From cf70d82c77d31447c28e78fee98bf071f9e295a5 Mon Sep 17 00:00:00 2001
From: Trianz-Akshay <108925344+Trianz-Akshay@users.noreply.github.com>
Date: Mon, 3 Jun 2024 18:51:49 +0530
Subject: [PATCH] custom role implementation in athena-oracle connector (#2006)
---
 athena-oracle/athena-oracle.yaml | 89 ++++++++++++++++++++++----------
 1 file changed, 63 insertions(+), 26 deletions(-)
diff --git a/athena-oracle/athena-oracle.yaml b/athena-oracle/athena-oracle.yaml
index b3abe7d8e6..2e097ac8a4 100644
--- a/athena-oracle/athena-oracle.yaml
+++ b/athena-oracle/athena-oracle.yaml
@@ -45,6 +45,10 @@ Parameters: Description: 'Lambda memory in MB (min 128 - 3008 max).' Default: 3008 Type: Number + LambdaRoleARN: Description: "(Optional) A custom role to be used by the Connector lambda" Type: String + Default: "" DisableSpillEncryption: Description: 'If set to ''false'' data spilled to S3 is encrypted with AES GCM' Default: 'false'
@@ -63,6 +67,7 @@ Parameters: Type: String Conditions: HasPermissionsBoundary: !Not [ !Equals [ !Ref PermissionsBoundaryARN, "" ] ] + NotHasLambdaRole: !Equals [!Ref LambdaRoleARN, ""] HasSecurityGroups: !Not [ !Equals [ !Join ["", !Ref SecurityGroupIds], "" ] ] HasSubnets: !Not [ !Equals [ !Join ["", !Ref SubnetIds], "" ] ] Resources:
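Review bot: The new `LambdaRoleARN` parameter accepts any string and its description does not say what the supplied role must be able to do, so a custom role missing a permission is only discovered when the function runs; this applies to the four lines added in the Parameters hunk. The template's own role, built later in this patch, grants `secretsmanager:GetSecretValue` on the secret prefix, CloudWatch Logs, `athena:GetQueryExecution`, `s3:ListAllMyBuckets`, read/write on `SpillBucket` and the VPC execution managed policy, and a user-supplied role is used verbatim by the function's `Role:` property, so the description should name that set as the minimum and state that `PermissionsBoundaryARN` cannot be applied to a role the template did not create, e.g. `Description: "(Optional) ARN of an existing IAM role for the connector Lambda; when set, FunctionRole is not created and PermissionsBoundaryARN is not applied. The role must allow Secrets Manager read on the secret prefix, CloudWatch Logs, athena:GetQueryExecution, s3:ListAllMyBuckets, read/write on SpillBucket and VPC network-interface management."`. An `AllowedPattern: '^(arn:[^:]+:iam::[0-9]{12}:role/.+)?$'` (constructed example) would reject a malformed value at stack validation instead of at function creation.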
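Review bot: `NotHasLambdaRole` in the Conditions hunk breaks the convention of its three siblings, which are all positive `Has…` names written with spaces inside the brackets, and the negated name makes every consumer read a double negative (`!If [NotHasLambdaRole, …]`, `Condition: NotHasLambdaRole`). A positive condition reads naturally alongside its neighbours, `HasLambdaRole: !Not [ !Equals [ !Ref LambdaRoleARN, "" ] ]`, with the `Role:` branches and the two `Condition:` uses in the Resources hunk flipped to match.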
@@ -84,39 +89,71 @@ Resources: Timeout: !Ref LambdaTimeout MemorySize: !Ref LambdaMemory PermissionsBoundary: !If [ HasPermissionsBoundary, !Ref PermissionsBoundaryARN, !Ref "AWS::NoValue" ] - Policies: - - Statement: - - Action: - - secretsmanager:GetSecretValue - Effect: Allow - Resource: !Sub 'arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:${SecretNamePrefix}*' - Version: '2012-10-17' - - Statement: - - Action: - - logs:CreateLogGroup - Effect: Allow - Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*' - Version: '2012-10-17' - - Statement: + Role: !If [NotHasLambdaRole, !GetAtt FunctionRole.Arn, !Ref LambdaRoleARN] + VpcConfig: + SecurityGroupIds: !If [ HasSecurityGroups, !Ref SecurityGroupIds, !Ref "AWS::NoValue" ] + SubnetIds: !If [ HasSubnets, !Ref SubnetIds, !Ref "AWS::NoValue" ] + + FunctionRole: + Condition: NotHasLambdaRole + Type: AWS::IAM::Role + Properties: + ManagedPolicyArns: + - "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" + AssumeRolePolicyDocument: + Version: 2012-10-17 + Statement: + - Effect: Allow + Principal: + Service: + - lambda.amazonaws.com + Action: + - "sts:AssumeRole" + FunctionExecutionPolicy: + Condition: NotHasLambdaRole + Type: "AWS::IAM::Policy" + Properties: + Roles: + - !Ref FunctionRole + PolicyName: FunctionExecutionPolicy + PolicyDocument: + Version: 2012-10-17 + Statement: + - Action: + - secretsmanager:GetSecretValue + Effect: Allow + Resource: !Sub 'arn:${AWS::Partition}:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:${SecretNamePrefix}*' + - Action: + - logs:CreateLogGroup + Effect: Allow + Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:*' - Action: - logs:CreateLogStream - logs:PutLogEvents Effect: Allow Resource: !Sub 'arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/${LambdaFunctionName}:*' - Version: '2012-10-17' - - Statement: - Action: - athena:GetQueryExecution - 
s3:ListAllMyBuckets Effect: Allow Resource: '*' - Version: '2012-10-17' - #S3CrudPolicy allows our connector to spill large responses to S3. You can optionally replace this pre-made policy - #with one that is more restrictive and can only 'put' but not read,delete, or overwrite files. - - S3CrudPolicy: - BucketName: !Ref SpillBucket - #VPCAccessPolicy allows our connector to run in a VPC so that it can access your data source. - - VPCAccessPolicy: {} - VpcConfig: - SecurityGroupIds: !If [ HasSecurityGroups, !Ref SecurityGroupIds, !Ref "AWS::NoValue" ] - SubnetIds: !If [ HasSubnets, !Ref SubnetIds, !Ref "AWS::NoValue" ] \ No newline at end of file + - Action: + - s3:GetObject + - s3:ListBucket + - s3:GetBucketLocation + - s3:GetObjectVersion + - s3:PutObject + - s3:PutObjectAcl + - s3:GetLifecycleConfiguration + - s3:PutLifecycleConfiguration + - s3:DeleteObject + Effect: Allow + Resource: + - Fn::Sub: + - arn:${AWS::Partition}:s3:::${bucketName} + - bucketName: + Ref: SpillBucket + - Fn::Sub: + - arn:${AWS::Partition}:s3:::${bucketName}/* + - bucketName: + Ref: SpillBucket \ No newline at end of file
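Review bot: `FunctionRole` is created without a `PermissionsBoundary`, and because the function now sets an explicit `Role:`, the `PermissionsBoundary: !If [ HasPermissionsBoundary, … ]` property left on the function appears to become a no-op — SAM documents that property as applying only to the role it generates itself — so `PermissionsBoundaryARN` would silently stop being enforced on the default role. Add `PermissionsBoundary: !If [ HasPermissionsBoundary, !Ref PermissionsBoundaryARN, !Ref "AWS::NoValue" ]` under the role's `Properties`. In the same block the managed policy ARN is hard-coded as `arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole` while every other ARN in this template is built with `${AWS::Partition}`, which would fail in non-default partitions; use `- !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"`. The removed `#S3CrudPolicy` comment, which told operators the spill-bucket grant can be narrowed to put-only, is worth restoring above the new `s3:` statement since that statement still includes `s3:DeleteObject` and `s3:PutObjectAcl`, and the two unquoted `Version: 2012-10-17` values are safer written as `'2012-10-17'` like the lines they replace, because an unquoted value of that shape is a YAML date for some parsers. The Lambda function resource this hunk modifies begins before the hunk.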