...

  1. Full AWS organization

  2. Full AWS Account where LHM App is hosted

  3. Exactly the IAM Role of the LHM Application in the AWS Account hosting it

    Depending on the client's security configuration of the S3 bucket, two options are available for cross-account access.

    a) Bucket policy and custom KMS key policy: applicable when custom KMS keys are used. The custom key and the bucket must be in the same AWS region.

    Bucket policy:

...

Code Block
CONSUMPTION_BILLABLE_USAGE_PATH=s3a://<bucket>/<path_prefix>/billable-usage/csv
STORAGE_AWS_S3_REGION=<bucket_region>

b) Using AssumeRole for S3: applicable when AWS managed KMS keys are used.

S3 bucket and KMS permission role in the AWS account where the S3 bucket belongs

You need to create an IAM role in the same AWS account as the S3 bucket holding the Databricks billable usage logs. This role requires the following permission policy, granting read access to the S3 bucket and decrypt access to the AWS managed KMS key.

Code Block
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3ReadObject",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<bucket>/<path_prefix>/*"
        },
        {
            "Sid": "S3ListBucket",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<bucket>",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "<path_prefix>/*"
                }
            }
        },
        {
            "Sid": "DecryptKMSbucket",
            "Action": [
                "kms:Decrypt"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:kms:<bucket_region>:<s3_aws_account_id>:key/<KEY_ID_OF_AWS_MANAGED_KMS_KEY_IN_SAME_REGION_AS_BUCKET>"
        }
    ]
}

Trust policy for the S3 role (this shows only the variant that trusts a single remote role; for the account-id and aws:PrincipalOrgID variants, see the examples above):

...

Code Block
CONSUMPTION_BILLABLE_USAGE_PATH=s3a://<bucket>/<path_prefix>/billable-usage/csv
STORAGE_AWS_S3_REGION=<bucket_region>
CROSS_ACCOUNT_ASSUME_IAM_ROLE_S3_DBX_BILLING_APP=arn:aws:iam::<s3_aws_account_id>:role/<s3_dbx_billing_role_name>
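As an added example (not part of this page or the LHM project), the Python check below verifies that a permission policy stays within the three read-only statements shown above (GetObject on the prefix, ListBucket with the s3:prefix condition, kms:Decrypt pinned to one key rather than key/*) and that the S3 role's trust policy names exactly the application role, as in option 3 above. The bucket, prefix, account id, key id and role ARN are constructed assumptions.

```python
# Constructed sample values (assumptions, not from the page) standing in for the
# <bucket>, <path_prefix>, <s3_aws_account_id> and KMS key placeholders above.
BUCKET, PREFIX, ACCOUNT = "lhm-billing-logs", "dbx/usage", "111122223333"
KEY_ARN = f"arn:aws:kms:eu-west-1:{ACCOUNT}:key/1234abcd-12ab-34cd-56ef-1234567890ab"
PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "S3ReadObject", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{BUCKET}/{PREFIX}/*"},
        {"Sid": "S3ListBucket", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{BUCKET}",
         "Condition": {"StringLike": {"s3:prefix": f"{PREFIX}/*"}}},
        {"Sid": "DecryptKMSbucket", "Effect": "Allow", "Action": ["kms:Decrypt"],
         "Resource": KEY_ARN},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_permission_policy(policy, bucket, prefix, key_arn):
    """Findings where an Allow grants more than the three read-only statements need."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        cond = st.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        for action in _as_list(st["Action"]):
            for res in _as_list(st["Resource"]):
                if action == "s3:GetObject" and res != f"arn:aws:s3:::{bucket}/{prefix}/*":
                    findings.append(f"{st.get('Sid', '?')}: GetObject on {res} is wider than the prefix")
                elif action == "s3:ListBucket" and (res != f"arn:aws:s3:::{bucket}" or cond != f"{prefix}/*"):
                    findings.append(f"{st.get('Sid', '?')}: ListBucket is not limited to bucket and prefix")
                elif action == "kms:Decrypt" and res != key_arn:
                    findings.append(f"{st.get('Sid', '?')}: kms:Decrypt on {res} is not pinned to one key")
                elif action not in ("s3:GetObject", "s3:ListBucket", "kms:Decrypt"):
                    findings.append(f"{st.get('Sid', '?')}: unexpected action {action}")
    return findings

def check_trust_policy(trust, expected_role_arn):
    """Option 3 above: trust exactly the LHM app role, never an account ':root' or '*'."""
    findings = []
    for st in trust["Statement"]:
        principal = st.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in principals:
            if p != expected_role_arn:
                findings.append(f"{st.get('Sid', '?')}: trusts {p}, expected {expected_role_arn}")
    return findings
```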

DynamoDB and SQS:

...