Secure connections to AWS

To grant Imply Polaris access to your data in AWS, you establish a trust relationship between your account and Imply's AWS account. An IAM role is an identity with specific permissions that can be assumable by anyone who needs the role. The permissions assigned to the role are defined by IAM policies. For Imply to ingest your data, your AWS IAM role must have the following policies attached to the role:

• A trust policy that specifies which trusted account members are allowed to assume the role.
• A permissions policy that grants the user of the role the needed permissions to carry out the intended tasks on the resource.

The following diagram shows an example of the roles and policies involved in granting Polaris permission to read data from AWS Kinesis streams:

Polaris does not support access to AWS resources using access keys.

See the AWS documentation for more information about roles and cross-account access:

• Role terms and concepts
• Policies and permissions in IAM
• Allow users from another account to access resources in your AWS account

ARN for Polaris connection

When creating a connection to AWS resources, such as an S3 bucket or a Kinesis Data Stream, you provide the ARN of your role for Imply to assume to read and ingest the data. For example, arn:aws:iam:::123456789012:role/demo-role.

Trust policy

To authorize access from Polaris to your AWS data, you must include the ARN of Imply's role to a trust policy attached to your AWS role. Polaris displays the ARN of Imply's role when you create a connection in the UI in the New connection dialog. You can also get the ARN of Imply's role by API.

List the ARN of Imply's role in the Principal field of the trust policy to allow Imply to assume your IAM role.

The following example shows a trust policy that you can add to your IAM role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::987654321098:role/imply-cluster-3b538a72-844f-4a09-883d-xxxxxxxxxxxx"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

For more information on modifying a role's trust policy, see Modifying a role.

Permissions policy

In a permissions policy that you attach to your IAM role, you list the resources that the role can access and set the level of access by listing the allowable actions. Each AWS service has its own actions, resources, and condition context keys for use in IAM policies. The reference information for Polaris connections lists the required permissions to access each AWS resource.

For more information on creating a permissions policy, see the AWS documentation on Actions, resources, and condition keys for AWS services.