IAM Role Mapping

Requirements

  1. Security Admin Role Access
  2. IAM Identity (instance credentials, AWS SSO, AWS user credentials, etc.)

Configuring IAM Role Access

Tabular lets you access your warehouse from any environment where AWS credentials are available, without having to mint separate Tabular credentials.

A security admin maps IAM identities to Tabular roles from Connections -> Security.
A mapped IAM identity then operates with exactly the permissions granted to the Tabular role it is mapped to.

Determining your IAM ARN

The ARN Tabular verifies is the one your environment presents when operating as that identity, so it must be captured there. To get the correct value, use the AWS CLI and run the following command from the environment where you will be running:

$ aws sts get-caller-identity
{
    "UserId": "XXXXXXXXXXXXX:user@acmo.io",
    "Account": "001122334455",
    "Arn": "arn:aws:sts::001122334455:assumed-role/my-service-role/session-name"
}

In the example above, the ARN to enter is arn:aws:sts::001122334455:assumed-role/my-service-role (omit the session name, which changes from session to session).

Supported ARN Formats

arn:aws:iam::account:user/user-name-with-path
arn:aws:iam::account:role/role-name-with-path
arn:aws:iam::account:instance-profile/instance-profile-name-with-path
arn:aws:sts::account:federated-user/user-name
arn:aws:sts::account:assumed-role/role-name/role-session-name
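The steps above (read the ARN from aws sts get-caller-identity, drop the session name from an assumed-role ARN, and check the result against the supported formats) as an added Python example; this is not code from Tabular, and the sample JSON below is constructed to match the shape of the output shown above.

```python
import json
import re

# Supported ARN formats listed on this page, expressed as patterns.
# The assumed-role form is matched WITHOUT its session name, because
# the session segment is dropped before the ARN is entered in Tabular.
SUPPORTED_ARN_PATTERNS = [
    re.compile(r"^arn:aws:iam::\d{12}:user/[\w+=,.@/-]+$"),
    re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$"),
    re.compile(r"^arn:aws:iam::\d{12}:instance-profile/[\w+=,.@/-]+$"),
    re.compile(r"^arn:aws:sts::\d{12}:federated-user/[\w+=,.@-]+$"),
    re.compile(r"^arn:aws:sts::\d{12}:assumed-role/[\w+=,.@-]+$"),
]

ASSUMED_ROLE_PREFIX = ":assumed-role/"

# Constructed sample (hypothetical account and role), same shape as the
# real `aws sts get-caller-identity` output shown on this page.
SAMPLE_CALLER_IDENTITY = """{
    "UserId": "XXXXXXXXXXXXX:user@acmo.io",
    "Account": "001122334455",
    "Arn": "arn:aws:sts::001122334455:assumed-role/my-service-role/session-name"
}"""


def mapping_arn_from_caller_identity(identity_json: str) -> str:
    """Return the ARN to enter in Tabular's IAM role mapping.

    Takes the JSON printed by `aws sts get-caller-identity`. For an
    assumed-role ARN the trailing session name is removed, since session
    names vary and would not match at verification time. Raises
    ValueError when the ARN is not in one of the supported formats.
    """
    arn = json.loads(identity_json)["Arn"]
    if ASSUMED_ROLE_PREFIX in arn:
        head, _, rest = arn.partition(ASSUMED_ROLE_PREFIX)
        # rest is "role-name/session-name"; keep only the role name.
        role_name = rest.split("/", 1)[0]
        arn = f"{head}{ASSUMED_ROLE_PREFIX}{role_name}"
    if not any(p.match(arn) for p in SUPPORTED_ARN_PATTERNS):
        raise ValueError(f"unsupported ARN format for role mapping: {arn}")
    return arn


if __name__ == "__main__":
    # Feed the script real output with:
    #   aws sts get-caller-identity | python3 this_script.py
    print(mapping_arn_from_caller_identity(SAMPLE_CALLER_IDENTITY))
```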

Grant Invoke to your Role

Your IAM role needs a policy that grants the ability to invoke a Lambda function.
Tabular uses this permission to verify the identity of the caller. In IAM, either associate the AmazonAPIGatewayInvokeFullAccess managed policy with your role, or attach the following policy, which is scoped to the Tabular account and is the narrower, least-privilege option:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "execute-api:Invoke"
            ],
            "Resource": "arn:aws:execute-api:*:237881912361:*"
        }
    ]
}

If this permission is not attached to the role, the request fails with a message like the following:

{
  "Message":"User: arn:aws:sts::001122334455:assumed-role/my-service-role/session-name is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-east-1:********2361:3c13242339/stage-0/GET/ws/v1/config"
}

Verifying Access

To verify access, use the awscurl utility to query the Tabular IAM gateway, replacing <region> with the relevant AWS region name (for example, us-west-2 or us-east-1):

> pip install awscurl

> awscurl --region <region> https://iam-gw.<region>.tabular.io/ws/v1/config?warehouse=sandbox

Spark Configuration

(Note: this requires Iceberg version 1.2.1+)

spark-defaults.properties

spark.sql.catalog.gw                     org.apache.iceberg.spark.SparkCatalog
spark.sql.catalog.gw.catalog-impl        org.apache.iceberg.rest.RESTCatalog
spark.sql.catalog.gw.uri                 https://iam-gw.<region>.tabular.io/ws
spark.sql.catalog.gw.rest.sigv4-enabled  true
spark.sql.catalog.gw.warehouse           sandbox

Python Configuration

(Note: this requires pyiceberg version 0.4+)

~/.pyiceberg.yaml

default:
  uri: https://iam-gw.<region>.tabular.io/ws/
  rest.sigv4-enabled: true
  warehouse: sandbox

sandbox:
  uri: https://iam-gw.<region>.tabular.io/ws/
  rest.sigv4-enabled: true
  warehouse: sandbox