assume the finance role when the IAM trust policy attached to the finance role allows the user joe to assume the role. The Control Hub user Emily cannot assume the finance role because the trust policy attached to the finance role does not allow the user emily to assume the role.
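The Joe and Emily example above, worked through as an added illustration (not StreamSets code or documentation): a constructed trust policy for the finance role that allows the StreamSets principal to assume it only when the request carries the session tag streamsets/principal=joe, plus a deliberately simplified evaluator for that policy. The account id and principal ARN are placeholders, and the evaluator models only Allow statements, an "AWS" principal and StringEquals conditions on aws:RequestTag keys.

```python
import json

# Constructed example: trust policy for the "finance" role described above.
# Account id and the StreamSets principal ARN are placeholders, not real values.
STREAMSETS_PRINCIPAL = "arn:aws:iam::111122223333:role/streamsets-instance-role"
FINANCE_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/streamsets-instance-role"},
    "Action": ["sts:AssumeRole", "sts:TagSession"],
    "Condition": {
      "StringEquals": {"aws:RequestTag/streamsets/principal": ["joe"]}
    }
  }]
}
""")

TAG_PREFIX = "aws:RequestTag/"


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def trust_policy_allows(policy, principal_arn, session_tags):
    """Simplified trust-policy check (assumption: only Allow statements, an
    "AWS" principal and StringEquals on aws:RequestTag/* are modelled).
    Returns True if principal_arn may call AssumeRole with session_tags."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if principal_arn not in _as_list(stmt["Principal"].get("AWS", [])):
            continue
        actions = _as_list(stmt["Action"])
        # Passing session tags needs sts:TagSession in addition to sts:AssumeRole.
        if "sts:AssumeRole" not in actions:
            continue
        if session_tags and "sts:TagSession" not in actions:
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        # A StringEquals condition on a tag the request does not carry is unmet.
        if all(session_tags.get(key[len(TAG_PREFIX):]) in _as_list(allowed)
               for key, allowed in conditions.items() if key.startswith(TAG_PREFIX)):
            return True
    return False


# Joe's job run passes streamsets/principal=joe; Emily's passes emily.
print(trust_policy_allows(FINANCE_TRUST_POLICY, STREAMSETS_PRINCIPAL, {"streamsets/principal": "joe"}))
print(trust_policy_allows(FINANCE_TRUST_POLICY, STREAMSETS_PRINCIPAL, {"streamsets/principal": "emily"}))
```

Real IAM evaluation also applies the identity policy on the calling principal, Deny statements and other condition operators, which this checker leaves out.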

To configure an Amazon stage to assume a role, you first must create the trust policy in AWS that allows the role to be assumed. Then, you configure the required stage properties in Data Collector or Control Hub.