
Privacera Documentation

Integrate AWS with Privacera Platform using the Data Access Server

You can integrate AWS and S3 with Privacera Platform using the Data Access Server.

Configure the Data Access Server using CLI

  1. SSH to the instance where Privacera Manager is installed.

  2. Run the following command.

    cd ~/privacera/privacera-manager
    cp config/sample-vars/vars.dataserver.aws.yml config/custom-vars/
    
  3. Edit the properties. For property details, see Data Access Server configuration properties.

    vi config/custom-vars/vars.dataserver.aws.yml
    

    Note

    In addition to the above properties, you can add custom properties that are not included by default. For more information, see AWS Data Access Server properties on Privacera Platform.

  4. Update Privacera Manager.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
    

Data Access Server configuration properties

Property: DATASERVER_RANGER_AUTH_ENABLED
  Description: Enable/disable Ranger authorization in the Data Access Server.

Property: DATASERVER_V2_WORKDER_THREADS
  Description: Number of worker threads that process inbound connections.
  Example: 20

Property: DATASERVER_V2_CHANNEL_CONNECTION_BACKLOG
  Description: Maximum queue size for inbound connections.
  Example: 128

Property: DATASERVER_V2_CHANNEL_CONNECTION_POOL
  Description: Enable the connection pool for outbound requests. The property is disabled by default.

Property: DATASERVER_V2_FRONT_CHANNEL_IDLE_TIMEOUT
  Description: Idle timeout for inbound connections.
  Example: 60

Property: DATASERVER_V2_BACK_CHANNEL_IDLE_TIMEOUT
  Description: Idle timeout for outbound connections. Takes effect only if the connection pool is enabled.
  Example: 60

Property: DATASERVER_HEAP_MIN_MEMORY_MB
  Description: Minimum Java heap memory, in MB, used by the Data Access Server.
  Example: 1024

Property: DATASERVER_HEAP_MAX_MEMORY_MB
  Description: Maximum Java heap memory, in MB, used by the Data Access Server.
  Example: 1024

Property: DATASERVER_USE_REGIONAL_ENDPOINT
  Description: Set this property to enforce the default region for all S3 buckets.
  Example: true

Property: DATASERVER_AWS_REGION
  Description: Default AWS region for S3 buckets.
  Example: us-east-1

Configure access control for AWS S3 using the Data Access Server

You can configure access control for AWS S3 using the Privacera Data Access Server.

Prerequisites

Ensure that the following prerequisites are met:

  • Create and add an AWS IAM Policy to allow access to S3 resources. For instructions, see AWS Identity and Access Management (IAM) on Privacera Platform. Use either the "Full S3 Access" or "Limited S3 Access" policy template, depending on your enterprise requirements. Return to this section once the Policy is attached to the Privacera Manager Host VM.

Procedure
  1. SSH to the instance where Privacera Manager is installed.

  2. Configure the Privacera Data Access Server, as described in "Configure the Data Access Server using CLI" above.

  3. Edit the configuration properties. For information about the properties, see Data Access Server S3 configuration properties.

    vi config/custom-vars/vars.dataserver.aws.yml
    

  4. Run Privacera Manager update.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
    

Data Access Server S3 configuration properties

Property: DATASERVER_USE_POD_IAM_ROLE
  Description: Enable the creation of an IAM role that will be used for the Data Access Server pod.
  Example: true

Property: DATASERVER_IAM_POLICY_ARN
  Description: Full ARN of the IAM policy to attach to the IAM role associated with the Data Access Server pod.
  Example: arn:aws:iam::aws:policy/AmazonS3FullAccess

Property: DATASERVER_USE_IAM_ROLE
  Description: If you've given an IAM role permission to access the bucket, enable Use IAM Roles.

Property: DATASERVER_S3_AWS_API_KEY
  Description: If you've used an access key to access the bucket, disable Use IAM Role and set the AWS API Key.
  Example: AKIAIOSFODNN7EXAMPLE

Property: DATASERVER_S3_AWS_SECRET_KEY
  Description: If you've used a secret key to access the bucket, disable Use IAM Role and set the AWS Secret Key.
  Example: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

Property: DATASERVER_V2_S3_ENDPOINT_ENABLE
  Description: Enable to use a custom S3 endpoint.

Property: DATASERVER_V2_S3_ENDPOINT_SSL
  Description: Enable this property if SSL is enabled on the MinIO server behind the custom endpoint, and disable it otherwise.

Property: DATASERVER_V2_S3_ENDPOINT_HOST
  Description: Host of the custom endpoint server.
  Example: 192.468.12.142

Property: DATASERVER_V2_S3_ENDPOINT_PORT
  Description: Port of the custom endpoint server.
  Example: 9000

Property: DATASERVER_AWS_REQUEST_INCLUDE_USERINFO
  Description: Enable adding the session role to CloudWatch logs for requests going through the Dataserver. The value appears under the privacera-user key in the Request Params of the CloudWatch logs. Set to true if you want to see privacera-user in CloudWatch.
  Example: true
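A pre-flight check for the S3 properties above, added here as an example and not part of Privacera's tooling. It reads the flat KEY: "value" lines of vars.dataserver.aws.yml (the layout this page's Athena example uses), fails when static AWS keys sit beside an enabled IAM role or are missing when the role is disabled, and rejects a custom endpoint whose numeric host is not a valid IPv4 address (an octet above 255) or that has SSL off. The functions get_var, valid_ipv4, lint_dataserver_vars and write_sample, and the sample files, are all constructed for this example.

```shell
#!/bin/sh
# Pre-flight lint for config/custom-vars/vars.dataserver.aws.yml, run before "./privacera-manager.sh update".
# Added example, not Privacera's tooling. Assumes flat 'KEY: "value"' lines, as this page's Athena example shows.

# get_var FILE KEY -> value of KEY with double quotes stripped (empty if absent)
get_var() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d '"'
}

# valid_ipv4 ADDR -> succeeds only for four dotted octets, each 0..255
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(echo "$1" | tr '.' ' '); do [ "$o" -le 255 ] || return 1; done
}

# lint_dataserver_vars FILE -> 0 when consistent, 1 with each finding on stderr
lint_dataserver_vars() {
  f=$1; rc=0
  role=$(get_var "$f" DATASERVER_USE_IAM_ROLE)
  key=$(get_var "$f" DATASERVER_S3_AWS_API_KEY); secret=$(get_var "$f" DATASERVER_S3_AWS_SECRET_KEY)
  ep=$(get_var "$f" DATASERVER_V2_S3_ENDPOINT_ENABLE); host=$(get_var "$f" DATASERVER_V2_S3_ENDPOINT_HOST)
  ssl=$(get_var "$f" DATASERVER_V2_S3_ENDPOINT_SSL)
  # IAM role and static keys are alternatives: keys left beside an enabled role are unused secrets
  if [ "$role" = "true" ] && { [ -n "$key" ] || [ -n "$secret" ]; }; then
    echo "$f: DATASERVER_USE_IAM_ROLE is true but static AWS keys are set; remove them" >&2; rc=1
  fi
  if [ "$role" != "true" ] && { [ -z "$key" ] || [ -z "$secret" ]; }; then
    echo "$f: IAM role disabled but API key or secret key is missing" >&2; rc=1
  fi
  if [ "$ep" = "true" ]; then
    # a numeric-looking host must be a real IPv4 address (an octet above 255 never routes)
    if echo "$host" | grep -Eq '^[0-9.]+$' && ! valid_ipv4 "$host"; then
      echo "$f: DATASERVER_V2_S3_ENDPOINT_HOST '$host' is not a valid IPv4 address" >&2; rc=1
    fi
    [ "$ssl" = "true" ] || { echo "$f: custom S3 endpoint with SSL off; traffic to it is unencrypted" >&2; rc=1; }
  fi
  return $rc
}
# write_sample FILE ROLE KEY SECRET ENDPOINT_ENABLE HOST SSL -> writes a constructed sample config
write_sample() {
  printf '%s\n' "DATASERVER_USE_IAM_ROLE: \"$2\"" "DATASERVER_S3_AWS_API_KEY: \"$3\"" \
    "DATASERVER_S3_AWS_SECRET_KEY: \"$4\"" "DATASERVER_V2_S3_ENDPOINT_ENABLE: \"$5\"" \
    "DATASERVER_V2_S3_ENDPOINT_HOST: \"$6\"" "DATASERVER_V2_S3_ENDPOINT_SSL: \"$7\"" > "$1"
}
# Demo on constructed files: role plus SSL endpoint passes; leftover keys, bad host and SSL off fail
tmp=$(mktemp -d)
write_sample "$tmp/good.yml" true "" "" true 10.0.0.5 true
write_sample "$tmp/bad.yml" true AKIAIOSFODNN7EXAMPLE wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY true 10.0.0.300 false
lint_dataserver_vars "$tmp/good.yml" && echo "good.yml: ok"
lint_dataserver_vars "$tmp/bad.yml" || echo "bad.yml: rejected"; rm -rf "$tmp"
```

Run it as `lint_dataserver_vars config/custom-vars/vars.dataserver.aws.yml` after sourcing the script; a non-zero exit lists every finding on stderr.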

Configure access control for AWS Athena using the Data Access Server

This section covers how you can configure access control for AWS Athena through Privacera Data Access Server.

Prerequisites

Ensure the following prerequisites are met:

  • Create and add an AWS IAM Policy defined to allow rights to use Athena and Glue resources and databases. See AWS Identity and Access Management (IAM) on Privacera Platform for instructions. Use the "Athena Access" policy, modified as necessary for your enterprise. Return to this section once the Policy is attached to the Privacera Manager Host VM.

Procedure
  1. SSH to the instance where Privacera Manager is installed.

  2. Configure the Privacera Data Access Server, as described in "Configure the Data Access Server using CLI" above.

  3. Edit the properties.

    vi config/custom-vars/vars.dataserver.aws.yml
    

    Note

    Along with the above properties, you can add custom properties that are not included by default. For more information about these properties, see Data Access Server S3 configuration properties.

  4. Run Privacera Manager update.

    cd ~/privacera/privacera-manager
    ./privacera-manager.sh update
    

AWS Athena configuration properties

Property: AWS_ATHENA_RESULT_STORAGE_URL
  Description: S3 location where Athena query results are stored. Identify an existing S3 bucket or create one for this purpose.
  Format: AWS_ATHENA_RESULT_STORAGE_URL: "s3://<bucket_name>/<folder_path>"
  Example URL: s3://bucket-data/athena-query-results