AWS CostExplorer
The LHM Application IAM Role (in the app-host AWS Account) assumes an IAM Role in the Databricks Workspace AWS Account. That role carries a permission policy that allows read access to Cost Explorer data in that AWS Account Id, and a trust policy that allows only the LHM Application IAM Role to assume it:
IAM_Role_Cost_Explorer permission policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGetCostAndUsages",
      "Effect": "Allow",
      "Action": "ce:GetCostAndUsage",
      "Resource": "*"
    }
  ]
}
Trust policy for IAM_Role_Cost_Explorer that allows the LHO Application IAM Role in the app-host AWS Account to assume the cost explorer role (the original listing had a trailing comma after "Action", which is invalid JSON and is removed here):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<LHM_App_Host_AWS_Account_ID>:role/<LHM_App_IAM_Role>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
LHO Application IAM Role permission policy (in the app-host AWS Account), scoped to the single cost explorer role it is allowed to assume:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AssumeCostExplorerRole",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::<Databricks_Wksp_AWS_Account_Id>:role/<IAM_Role_Cost_Explorer>"
    }
  ]
}
Then, in the Lakehouse Monitor .env config file, provide the ARN of the cost explorer role to assume:
CROSS_ACCOUNT_ASSUME_IAM_ROLE_COST_EXPLORER_APP=arn:aws:iam::<Databricks_Wksp_AWS_Account_Id>:role/<IAM_Role_Cost_Explorer>
If multiple AWS accounts host cloud resources for Databricks workspaces, provide one such role ARN per account in this variable, comma-separated.
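The following is an added example (not part of the original page or the Lakehouse Monitor product code) showing how an application could consume the CROSS_ACCOUNT_ASSUME_IAM_ROLE_COST_EXPLORER_APP setting described above: split the comma-separated list, validate that each entry is an IAM role ARN before using it, assume each role with a short-lived session, and call GetCostAndUsage with the temporary credentials. The function names, the regex, the 900-second session duration and the daily UnblendedCost query are assumptions made for this example; the sample ARNs are constructed with placeholder account ids. The boto3 calls (sts.assume_role, ce.get_cost_and_usage) are the real AWS SDK methods; boto3 is imported only inside the network-facing function so the parsing and validation can be exercised offline.

```python
import os
import re
from datetime import date, timedelta

# IAM role ARN: arn:aws:iam::<12-digit account id>:role/<optional path/>name.
# Commas are excluded from the name because the env var uses them as separators.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=.@/-]+)$")

ENV_VAR = "CROSS_ACCOUNT_ASSUME_IAM_ROLE_COST_EXPLORER_APP"


def is_role_arn(value):
    """True if value looks like an IAM role ARN (format check only)."""
    return ROLE_ARN_RE.match(value) is not None


def account_id_of(role_arn):
    """Return the 12-digit account id embedded in a validated role ARN."""
    match = ROLE_ARN_RE.match(role_arn)
    if match is None:
        raise ValueError(f"not an IAM role ARN: {role_arn!r}")
    return match.group(1)


def parse_cost_explorer_roles(raw_value):
    """Split the comma-separated env var into role ARNs, rejecting malformed entries.

    Whitespace around entries is tolerated; empty entries (e.g. a trailing comma)
    are skipped. Any entry that is not a role ARN raises, so a typo in .env fails
    at startup rather than at the first STS call.
    """
    roles = []
    for entry in raw_value.split(","):
        arn = entry.strip()
        if not arn:
            continue
        if not is_role_arn(arn):
            raise ValueError(f"{ENV_VAR}: not an IAM role ARN: {arn!r}")
        roles.append(arn)
    if not roles:
        raise ValueError(f"{ENV_VAR}: no role ARNs configured")
    return roles


def cost_query_params(start, end, granularity="DAILY"):
    """Build the GetCostAndUsage request body. Cost Explorer treats End as exclusive."""
    if end <= start:
        raise ValueError("end must be after start")
    return {
        "TimePeriod": {"Start": start.isoformat(), "End": end.isoformat()},
        "Granularity": granularity,
        "Metrics": ["UnblendedCost"],
    }


def fetch_cost_for_role(role_arn, params, session_name="lhm-cost-explorer"):
    """Assume the cross-account role and query Cost Explorer with the temporary credentials.

    Requires network access and AWS credentials for the app-host account.
    """
    import boto3  # imported here so the rest of the module works offline

    sts = boto3.client("sts")
    creds = sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        DurationSeconds=900,  # shortest allowed session; the query takes seconds
    )["Credentials"]
    # Cost Explorer is served from the us-east-1 endpoint regardless of workspace region.
    ce = boto3.client(
        "ce",
        region_name="us-east-1",
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    return ce.get_cost_and_usage(**params)


if __name__ == "__main__":
    # Reads the .env-provided variable from the environment and queries each account.
    roles = parse_cost_explorer_roles(os.environ.get(ENV_VAR, ""))
    today = date.today()
    params = cost_query_params(today - timedelta(days=7), today)
    for arn in roles:
        print(f"account {account_id_of(arn)} via {arn}")
        print(fetch_cost_for_role(arn, params)["ResultsByTime"])
```

Validating the ARN list up front matters because a malformed or overly broad entry would otherwise surface only as a confusing AccessDenied from STS; pairing this with the single-resource sts:AssumeRole statement shown above keeps the application unable to reach any role other than the configured cost explorer roles.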