Prerequisites

Before you create an Amazon SageMaker Lakehouse connection, you need to create IAM policies with the minimum required permissions to interact with Apache Iceberg tables managed by AWS Glue Catalog or S3 table catalog.

To use EC2 role to assume role authentication for Amazon S3, you need to configure the EC2 role to assume another IAM role specified by the IAM Role ARN.

Create minimal IAM policies

You need to create IAM policies with the minimum required permissions to interact with Apache Iceberg tables managed by AWS Glue Catalog or S3 table catalog. For more information on configuring these policies, refer to the AWS documentation.

Minimum policy for Amazon Athena

The following sample policy shows the minimal Amazon IAM policy to access Amazon Athena:

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"athena:CreatePreparedStatement",
"athena:GetPreparedStatement",
"athena:GetWorkGroup",
"athena:GetTableMetadata",
"athena:StartQueryExecution",
"athena:GetQueryResultsStream",
"athena:ListDatabases",
"athena:GetQueryExecution",
"athena:GetQueryResults",
"athena:GetDatabase",
"athena:ListTableMetadata",
"athena:GetDataCatalog",
"athena:DeletePreparedStatement"
],
"Resource": [
"arn:aws:athena:*:*:workgroup/*",
"arn:aws:athena:*:*:datacatalog/*"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"athena:ListDataCatalogs",
"athena:GetQueryExecution",
"athena:ListWorkGroups",
"athena:GetPreparedStatement"
],
"Resource": "*"
}
]
}

Minimum policy for AWS Glue

The following sample policy shows the minimal Amazon IAM policy to access AWS Glue Catalog:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"glue:*"
],
"Resource": [
"*"
]
}
]
}

Minimum policy for Amazon S3

The following sample policy shows the minimal Amazon IAM policy to read from or write data to an Amazon S3 bucket:

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
"s3:DeleteObject"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListAllMyBuckets",
"s3:GetBucketAcl"
],
"Resource": [
"*"
]
}
]
}

Minimum policy for S3 tables

The following sample policy shows the minimal Amazon IAM policy to read from or write data to S3 tables:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::001234567890:role/S3TableSparkrole"
},
{
"Effect": "Allow",
"Action": [
"s3tables:CreateTable",
"s3tables:GetTable",
"s3tables:ListTables",
"s3tables:DeleteTable",
"s3tables:GetTableMetadataLocation",
"s3tables:GetTableData",
"s3tables:PutTableData",
"s3tables:UpdateTableMetadataLocation"
],
"Resource": [
"arn:aws:s3tables:us-east-1:001234567890:bucket/sagemaker-s3tables",
"arn:aws:s3tables:us-east-1:001234567890:bucket/sagemaker-s3tables/*",
"arn:aws:s3tables:us-east-1:001234567890:bucket/sagemaker-s3tables/table/*"
]
}
]
}

Minimum policy for AWS Lake Formation

The following sample policy shows the minimal Amazon IAM policy to access AWS Lake Formation:

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "lakeformation:*",
"Resource": "*"
}
]
}

Configure EC2 role to assume role

You can configure an EC2 role to assume an IAM role and generate temporary security credentials to connect to Amazon S3 from the same or different AWS accounts.

When you configure an EC2 role to assume an IAM role, ensure that you have the sts:AssumeRole permission and a trust relationship established within the AWS accounts to use temporary security credentials. The trust relationship is defined in the trust policy of the IAM role when you create the role. The IAM role adds the EC2 role as a trusted entity allowing the EC2 role to use the temporary security credentials and access the AWS accounts.

When the trusted EC2 role requests for the temporary security credentials, the AWS Security Token Service (AWS STS) dynamically generates the temporary security credentials that are valid for a specified period and provides the credentials to the trusted EC2 role.

Before you use the EC2 Role to Assume Role authentication, consider the following prerequisites:

•Install the Secure Agent on the AWS EC2 instance.

•The EC2 role attached to the AWS EC2 instance must have permissions to assume another IAM role.

The following is a sample permission policy of EC2 role that is attached to the AWS EC2 instance:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::001234567890:role/sagemaker_rolearn"
}
]
}

Resource value must include the ARN of IAM role that the EC2 role needs to assume.

•The IAM role that the EC2 role needs to assume must have a permission policy and a trust policy attached to access AWS Glue Catalog, Amazon Athena, and Amazon S3.

You can also specify the external ID of your AWS account for a more secure access. The external ID must be a string.

The following sample shows the assumed IAM role's trust policy with the external ID:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::001234567890:root" //anyone in the account 001234567890 can assume this role, this can also be limited to one role.
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "aws_externalid"
}
}
}
]
}