AWS CostExplorer

The LHO Application IAM Role assumes an IAM Role in the Databricks Workspace AWS Account whose permission policy grants access to the Cost Explorer data of that AWS Account:

...

Trust policy for the IAM_Role_Cost_Explorer that allows the LHO Application IAM Role in the app-host AWS Account to assume the cost explorer role:

Code Block
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<LHO_App_Host_AWS_Account_ID>:role/<LHO_App_IAM_Role>"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Permissions for cost-tagging NAT and S3

In order to obtain workspace storage and network costs, the LHO must be granted permission to tag the S3 bucket and the NAT Gateway associated with the Databricks workspace:

IAM_Role_Cost_Tag_For_S3_And_NAT permission policy:

Code Block
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BplmS3TaggingWkspStorageCostPolicy",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketTagging",
                "s3:PutBucketTagging"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Sid": "BplmNatGatewayTaggingPolicy",
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteTags",
                "ec2:CreateTags"
            ],
            "Resource": [
              "arn:aws:ec2:*:<Databricks_Wksp_AWS_Account_Id>:natgateway/*",
              "arn:aws:ec2:*:<Databricks_Wksp_AWS_Account_Id>:vpc/*",
              "arn:aws:ec2:*:<Databricks_Wksp_AWS_Account_Id>:internet-gateway/*",
              "arn:aws:ec2:*:<Databricks_Wksp_AWS_Account_Id>:elastic-ip/*",
              "arn:aws:ec2:*:<Databricks_Wksp_AWS_Account_Id>:route-table/*",
              "arn:aws:ec2:*:<Databricks_Wksp_AWS_Account_Id>:vpc-endpoint/*"
            ]
        },
        {
            "Sid": "BplmNatGatewayVpcsTaggingPolicy",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVpcs",
                "ec2:DescribeNatGateways",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeAddresses",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeRouteTables"
            ],
            "Resource": "*"
        }
    ]
}

Trust policy for the IAM_Role_Cost_Tag_For_S3_And_NAT that allows the LHO Application IAM Role in the app-host AWS Account to assume the role:

Code Block
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<LHO_App_Host_AWS_Account_ID>:role/<LHO_App_IAM_Role>"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

...

LHO application IAM Role permission policy:

Code Block
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AssumeCostExplorerRole",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::<Databricks_Wksp_AWS_Account_Id>:role/<IAM_Role_Cost_Explorer>"
        },
        {
            "Sid": "AssumeS3AndNatTagRole",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::<Databricks_Wksp_AWS_Account_Id>:role/<IAM_Role_Cost_Tag_For_S3_And_NAT>"
        }
    ]
}

Then, in the Lakehouse Monitor Optimizer .env config file, provide the ARNs of the source roles for Cost Explorer and for tagging:

Code Block
CROSS_ACCOUNT_ASSUME_IAM_ROLE_COST_EXPLORER_APP=arn:aws:iam::<Databricks_Wksp_AWS_Account_Id>:role/<IAM_Role_Cost_Explorer>
CROSS_ACCOUNT_ASSUME_IAM_ROLE_TAG_WORKSPACE_RESOURCE_APP=arn:aws:iam::<Databricks_Wksp_AWS_Account_Id>:role/<IAM_Role_Cost_Tag_For_S3_And_NAT>

If several AWS accounts host cloud resources for Databricks workspaces, provide a comma-separated list of role ARNs, one role per AWS account.
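The following Python script is an added example, not part of this page or of the Lakehouse Monitor Optimizer code. It checks the three pieces of the setup above for consistency before they are deployed: that each trust policy pins its principal to exactly the LHO Application IAM Role (no wildcard or account-root principal, no action beyond sts:AssumeRole), that every value in the comma-separated .env lists is a well-formed IAM role ARN, and that the LHO application role's permission policy actually allows sts:AssumeRole on every ARN listed in .env. The account IDs (111111111111, 222222222222, 333333333333) and role names are constructed placeholders standing in for the page's <...> values; the policies are embedded as Python dicts so the script runs offline with the standard library only.

```python
import json
import re

# Constructed placeholder values standing in for the page's <...> placeholders.
APP_HOST_ACCOUNT = "111111111111"
WKSP_ACCOUNT = "222222222222"
APP_ROLE_ARN = f"arn:aws:iam::{APP_HOST_ACCOUNT}:role/LHO_App_IAM_Role"

# Trust policy of IAM_Role_Cost_Explorer / IAM_Role_Cost_Tag_For_S3_And_NAT, as on the page.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": APP_ROLE_ARN},
        "Action": "sts:AssumeRole",
    }],
}

# Permission policy of the LHO application role (only the 222... account is allowed here).
APP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AssumeCostExplorerRole", "Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": f"arn:aws:iam::{WKSP_ACCOUNT}:role/IAM_Role_Cost_Explorer"},
        {"Sid": "AssumeS3AndNatTagRole", "Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": f"arn:aws:iam::{WKSP_ACCOUNT}:role/IAM_Role_Cost_Tag_For_S3_And_NAT"},
    ],
}

# Constructed .env fragment: two workspace accounts for Cost Explorer, one for tagging.
SAMPLE_ENV = """
CROSS_ACCOUNT_ASSUME_IAM_ROLE_COST_EXPLORER_APP=arn:aws:iam::222222222222:role/IAM_Role_Cost_Explorer,arn:aws:iam::333333333333:role/IAM_Role_Cost_Explorer
CROSS_ACCOUNT_ASSUME_IAM_ROLE_TAG_WORKSPACE_RESOURCE_APP=arn:aws:iam::222222222222:role/IAM_Role_Cost_Tag_For_S3_And_NAT
"""

# IAM role ARN: 12-digit account id, then role/ and the characters IAM permits in a role name.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")


def _as_list(v):
    """IAM allows a string or a list in Principal.AWS, Action and Resource; normalise to a list."""
    return v if isinstance(v, list) else [v]


def check_trust_policy(policy, expected_principal_arn):
    """Return a list of findings; an empty list means only the expected role may assume this role."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in principals:
            if p == "*":
                findings.append(f"statement {i}: wildcard principal")
                continue
            if p != expected_principal_arn:
                findings.append(f"statement {i}: unexpected principal {p}")
            if ROLE_ARN_RE.match(p) is None:
                # e.g. arn:aws:iam::<id>:root would let every identity in that account assume the role
                findings.append(f"statement {i}: principal is not a role ARN: {p}")
        extra = [a for a in _as_list(st.get("Action", [])) if a != "sts:AssumeRole"]
        if extra:
            findings.append(f"statement {i}: actions beyond sts:AssumeRole: {extra}")
    return findings


def parse_env_roles(env_text):
    """Map each CROSS_ACCOUNT_ASSUME_IAM_ROLE_* key to its list of role ARNs, validating each ARN."""
    out = {}
    for line in env_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if not key.startswith("CROSS_ACCOUNT_ASSUME_IAM_ROLE_"):
            continue
        arns = [a.strip() for a in value.split(",") if a.strip()]
        for a in arns:
            if ROLE_ARN_RE.match(a) is None:
                raise ValueError(f"{key}: not an IAM role ARN: {a}")
        out[key] = arns
    return out


def missing_assume_permissions(app_policy, env_roles):
    """Return the .env role ARNs that the app role's policy does not allow sts:AssumeRole on.

    Exact-match only: a wildcard Resource in the app policy is deliberately not expanded here.
    """
    allowed = set()
    for st in app_policy.get("Statement", []):
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st.get("Action", [])):
            allowed.update(_as_list(st.get("Resource", [])))
    needed = {arn for arns in env_roles.values() for arn in arns}
    return needed - allowed


if __name__ == "__main__":
    json.loads(json.dumps(TRUST_POLICY))  # a trailing comma in a hand-edited policy fails here
    print("trust policy findings:", check_trust_policy(TRUST_POLICY, APP_ROLE_ARN))
    roles = parse_env_roles(SAMPLE_ENV)
    print("roles not covered by the app policy:", missing_assume_permissions(APP_POLICY, roles))
```

Run as is, the trust-policy check returns no findings, and the coverage check reports the 333333333333 Cost Explorer role, i.e. a second workspace account was added to .env without adding a matching AssumeRole statement to the LHO application role, which is exactly the mismatch that surfaces only at runtime as an AccessDenied from STS.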