Ryft accesses metadata through a single IAM Role. Use CloudFormation / Terraform or create the role manually.

Option A: Create IAM Role with CloudFormation / Terraform

For the simplest integration, we recommend using our CloudFormation template to create the role. Click here to launch the CloudFormation template.
  • Make sure to enter the External ID provided to you by Ryft.
  • Before launching the stack, make sure to log in to the AWS account where you want to create the access role.
  • To disable Glue access, set EnableGlueAccess to false.
  • To disable Athena access, set EnableAthenaAccess to false.

Option B: Create the IAM Role manually

  1. Log in to your AWS account
  2. Security → Identity & Compliance → IAM → Roles
  3. Click Create Role
  4. Select AWS Account
  5. Select Another AWS Account
  6. Enter Ryft’s AWS account ID: 864981746572
  7. Enable Require External ID, and enter the External ID received from Ryft
  8. For permissions, we are going to create the policies in the next steps
  9. Give the role a name, e.g. Ryft-ControlPlaneRole
  10. Click Create Role
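Steps 4 to 7 above produce the role's trust policy. The following added example (not Ryft's code or template) builds that trust policy for the account ID from step 6 and audits an existing one for the three things that matter before you hand the role ARN to a third party: an exact principal rather than a wildcard, sts:AssumeRole only, and a required sts:ExternalId condition (the confused-deputy protection). The External ID value is a constructed placeholder.

```python
import json

# Ryft account ID from step 6; the External ID below is a placeholder,
# use the value Ryft gave you.
RYFT_ACCOUNT_ID = "864981746572"


def build_trust_policy(external_id: str, ryft_account: str = RYFT_ACCOUNT_ID) -> dict:
    """Trust policy equivalent to steps 4-7: only the Ryft account may call
    sts:AssumeRole, and only when it presents the agreed External ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ryft_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_findings(policy: dict, expected_account: str = RYFT_ACCOUNT_ID) -> list:
    """Audit a role trust policy. Returns a list of problems; an empty list means
    every Allow statement names exactly the Ryft account, grants only
    sts:AssumeRole and requires an External ID."""
    findings = []
    expected = f"arn:aws:iam::{expected_account}:root"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else list(aws)
        if "*" in aws:
            findings.append("principal is a wildcard: any AWS account could assume the role")
        elif not aws:
            findings.append("statement has no AWS principal")
        else:
            findings.extend(f"principal {p!r} is not the Ryft account" for p in aws if p != expected)
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if any(a != "sts:AssumeRole" for a in actions):
            findings.append(f"trust policy allows more than sts:AssumeRole: {actions}")
        ext_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext_id:
            findings.append("no sts:ExternalId condition: confused-deputy risk")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy("REPLACE-WITH-EXTERNAL-ID-FROM-RYFT")
    print(json.dumps(policy, indent=2))
    print(trust_policy_findings(policy))
```

To audit a role that already exists, feed it the document returned by `aws iam get-role --role-name Ryft-ControlPlaneRole` (the AssumeRolePolicyDocument field) instead of the generated one.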

AWS Policies

AWS S3

  1. IAM → Roles → Search for “Ryft-ControlPlaneRole” (or the name you used)
  2. Add permissions → Create inline policy → Select the JSON tab
  3. Add the following policy to provide S3 access to the table metadata
  4. Give the policy a name and save it (e.g. RyftS3AccessPolicy)
  5. Attach the created policy to the Ryft-ControlPlaneRole
{
    "Version": "2012-10-17",
    "Statement": [
      {
          "Sid": "AllowS3MetadataAccess",
          "Effect": "Allow",
          "Action": [
              "s3:GetObject"
          ],
          "Resource": [
              "arn:aws:s3:::<bucket>/*/metadata/*"
          ]
      },
      {
          "Sid": "AllowListBucket",
          "Effect": "Allow",
          "Action": [
              "s3:ListBucket"
          ],
          "Resource": [
              "arn:aws:s3:::<bucket>"
          ]
      }
    ]
}

AWS Glue

  1. IAM → Roles → Search for “Ryft-ControlPlaneRole” (or the name you used)
  2. Add permissions → Create inline policy → Select the JSON tab
  3. Add the following policy to provide Glue API access
  4. Give the policy a name and save it (e.g. RyftGlueAccessPolicy)
  5. Attach the created policy to the Ryft-ControlPlaneRole
{
    "Version": "2012-10-17",
    "Statement": [
      {
          "Sid": "AllowGlueCatalogTableAccess",
          "Effect": "Allow",
          "Action": [
              "glue:GetTable",
              "glue:GetTables",
              "glue:GetDatabase",
              "glue:GetDatabases",
              "glue:GetCatalog",
              "glue:GetCatalogs"
          ],
          "Resource": [
              "arn:aws:glue:<region>:<account>:table/*/*",
              "arn:aws:glue:<region>:<account>:catalog",
              "arn:aws:glue:<region>:<account>:catalog/*",
              "arn:aws:glue:<region>:<account>:database/*"
          ]
      }
    ]
}

AWS Athena

  1. IAM → Roles → Search for “Ryft-ControlPlaneRole” (or the name you used)
  2. Add permissions → Create inline policy → Select the JSON tab
  3. Add the following policy to provide Athena API access
  4. Name the policy “Ryft-AthenaMetadataAccess”
  5. Attach the created policy to the Ryft-ControlPlaneRole
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Ryft-AthenaMetadataAccess",
            "Effect": "Allow",
            "Action": [
                "athena:ListWorkGroups",
                "athena:GetWorkGroup",
                "athena:GetQueryExecution",
                "athena:GetQueryRuntimeStatistics",
                "athena:BatchGetQueryExecution",
                "athena:ListQueryExecutions",
                "athena:ListDataCatalogs",
                "athena:GetDataCatalog"
            ],
            "Resource": "*"
        }
    ]
}
You are done! Locate the ARN of the role you have just created (“Ryft-ControlPlaneRole”) and provide it to Ryft; we will then finish setting up the integration. The ARN should look similar to: arn:aws:iam::<account>:role/Ryft-ControlPlaneRole

Glue Metadata Encryption

If you are using Glue Metadata Encryption, ensure that the role you created above also has the necessary KMS permissions on the encryption key. Replace the key ARN in the example below with the ARN of your own key.
{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
            "kms:Decrypt",
            "kms:Encrypt",
            "kms:GenerateDataKey"
        ],
        "Resource": "arn:aws:kms:us-east-1:111122223333:key/key-id"
      }
    ]
}

AWS Lake Formation

If you are using AWS Lake Formation to manage access to your Glue Catalog, ensure that the role you created above has the necessary Lake Formation permissions as well. Follow the AWS documentation here to grant the required permissions to the role.

Amazon S3 Access Points

If you are using Amazon S3 Access Points as the storage location for your tables, ensure that the role you created above also has the necessary permissions for the access point. The policy for access points should include the same S3 actions mentioned above, with the resource in the format arn:aws:s3:<region>:<account_id>:accesspoint/<access_point_name>. For more details, see AWS documentation here.