Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Terms:

  • LHM LHO Application Role - a IAM role that is assigned to the EC2 Instance (VM) where the Lakehouse Monitor is deployed, the role allows sts:AssumeRole permission for cross account access or just regular permission policies for resource access.

  • LHM LHO Agent Role - a IAM role that will be assumed by the Databricks Workspace Instance Profile Roles enabled for the Databricks workloads monitored by LHMLHO.

  • LHM Application host AWS Account - AWS account where BPLM the LHO app (VM) is deployed and where DynamoDB and SQS artifacts are also created.

  • Databricks Workspace AWS account - AWS accounts hosting Databricks workspaces

Databricks

...

The S3 bucket storing the billable usage (Databricks consumption data) requires an S3 bucket policy that will specify the scope of access for the LHM Application:

  1. Full AWS organization

  2. Full AWS Account where LHM App is hosted

  3. Exactly the IAM Role of the LHM Application in the AWS Account hosting it

  • Code Block
    # Full AWS organization
    
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "S3ReadObject",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::<bucket>/<path_prefix>/*",
                "Condition": {
                    "StringEquals": {
                        "aws:PrincipalOrgID": "<org_id>"
                    }
                }
            },
            {
                "Sid": "S3ListBucket",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:ListBucket",
                "Resource": "arn:aws:s3:::<bucket>",
                "Condition": {
                    "StringEquals": {
                        "aws:PrincipalOrgID": "<org_id>"
                    },
                    "StringLike": {
                        "s3:prefix": "<path_prefix>/*"
                    }
                }
            }
        ]
    }

Code Block
# Full AWS Account where LHM App is hosted
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3ReadObject",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<LHM_App_Host_AWS_Account_Id>:root"            
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<bucket>/<path_prefix>/*"
        },
        {
            "Sid": "S3ListBucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<LHM_App_Host_AWS_Account_Id>:root"            
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<bucket>",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "<path_prefix>/*"
                }
            }
        }
    ]
}

Code Block
# Exactly the IAM Role of the LHM Application in the AWS Account hosting it
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3ReadObject",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<LHM_App_Host_AWS_Account_Id>:role/<c>"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<bucket>/<path_prefix>/*"
        },
        {
            "Sid": "S3ListBucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<LHM_App_Host_AWS_Account_Id>:role/<LHM_App_IAM_Role>"            
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<bucket>",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "<path_prefix>/*"
                }
            }
        }
    ]
}

LHM Application IAM Role permission policy:

Code Block
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<bucket>/<path_prefix>/*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<bucket>",
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "<path_prefix>/*"
                    ]
                }
            }
        }
    ]
}

Configuring Lakehouse monitor to read from s3:

Code Block
CONSUMPTION_BILLABLE_USAGE_PATH=s3a://<bucket>/<path_prefix>/billable-usage/csv
STORAGE_AWS_S3_REGION=<bucket_region>

DynamoDB and SQS:

Both the LHM Application and the LHM Agent running in the Databricks workspaces require access to DynamoDB tables and SQS queue that are created in the same AWS account as the LHM application, we will call this the “LHM_App_AWS_Account_Id” in the permission policies below:

Code Block
breakoutModewide
# LHM Agent IAM Role in the application-host AWS account
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "WriteToDynamoDbAndSqs",
            "Effect": "Allow",
            "Action": [
                "dynamodb:BatchWriteItem",
                "dynamodb:PutItem",
                "dynamodb:UpdateItem",
                "sqs:SendMessage"
            ],
            "Resource": [
                "arn:aws:sqs:<optional_region_or_*>:<LHM_App_AWS_Account_Id>:bplm*",
                "arn:aws:dynamodb:<optional_region_or_*>:<LHM_App_AWS_Account_Id>:table/bplm*"
            ]
        }
    ]
}

# LHM Application (VM) IAM Role in the application-host AWS account:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DynamoAndSQS",
            "Effect": "Allow",
            "Action": [
                "sqs:DeleteMessage",
                "dynamodb:CreateTable",
                "sqs:GetQueueUrl",
                "dynamodb:UpdateTimeToLive",
                "dynamodb:DescribeTable",
                "sqs:ReceiveMessage",
                "dynamodb:Scan",
                "dynamodb:Query",
                "sqs:CreateQueue"
            ],
            "Resource": [
                "arn:aws:sqs:<optional_source_region_or_*>:<LHM_App_AWS_Account_Id>:bplm*",
                "arn:aws:dynamodb:<optional_source_region_or_*>:<LHM_App_AWS_Account_Id>:table/bplm*"
            ]
        }
    ]
}

For Trusting Policy, see Source Role Trusting policy ... above.

Trust policy for the LHM Agent IAM Role in the application-host AWS account:

DynamoDb tables and SQS queue are accessed by LHM agents running on multiple AWS accounts hosting Dbx workspaces:

Code Block
# LHM Agent IAM Role fully trusts a list of AWS accounts
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                  "arn:aws:iam::<Dbx_Workspace_AWS_Account1_id>:root",
                  "arn:aws:iam::<Dbx_Workspace_AWS_Account2_id>:root",
                  ...
                ]          
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

or

# LHM Agent IAM Role trusts a Databricks workspace Instance Profile IAM Role 
# in a particular AWS account

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<Dbx_Workspace_AWS_Account>:role/<Dbx_Wksp_Instance_Profile_IAM_Role>"
            },
            "Action": "sts:AssumeRole",
        }
    ]
}

Permission policy for the Databricks Workspace Instance Profile Roles that will assume the LHM_Agent_IAM_Role:

(see more info here: instance profile)

Code Block
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::<LHM_App_Host_AWS_Account_ID_or_*>:role/<LHM_Agent_IAM_Role>"
        }
    ]
}

And in the Lakehouse Monitor .env config file provide the AWS account ID and IAM Role name for the LHM agent that will be shipped to each monitored Databricks workspace:

Note that the AWS account ID of the LHM Agent, DynamoDB, SQS and LHM Application (VM) has the same value of LHM_App_Host_AWS_Account_ID

Code Block
CROSS_ACCOUNT_ASSUME_IAM_ROLE_AGENT=arn:aws:iam::<LHM_App_Host_AWS_Account_ID>:role/<LHM_Agent_IAM_Role>
STORAGE_AWS_REGION=<dynamodb_and_sqs_region>

AWS CostExplorer

LHM Application IAM Role will assume a IAM Role in the Databricks Workspace AWS Account with a permission policy to access Cost Explorer data in that AWS Account Id:

IAM_Role_Cost_Explorer permission policy:

Code Block
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGetCostAndUsages",
            "Effect": "Allow",
            "Action": "ce:GetCostAndUsage",
            "Resource": "*"
        }
    ]
}

Trust policy for the IAM_Role_Cost_Explorer that allows the LHM Application IAM Role in the app-host AWS Account to assume the cost explorer role:

Code Block
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<LHM_App_Host_AWS_Account_ID>:role/<LHM_App_IAM_Role>"
            },
            "Action": "sts:AssumeRole",
        }
    ]
}

LHM application IAM Role permission policy:

Code Block
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AssumeCostExplorerRole",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::<Databricks_Wksp_AWS_Account_Id>:role/<IAM_Role_Cost_Explorer>"
        }
    ]
}

And in the Lakehouse Monitor .env config file provide the source role name for cost explorer

...

costs

Cloud Costs via AWS CostExplorer

DynamoDB and SQS