AWS CostExplorer

The LHM Application IAM Role (in the app-host AWS Account) assumes an IAM Role in the Databricks Workspace AWS Account; that role carries a permission policy granting access to the Cost Explorer data of that AWS Account Id:

IAM_Role_Cost_Explorer permission policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGetCostAndUsages",
            "Effect": "Allow",
            "Action": "ce:GetCostAndUsage",
            "Resource": "*"
        }
    ]
}

Trust policy for the IAM_Role_Cost_Explorer that allows the LHM Application IAM Role in the app-host AWS Account to assume the cost explorer role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<LHM_App_Host_AWS_Account_ID>:role/<LHM_App_IAM_Role>"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

LHM application IAM Role permission policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AssumeCostExplorerRole",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::<Databricks_Wksp_AWS_Account_Id>:role/<IAM_Role_Cost_Explorer>"
        }
    ]
}

Then, in the Lakehouse Monitor .env config file, provide the ARN of the Cost Explorer role to be assumed:

CROSS_ACCOUNT_ASSUME_IAM_ROLE_COST_EXPLORER_APP=arn:aws:iam::<Databricks_Wksp_AWS_Account_Id>:role/<IAM_Role_Cost_Explorer>

If multiple AWS accounts host cloud resources for Databricks workspaces, provide one role ARN for each account, comma-separated.
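The following is an added example, not code from the Lakehouse Monitor project, showing the end-to-end flow the three policies above enable: parse the comma-separated CROSS_ACCOUNT_ASSUME_IAM_ROLE_COST_EXPLORER_APP value, call sts:AssumeRole for each workspace account's role, and query ce:GetCostAndUsage with the temporary credentials. It assumes boto3 for a live run; the STS and Cost Explorer clients are injected so the flow can also be exercised offline with the constructed fake clients (FakeSTS, FakeCE) included below. The role names, account ids and cost amounts are constructed sample values.

```python
import os
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

ENV_VAR = "CROSS_ACCOUNT_ASSUME_IAM_ROLE_COST_EXPLORER_APP"
# IAM role ARN: 12-digit account id, optional path, role name. The comma is
# excluded from the name because the .env value uses it as list separator.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=.@/-]+)$")


@dataclass(frozen=True)
class CostExplorerRole:
    account_id: str
    arn: str


def parse_role_arns(value: Optional[str]) -> List[CostExplorerRole]:
    """Split the comma-separated .env value into validated role ARNs.

    A malformed entry fails here, naming the bad string, instead of
    surfacing later as an opaque AccessDenied from STS."""
    roles: List[CostExplorerRole] = []
    for raw in (value or "").split(","):
        arn = raw.strip()
        if not arn:
            continue
        match = ROLE_ARN_RE.match(arn)
        if not match:
            raise ValueError(f"{ENV_VAR}: not an IAM role ARN: {arn!r}")
        roles.append(CostExplorerRole(account_id=match.group(1), arn=arn))
    if not roles:
        raise ValueError(f"{ENV_VAR} is empty")
    return roles


def assume_role(sts, role_arn: str, session_name: str) -> Dict[str, str]:
    """sts:AssumeRole -> short-lived credentials as the kwargs boto3 expects."""
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                           DurationSeconds=3600)
    creds = resp["Credentials"]
    return {"aws_access_key_id": creds["AccessKeyId"],
            "aws_secret_access_key": creds["SecretAccessKey"],
            "aws_session_token": creds["SessionToken"]}


def monthly_unblended_cost(ce, start: str, end: str) -> Dict[str, float]:
    """ce:GetCostAndUsage, the single action the role is granted. End is exclusive."""
    resp = ce.get_cost_and_usage(TimePeriod={"Start": start, "End": end},
                                 Granularity="MONTHLY", Metrics=["UnblendedCost"])
    return {row["TimePeriod"]["Start"]: float(row["Total"]["UnblendedCost"]["Amount"])
            for row in resp["ResultsByTime"]}


def collect_costs(roles: List[CostExplorerRole], start: str, end: str,
                  sts_factory: Callable[[], object],
                  ce_factory: Callable[..., object]) -> Dict[str, Dict[str, float]]:
    """Assume each workspace account's role in turn and query its costs.

    The app role holds no ce:* permission itself, so every Cost Explorer
    call is made with credentials obtained from the assumed role."""
    sts = sts_factory()
    results: Dict[str, Dict[str, float]] = {}
    for role in roles:
        creds = assume_role(sts, role.arn, "lakehouse-monitor-cost-explorer")
        results[role.account_id] = monthly_unblended_cost(ce_factory(**creds), start, end)
    return results


# --- constructed fakes standing in for the boto3 clients (offline demo) -----
class FakeSTS:
    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds):
        acct = RoleArn.split(":")[4]  # account id field of the ARN
        return {"Credentials": {"AccessKeyId": "ASIA" + acct, "SecretAccessKey": "secret",
                                "SessionToken": "token-" + acct}}


class FakeCE:
    def __init__(self, account_id: str):
        self.account_id = account_id

    def get_cost_and_usage(self, TimePeriod, Granularity, Metrics):
        amount = "12.50" if self.account_id == "111111111111" else "3.25"  # constructed
        return {"ResultsByTime": [{"TimePeriod": dict(TimePeriod),
                                   "Total": {"UnblendedCost": {"Amount": amount, "Unit": "USD"}}}]}


def demo() -> Dict[str, Dict[str, float]]:
    """Run the flow over a constructed two-account .env value with the fakes."""
    env = ("arn:aws:iam::111111111111:role/IAM_Role_Cost_Explorer, "
           "arn:aws:iam::222222222222:role/IAM_Role_Cost_Explorer")
    return collect_costs(parse_role_arns(env), "2024-01-01", "2024-02-01", FakeSTS,
                         lambda **creds: FakeCE(creds["aws_session_token"][len("token-"):]))


if __name__ == "__main__":
    if os.environ.get(ENV_VAR):  # live run: needs boto3 and the app role's credentials
        import boto3
        print(collect_costs(parse_role_arns(os.environ[ENV_VAR]), "2024-01-01", "2024-02-01",
                            lambda: boto3.client("sts"),
                            lambda **c: boto3.client("ce", region_name="us-east-1", **c)))
    else:
        print(demo())
```

Validating the ARN list up front matters operationally: with several accounts configured, a typo in one entry otherwise shows up only as an STS failure in the middle of a collection run. The fakes exist only to exercise the control flow; the boto3 call signatures (assume_role, get_cost_and_usage) are the real ones.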
