Single AWS Account access policies for LHO
These policies are required when the Lakehouse Optimizer (LHO) application is deployed on an AWS EC2 instance in the same AWS account as the monitored Databricks workspaces.
Instance profile IAM role (of the LHO application VM) with at least the following policies assigned:
Allow Cost Explorer read
Cost Explorer actions do not support resource-level permissions, so "Resource": "*" is the only valid scope for this statement; it grants read access to cost data only.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "BplmAWSCostReader",
"Effect": "Allow",
"Action": "ce:GetCostAndUsage",
"Resource": "*"
}
]
}
Allow read of the created secret
You will need to update this policy definition with your AWS account ID and secret name. Keep the trailing * after the secret name: Secrets Manager appends a random six-character suffix to every secret ARN, so an exact-name resource would never match. If the secret lives in a single region, replace the region wildcard with that region.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "BplmSecretsReader",
"Effect": "Allow",
"Action": "secretsmanager:GetSecretValue",
"Resource": "arn:aws:secretsmanager:*:{AWS Account ID}:secret:{SecretNameHere}*"
}
]
}
Allow management of DynamoDB and Simple Queue Service
You will need to update this policy definition with your AWS account ID. Both statements are scoped to resource names containing bplm, so the role can only create and read tables and queues that follow that naming convention.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "BplmDynamoPolicy",
"Effect": "Allow",
"Action": [
"dynamodb:CreateTable",
"dynamodb:UpdateTable",
"dynamodb:UpdateTimeToLive",
"dynamodb:DescribeTable",
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:BatchGetItem"
],
"Resource": [
"arn:aws:dynamodb:*:{AWS Account ID}:table/*bplm*"
]
},
{
"Sid": "BplmSqsPolicy",
"Effect": "Allow",
"Action": [
"sqs:DeleteMessage",
"sqs:GetQueueUrl",
"sqs:ReceiveMessage",
"sqs:CreateQueue"
],
"Resource": [
"arn:aws:sqs:*:{AWS Account ID}:*bplm*"
]
}
]
}
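The two notes above ask you to substitute your account ID and secret name into the templates before attaching them to the role. The script below is an added example, not part of the LHO documentation or product: it fills the {AWS Account ID} and {SecretNameHere} placeholders used on this page, confirms each result is well-formed JSON, and flags any Allow statement that uses Resource "*" for a service that does support resource-level scoping (only the Cost Explorer statement is exempt). The account ID, secret name and the LhoCostReader/LhoSecretsReader/LhoDynamoSqs policy names are constructed for illustration.

```python
"""Render and lint the LHO instance-profile policy templates shown above.

Added example; not part of the Lakehouse Optimizer documentation or product.
"""
import json
import re

# The three templates from this page, kept as raw strings because the
# placeholders contain spaces and braces and so cannot go through str.format.
COST_TEMPLATE = '''{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "BplmAWSCostReader", "Effect": "Allow",
     "Action": "ce:GetCostAndUsage", "Resource": "*"}
  ]
}'''

SECRETS_TEMPLATE = '''{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "BplmSecretsReader", "Effect": "Allow",
     "Action": "secretsmanager:GetSecretValue",
     "Resource": "arn:aws:secretsmanager:*:{AWS Account ID}:secret:{SecretNameHere}*"}
  ]
}'''

DYNAMO_SQS_TEMPLATE = '''{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "BplmDynamoPolicy", "Effect": "Allow",
     "Action": ["dynamodb:CreateTable", "dynamodb:UpdateTable",
                "dynamodb:UpdateTimeToLive", "dynamodb:DescribeTable",
                "dynamodb:Scan", "dynamodb:Query", "dynamodb:BatchGetItem"],
     "Resource": ["arn:aws:dynamodb:*:{AWS Account ID}:table/*bplm*"]},
    {"Sid": "BplmSqsPolicy", "Effect": "Allow",
     "Action": ["sqs:DeleteMessage", "sqs:GetQueueUrl",
                "sqs:ReceiveMessage", "sqs:CreateQueue"],
     "Resource": ["arn:aws:sqs:*:{AWS Account ID}:*bplm*"]}
  ]
}'''

PLACEHOLDERS = ("{AWS Account ID}", "{SecretNameHere}")

# Services whose IAM actions accept no resource-level permissions, so
# "Resource": "*" is the only valid choice for them.
NO_RESOURCE_LEVEL_SERVICES = {"ce"}


def render_policy(template: str, account_id: str, secret_name: str = "") -> dict:
    """Fill in the placeholders and parse the result as a policy document."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError(f"AWS account ID must be 12 digits, got {account_id!r}")
    if "{SecretNameHere}" in template and not secret_name:
        raise ValueError("this template needs a secret name")
    # Secrets Manager names allow ASCII letters, digits and /_+=.@-
    if secret_name and not re.fullmatch(r"[A-Za-z0-9/_+=.@-]+", secret_name):
        raise ValueError(f"invalid Secrets Manager name {secret_name!r}")
    rendered = template.replace("{AWS Account ID}", account_id)
    rendered = rendered.replace("{SecretNameHere}", secret_name)
    leftover = [p for p in PLACEHOLDERS if p in rendered]
    if leftover:
        raise ValueError(f"unfilled placeholders: {leftover}")
    return json.loads(rendered)  # raises if the document is not valid JSON


def _as_list(value):
    return value if isinstance(value, list) else [value]


def unscoped_statements(policy: dict) -> list:
    """Return Sids of Allow statements using Resource "*" for a service that
    does support resource-level permissions (a least-privilege gap)."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        services = {a.split(":")[0] for a in _as_list(stmt["Action"])}
        if not services <= NO_RESOURCE_LEVEL_SERVICES:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def render_all(account_id: str, secret_name: str) -> dict:
    """Render every template; the keys are hypothetical inline-policy names."""
    docs = {
        "LhoCostReader": render_policy(COST_TEMPLATE, account_id),
        "LhoSecretsReader": render_policy(SECRETS_TEMPLATE, account_id, secret_name),
        "LhoDynamoSqs": render_policy(DYNAMO_SQS_TEMPLATE, account_id),
    }
    for name, doc in docs.items():
        gaps = unscoped_statements(doc)
        if gaps:
            raise ValueError(f"{name}: unscoped Resource '*' in {gaps}")
    return docs


if __name__ == "__main__":
    # Constructed account ID and secret name, for illustration only.
    for name, doc in render_all("123456789012", "lho/databricks-token").items():
        print(f"# {name}")
        print(json.dumps(doc, indent=2))
```

Each rendered document can be saved to a file and attached to the instance profile role with aws iam put-role-policy; the lint step is what catches a copy-paste mistake such as widening a DynamoDB or SQS resource to "*" while editing the account ID.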
Allow S3 bucket tag get/set, used for reporting workspace storage cost
Allow EC2 tag management, used for reporting workspace NAT Gateway costs
Delivered billable usage logs: