• Developer guide
  • API reference

›Secure networking

Getting started

  • Introduction to Imply Polaris
  • Quickstart
  • Navigate the console
  • Key concepts

Ingestion sources

  • Ingestion sources overview
  • Supported data formats
  • Create a connection
  • Ingest from files
  • Ingest from S3
  • Ingest from Kinesis
  • Ingest from Confluent Cloud
  • Kafka Connector for Imply Polaris
  • Push event data

Tables and data

  • Overview
  • Introduction to tables
  • Table schema
  • Create an ingestion job
  • Timestamp expressions
  • Data partitioning
  • Introduction to rollup
  • Approximation algorithms
  • Replace data

Analytics

  • Overview
  • Manage data cubes
  • Visualize data
  • Data cube dimensions
  • Data cube measures
  • Dashboards
  • Create a dashboard
  • Visualizations reference
  • Set up alerts
  • Set up reports
  • Embed visualizations
  • Query data

Monitoring

  • Overview

Management

  • Overview
  • Pause and resume a project

Billing

  • Overview
  • Polaris plans
  • Estimate project costs

Usage

  • Overview

Security

    Polaris access

    • Overview
    • Invite users to your organization
    • Permissions reference
    • Manage user groups
    • Enable SSO
    • SSO settings reference
    • Map IdP groups

    Secure networking

    • Connect to AWS

Developer guide

  • Overview
  • Authentication

    • Overview
    • Authenticate with API keys
    • Authenticate with OAuth
  • Manage users and groups
  • Migrate deprecated resources
  • Create a table
  • Define a schema
  • Upload files
  • Create an ingestion job
  • Ingestion sources

    • Ingest from files
    • Ingest from a table
    • Get ARN for AWS access
    • Ingest from Amazon S3
    • Ingest from Amazon Kinesis
    • Ingest from Confluent Cloud
    • Push event data
    • Kafka Connector for Imply Polaris
    • Kafka Connector reference
  • Filter data to ingest
  • Ingest nested data
  • Ingest and query sketches
  • Query data
  • Update a project
  • Link to BI tools
  • Connect over JDBC
  • Query parameters reference
  • API documentation

    • OpenAPI reference
    • Query API

Product info

  • Release notes
  • Known limitations
  • Druid extensions

Secure connections to AWS

To grant Imply Polaris access to your data in AWS, you establish a trust relationship between your account and Imply's AWS account. An IAM role is an identity with specific permissions that can be assumable by anyone who needs the role. The permissions assigned to the role are defined by IAM policies. For Imply to ingest your data, your AWS IAM role must have the following policies attached to the role:

  • A trust policy that specifies which trusted account members are allowed to assume the role.
  • A permissions policy that grants the user of the role the needed permissions to carry out the intended tasks on the resource.

The following diagram shows an example of the roles and policies involved in granting Polaris permission to read data from AWS Kinesis streams:

Roles for Kinesis connection

Polaris does not support access to AWS resources using access keys.

See the AWS documentation for more information about roles and cross-account access:

  • Role terms and concepts
  • Policies and permissions in IAM
  • Allow users from another account to access resources in your AWS account

ARN for Polaris connection

When creating a connection to AWS resources, such as an S3 bucket or a Kinesis Data Stream, you provide the ARN of your role for Imply to assume to read and ingest the data. For example, arn:aws:iam:::123456789012:role/demo-role.

Trust policy

To authorize access from Polaris to your AWS data, you must include the ARN of Imply's role to a trust policy attached to your AWS role. Polaris displays the ARN of Imply's role when you create a connection in the UI in the New connection dialog. You can also get the ARN of Imply's role by API.

List the ARN of Imply's role in the Principal field of the trust policy to allow Imply to assume your IAM role.

The following example shows a trust policy that you can add to your IAM role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::987654321098:role/imply-cluster-3b538a72-844f-4a09-883d-xxxxxxxxxxxx"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

For more information on modifying a role's trust policy, see Modifying a role.

Permissions policy

In a permissions policy that you attach to your IAM role, you list the resources that the role can access and set the level of access by listing the allowable actions. Each AWS service has its own actions, resources, and condition context keys for use in IAM policies. The reference information for Polaris connections lists the required permissions to access each AWS resource.

For more information on creating a permissions policy, see the AWS documentation on Actions, resources, and condition keys for AWS services.

← Map IdP groupsOverview →
  • ARN for Polaris connection
  • Trust policy
  • Permissions policy
Key links
Try ImplyApache Druid siteImply GitHub
Get help
Stack OverflowSupportContact us
Learn more
BlogApache Druid docs
Copyright © 2023 Imply Data, Inc