
How to get AWS Glue crawler to assume a role in another AWS account to get data from that account's S3 bucket?

There are some CSV data files I need to get from S3 buckets belonging to a series of AWS accounts owned by a third party. The owner of the other accounts has created a role in each of the accounts which grants me access to those files, and I can use the AWS web console (logged in to my own account) to switch to each role and get the files. One at a time, I switch to the role for each of the accounts and then get the files for that account, then move on to the next account and get those files, and so on.

I'd like to automate this process.

It looks like AWS Glue can do this, but I'm having trouble with the permissions.

What I need it to do is create permissions so that an AWS Glue crawler can switch to the right role (belonging to each of the other AWS accounts) and get the data files from the S3 bucket of those accounts.

Is this possible and if so how can I set it up? (e.g. what IAM roles/permissions are needed?) I'd prefer to limit changes to my own account if possible rather than having to ask the other account owner to make changes on their side.

If it's not possible with Glue, is there some other easy way to do it with a different AWS service?

Thanks!

(I've had a series of tries but I keep getting it wrong - my attempts are so far from being right that there's no point in me posting the details here).

Asked by A E, Dec 24 '17 16:12


1 Answer

Using the AWS CLI, you can create named profiles for each of the roles you want to switch to, then refer to them from the CLI. You can then chain these calls, referencing the named profile for each role, and include them in a script to automate the process.

From Switching to an IAM Role (AWS Command Line Interface):

A role specifies a set of permissions that you can use to access AWS resources that you need. In that sense, it is similar to a user in AWS Identity and Access Management (IAM). When you sign in as a user, you get a specific set of permissions. However, you don't sign in to a role, but once signed in as a user you can switch to a role. This temporarily sets aside your original user permissions and instead gives you the permissions assigned to the role. The role can be in your own account or any other AWS account. For more information about roles, their benefits, and how to create and configure them, see IAM Roles, and Creating IAM Roles.

Answered by Rodrigo Murillo, Nov 01 '22 23:11
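The following script is an added example of the approach the answer describes; it is not code from the answerer or from AWS. It assumes the third-party accounts all expose a role with the same name (constructed values: account IDs 111111111111 and 222222222222, role ThirdPartyReadRole, buckets named bucket-for-ACCOUNT), and that your own account's credentials live in the AWS CLI profile named default. It writes one named profile per account, where role_arn points at the third-party role and source_profile names your own credentials, then loops over the profiles and syncs only the CSV objects. Because the "Switch Role" button in the console is itself an sts:AssumeRole call, the roles' trust policies already permit your user; the only thing your own side needs is an identity policy allowing sts:AssumeRole on those role ARNs, which the assume_role_policy function emits.

```shell
#!/bin/sh
# Added example (not from the original post): AWS CLI named profiles that assume a
# cross-account role per third-party account, then pull that account's CSV files.
set -eu

# Constructed sample values; replace with the real account IDs, role name and buckets.
ACCOUNTS="111111111111 222222222222"
ROLE_NAME="ThirdPartyReadRole"   # assumption: the same role name exists in every account
SOURCE_PROFILE="default"         # profile holding your own account's credentials

# Name of the CLI profile for a given account (used for both writing and reading).
profile_name() { printf 'acct-%s' "$1"; }

# One ~/.aws/config section: the CLI assumes role_arn using source_profile's
# credentials, so nothing has to change in the third-party accounts.
profile_block() {
  printf '[profile %s]\nrole_arn = arn:aws:iam::%s:role/%s\nsource_profile = %s\n' \
    "$(profile_name "$1")" "$1" "$ROLE_NAME" "$SOURCE_PROFILE"
}

# Identity policy to attach to your own IAM user: the single permission your account
# needs. The third-party trust policies already allow you, since console switching works.
assume_role_policy() {
  arns=""
  for acct in $ACCOUNTS; do
    arns="${arns}${arns:+, }\"arn:aws:iam::${acct}:role/${ROLE_NAME}\""
  done
  printf '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": [%s]}]}\n' "$arns"
}

# Write every profile section to the given config file (pass a temp path to test
# without touching ~/.aws/config).
write_config() {
  out="$1"
  : > "$out"
  for acct in $ACCOUNTS; do
    profile_block "$acct" >> "$out"
    printf '\n' >> "$out"
  done
}

# Mirror the manual workflow: per account, switch role (via --profile) and download
# only the CSV objects into a per-account directory.
fetch_all() {
  dest="$1"
  for acct in $ACCOUNTS; do
    aws s3 sync "s3://bucket-for-${acct}/" "${dest}/${acct}/" \
      --profile "$(profile_name "$acct")" --exclude '*' --include '*.csv'
  done
}

# Run the real download only when asked explicitly: ./script.sh fetch ./downloads
if [ "${1:-}" = "fetch" ]; then
  write_config "${AWS_CONFIG_FILE:-$HOME/.aws/config}"
  fetch_all "${2:-./downloads}"
fi
```

Each `aws s3 sync` call obtains short-lived credentials for its role via STS and drops them afterwards, so the accounts stay isolated from one another exactly as in the console, and revoking access is a matter of the third party removing the role's trust for your user.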