Requirements
- Security Admin Role Access
- IAM Identity (instance credentials, AWS SSO, AWS user credentials, etc.)
Configuring IAM Role Access
Tabular lets you access your warehouse from any environment where AWS credentials are available, without needing separately minted Tabular credentials.
A security admin maps IAM identities to Tabular roles from Connections -> Security.
The mapped IAM identity then operates with the permissions granted to the Tabular role it is mapped to.
Determining your IAM ARN
The ARN used to verify identity must be in the form the identity has when it is actually operating, so run the following AWS CLI command from the environment where your workload will run:
$ aws sts get-caller-identity
{
"UserId": "XXXXXXXXXXXXX:user@acmo.io",
"Account": "001122334455",
"Arn": "arn:aws:sts::001122334455:assumed-role/my-service-role/session-name"
}
In the example above, the ARN to use is arn:aws:sts::001122334455:assumed-role/my-service-role (omit the session name).
Supported ARN Formats
arn:aws:iam::account:user/user-name-with-path
arn:aws:iam::account:role/role-name-with-path
arn:aws:iam::account:instance-profile/instance-profile-name-with-path
arn:aws:sts::account:federated-user/user-name
arn:aws:sts::account:assumed-role/role-name/role-session-name
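The session-name rule above is easy to get wrong when scripting the mapping, so here is an added example (not code from the page or from Tabular) that takes the JSON `aws sts get-caller-identity` prints, drops the session segment from an assumed-role ARN, and rejects anything outside the supported ARN formats listed above. The sample JSON is constructed to mirror the page's example, and the function names are this example's own.

```python
import json
import re

# Constructed sample output of `aws sts get-caller-identity`, mirroring the
# shape of the page's example (account id and names are placeholders).
SAMPLE_CALLER_IDENTITY = json.dumps({
    "UserId": "XXXXXXXXXXXXX:user@acmo.io",
    "Account": "001122334455",
    "Arn": "arn:aws:sts::001122334455:assumed-role/my-service-role/session-name",
})

# Resource patterns accepted for mapping, taken from the supported ARN formats.
# The assumed-role pattern applies after the session name has been stripped.
SUPPORTED_RESOURCE_PATTERNS = [
    (r"^user/.+$", "iam"),
    (r"^role/.+$", "iam"),
    (r"^instance-profile/.+$", "iam"),
    (r"^federated-user/[^/]+$", "sts"),
    (r"^assumed-role/[^/]+$", "sts"),
]


def mapping_arn_from_caller_arn(arn: str) -> str:
    """Return the ARN to register in Tabular for the identity that `arn` reports.

    STS assumed-role ARNs carry the session name as a third path segment; the
    mapping uses the role portion only, so that segment is dropped. Other
    supported formats are returned unchanged. Anything else raises ValueError.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account, resource = parts
    if region:
        # IAM and STS principal ARNs are global; a region means a different kind of ARN.
        raise ValueError(f"unexpected region in IAM/STS ARN: {arn!r}")
    if service == "sts" and resource.startswith("assumed-role/"):
        segments = resource.split("/")
        if len(segments) == 3:          # assumed-role/<role>/<session>
            resource = "/".join(segments[:2])
        elif len(segments) != 2:        # already stripped form is also accepted
            raise ValueError(f"malformed assumed-role ARN: {arn!r}")
    for pattern, expected_service in SUPPORTED_RESOURCE_PATTERNS:
        if service == expected_service and re.match(pattern, resource):
            return f"arn:{partition}:{service}::{account}:{resource}"
    raise ValueError(f"unsupported ARN format for mapping: {arn!r}")


def mapping_arn_from_sts_json(output: str) -> str:
    """Convenience wrapper over the raw JSON printed by `aws sts get-caller-identity`."""
    return mapping_arn_from_caller_arn(json.loads(output)["Arn"])


if __name__ == "__main__":
    # In practice pipe the real CLI output in; the constructed sample is used here.
    print(mapping_arn_from_sts_json(SAMPLE_CALLER_IDENTITY))
```

Run it as `aws sts get-caller-identity | python3 caller_arn.py` after swapping the sample for `sys.stdin.read()`; the root user ARN (`arn:aws:iam::account:root`) is deliberately rejected because it is not among the supported formats.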
Grant Invoke to your Role
Your IAM role needs a policy that grants the execute-api:Invoke permission used to call the Lambda function that verifies the identity of the caller. In IAM, attach the AWS managed policy AmazonAPIGatewayInvokeFullAccess to your role, or attach the following policy scoped to the Tabular account. The managed policy grants execute-api:Invoke on every API in every account, so the scoped policy below is the least-privilege choice:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "execute-api:Invoke"
      ],
      "Resource": "arn:aws:execute-api:*:237881912361:*"
    }
  ]
}
If this permission is not associated with the role, you will receive a message like the following:
{
"Message":"User: arn:aws:sts::001122334455:assumed-role/my-service-role/session-name is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-east-1:********2361:3c13242339/stage-0/GET/ws/v1/config"
}
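When the error above comes back, the useful question is whether the policy you attached actually covers the action and resource named in it. The following is an added example (not code from the page or from Tabular): it parses the "is not authorized" message, evaluates the page's scoped policy against it with a minimal IAM-style wildcard matcher, and shows a constructed wrong-account policy failing the same check. The 403 body is constructed in the shape the page shows, with the masked account written out as the Tabular account id; conditions and NotAction/NotResource are not modelled.

```python
from __future__ import annotations

import re

# The inline policy from the page, scoped to the Tabular account.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["execute-api:Invoke"],
            "Resource": "arn:aws:execute-api:*:237881912361:*",
        }
    ],
}

# Constructed counter-example: the same grant scoped to the wrong account.
WRONG_ACCOUNT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:*:001122334455:*",
        }
    ],
}

# Constructed 403 body in the shape the page shows. The page masks the account
# as ********2361; it is written out here as the Tabular account id.
DENIED_RESPONSE = {
    "Message": (
        "User: arn:aws:sts::001122334455:assumed-role/my-service-role/session-name "
        "is not authorized to perform: execute-api:Invoke on resource: "
        "arn:aws:execute-api:us-east-1:237881912361:3c13242339/stage-0/GET/ws/v1/config"
    )
}


def parse_access_denied(message: str) -> tuple[str, str]:
    """Pull (action, resource) out of an API Gateway 'is not authorized' message."""
    match = re.search(r"is not authorized to perform: (\S+) on resource: (\S+)", message)
    if match is None:
        raise ValueError(f"not an access-denied message: {message!r}")
    return match.group(1), match.group(2)


def _iam_pattern(glob: str, ignore_case: bool = False) -> re.Pattern:
    """Compile an IAM-style pattern: '*' spans any characters (':' and '/' included), '?' one."""
    regex = "^" + re.escape(glob).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.compile(regex, re.IGNORECASE if ignore_case else 0)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy: dict, action: str, resource: str) -> bool:
    """Minimal evaluator for one identity policy: an explicit Deny wins, otherwise
    any matching Allow grants. Actions match case-insensitively, resources exactly."""
    allowed = False
    for statement in policy.get("Statement", []):
        actions = _as_list(statement.get("Action", []))
        resources = _as_list(statement.get("Resource", []))
        if not any(_iam_pattern(a, ignore_case=True).match(action) for a in actions):
            continue
        if not any(_iam_pattern(r).match(resource) for r in resources):
            continue
        if statement.get("Effect") == "Deny":
            return False
        if statement.get("Effect") == "Allow":
            allowed = True
    return allowed


def policy_covers_denial(policy: dict, denied_response: dict) -> bool:
    """True if `policy` would have allowed the call that produced `denied_response`."""
    action, resource = parse_access_denied(denied_response["Message"])
    return policy_allows(policy, action, resource)


if __name__ == "__main__":
    action, resource = parse_access_denied(DENIED_RESPONSE["Message"])
    print(f"denied action={action} resource={resource}")
    print("scoped policy covers it:", policy_covers_denial(SCOPED_POLICY, DENIED_RESPONSE))
    print("wrong-account policy covers it:", policy_covers_denial(WRONG_ACCOUNT_POLICY, DENIED_RESPONSE))
```

The evaluator is intentionally small; if the local check passes but the gateway still returns 403, look at what is outside an inline policy's scope (a permissions boundary, an SCP, or a session policy on the assumed role), which this example does not model.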
Verifying Access
To verify access, use the awscurl utility, which signs the request with SigV4 using the AWS credentials available in your environment, to query the Tabular IAM gateway:
> pip install awscurl
> awscurl "https://iam-gw.tabular.io/ws/v1/config?warehouse=sandbox"
Spark Configuration
(Note: this requires Iceberg version 1.2.1+)
spark-defaults.properties
spark.sql.catalog.gw org.apache.iceberg.spark.SparkCatalog
spark.sql.catalog.gw.catalog-impl org.apache.iceberg.rest.RESTCatalog
spark.sql.catalog.gw.uri https://iam-gw.tabular.io/ws
spark.sql.catalog.gw.rest.sigv4-enabled true
spark.sql.catalog.gw.warehouse sandbox
Python Configuration
(Note: this requires pyiceberg version 0.4+)
~/.pyiceberg.yaml
catalog:
  default:
    uri: https://iam-gw.tabular.io/ws/
    rest.sigv4-enabled: true
    warehouse: sandbox
  sandbox:
    uri: https://iam-gw.tabular.io/ws/
    rest.sigv4-enabled: true
    warehouse: sandbox