I have Dremio installed on ec2 in one AWS Account. I would like to connect to a Glue Catalog Data Source in another AWS Account. I’ve gone through the configuration of allowing access to that glue catalog. I don’t see a way to configure the Account ID for the Glue Catalog in this data source connector. Is this possible or is there another suggested approach?
Welcome to Dremio Community, @jcliche!
This needs to be done outside of Dremio via AWS IAM policies/roles (i.e. for cross account access). The high level steps are:
1. Say there are two AWS accounts: `acct_abc` (where Dremio is hosted) and `acct_xyz` (where Glue/S3 is).
2. In `acct_abc`, get the ARN for the IAM role that is attached to the Dremio EC2 nodes. Let's say it is `arn:aws:iam::acct_abc:role/DremioNodeRole`.
3. Head over to `acct_xyz` and create IAM policies that give access to Glue and S3. Refer to the sample policies in the Dremio Docs: one policy for Glue, and another policy for S3.
4. In `acct_xyz`, create an IAM role and attach the two IAM policies created above. Make note of the ARN for this IAM role. Let's say it is `arn:aws:iam::acct_xyz:role/DremioGlueS3Role`.
5. In this role, add a Trust Relationship which contains the following. Modify to the ARN you obtained in step 2.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com",
        "AWS": "arn:aws:iam::acct_abc:role/DremioNodeRole"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

6. Switch to `acct_abc` and add the following to the Trust Relationship of IAM Role `arn:aws:iam::acct_abc:role/DremioNodeRole`. Modify to the ARN you obtained in step 4.

```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::acct_xyz:role/DremioGlueS3Role"
  }
}
```

7. In Dremio, add a Glue Source with "EC2 Metadata", and use `arn:aws:iam::acct_xyz:role/DremioGlueS3Role` in the "IAM Role to Assume" section.
You should now have cross-account Glue access.
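As an added consistency check (example code written for this thread, not from Dremio or the poster above): a small Python linter that takes the two documents from steps 5 and 6, confirms that the target role's trust policy names the node role as a principal and that the document on the node role permits `sts:AssumeRole` on the target role, and flags a wildcard `"*"` principal. The account IDs and role names are the placeholders used above, and the sample documents are constructed copies of the two shown in the steps.

```python
import json

# Constructed sample documents mirroring the two policies in the steps above;
# "acct_abc" / "acct_xyz" stand in for the real 12-digit account IDs.
NODE_ROLE = "arn:aws:iam::acct_abc:role/DremioNodeRole"
TARGET_ROLE = "arn:aws:iam::acct_xyz:role/DremioGlueS3Role"

TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": "sts:AssumeRole",
  "Principal": {"Service": "ec2.amazonaws.com",
                "AWS": "arn:aws:iam::acct_abc:role/DremioNodeRole"}}]}""")

ASSUME_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": {
  "Effect": "Allow", "Action": "sts:AssumeRole",
  "Resource": "arn:aws:iam::acct_xyz:role/DremioGlueS3Role"}}""")


def as_list(value):
    """IAM accepts a scalar or a list for Statement, Action, Resource and Principal."""
    return [] if value is None else value if isinstance(value, list) else [value]


def aws_principals(principal):
    """Normalise the Principal element to the list of AWS (non-service) principals."""
    if isinstance(principal, dict):
        return as_list(principal.get("AWS"))
    return as_list(principal)  # bare "*" form


def check_cross_account_chain(trust_policy, assume_policy, node_role, target_role):
    """Return findings for the two-sided chain; an empty list means it is consistent.
    trust_policy : trust relationship on the target role (account holding Glue/S3)
    assume_policy: document attached to the EC2 node role (account running Dremio)"""
    findings, trusted, permitted = [], False, False
    for st in as_list(trust_policy.get("Statement")):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(st.get("Action")):
            continue
        principals = aws_principals(st.get("Principal"))
        if "*" in principals:  # any AWS principal could assume the role
            findings.append("trust policy allows any AWS principal ('*') to assume the role")
        trusted = trusted or node_role in principals
    if not trusted:
        findings.append(f"trust policy does not list {node_role} as a principal")
    for st in as_list(assume_policy.get("Statement")):
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in as_list(st.get("Action")):
            permitted = permitted or target_role in as_list(st.get("Resource"))
    if not permitted:
        findings.append(f"node role is not allowed sts:AssumeRole on {target_role}")
    return findings
```

Run it against the JSON you actually saved in both consoles (for example, after fetching the documents with the AWS CLI) before testing the source in Dremio; an empty result means both halves of the chain agree.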