Cloud settings for AWS #

Cross account IAM roles #

AWS cross account IAM role usage is more secure than using access keys, and is often the only allowed method to authenticate to data sources.

In Starburst Galaxy, you can use an AWS cross account IAM role to configure access to data in S3 and the metadata in Amazon Glue in your S3 catalogs. This means you can define a cross account IAM role once, and then use it in multiple catalogs.

Use the following steps to configure a cross account IAM role:

1. Configure a cross account IAM role in your AWS console, and take note of the ARN in the summary section. Alternatively request the ARN from your network administrator.

2. Navigate to the Account section of the left-side menu in Starburst Galaxy.

3. Expand the Cloud Settings menu, and select AWS.

4. In the Cross account IAM roles pane, click Configure IAM role.

    

5. Provide a Starburst Galaxy-internal name for the IAM role in the Cross account IAM role alias field. This value displays in the list of cross account IAM roles as well as in the selection dialog in the catalog configuration.

6. Input the ARN in the AWS IAM ARN field.

7. Click Validate cross account IAM role.

    

8. The new cross account IAM role is now configured in your account.

    

9. Click Close. Your new role is now listed in the Cross account IAM roles list.

SSH tunnels #

Securely connect to private data sources using an SSH tunnel through a bastion host.

Learn how to set up an SSH tunnel.

AWS PrivateLink #

Starburst Galaxy supports AWS PrivateLink for some catalogs. For a general overview of Starburst Galaxy’s support for AWS PrivateLink, see AWS PrivateLink.

Use the following steps in your AWS account to configure PrivateLink. Create the following in the AWS console:

• Cloud settings for AWS
  • Cross account IAM roles
  • SSH tunnels
  • AWS PrivateLink
    • Create a target group
    • Create a load balancer
    • Create an endpoint service

Create a target group #

1. In the navigation menu, go to the EC2 Console.

2. In the navigation menu or in the search box at the top of the page, select Target Groups. Click Create target group.

3. In the Choose a target type section, choose IP addresses.

    

4. In the Target group name field, name your target group.

5. Enter the Protocol and Port of the catalog you are connecting.

6. For IP address type, choose the IPv4 option.

7. From the drop-down menu, select the VPC where your catalog is located.

8. Click Next.

9. In the IPv4 address field, enter the IP address of your catalog.

10. Click Include as pending below. In the Review targets section, your target group now appears as Pending.

11. Click Create target group.

Create a load balancer #

1. In the navigation menu, go to the EC2 Console.

2. In the navigation menu or in the search box at the top of the page, select Load Balancers. Click Create load balancer.

3. In the Load balancer types section, click Create under Network Load Balancer.

×

1. In the Load balancer name field, name your load balancer.

2. For Scheme, select Internal.

3. For IP address type, choose the IPv4 option.

4. From the drop-down menu in the Network mapping section, select the VPC where your AWS data source is located.

5. Select the same availability zone as the data source you are connecting.

6. In the Listeners and routing section, enter the Protocol and Port of the catalog you are connecting.

7. In the Default action drop-down menu, select the target group you just created.

8. Click Create load balancer.

Create an endpoint service #

1. In the navigation menu, go to the VPC Console.

2. In the VPC navigation menu or in the search box at the top of the page, select Endpoint services. Click Create endpoint service.

3. For Load balancer type, choose the Network option.

4. In the Available load balancers section, select the load balancer you just created.

5. For Supported IP address types, choose the IPv4 option.

6. Click Create.

As the final step, contact your Starburst account team to complete your PrivateLink configuration.