Added `databricks labs ucx save-aws-iam-profiles` command to scan instance profiles, identify S3 access and save a CSV with permissions #817

Merged: nfx merged 41 commits into main from feature/aws-instance-profiles on Jan 23, 2024

Conversation

@FastLee (Contributor) commented Jan 19, 2024

Changes

CLI command to scan service principals and link to all the S3 buckets they have access to.
Generates a CSV file.

The CSV file has the following format:

```
instance_profile_arn,resource_type,privilege,resource_path,iam_role_arn
arn:aws:iam::12345:instance-profile/role1,s3,READ_FILES,s3://bucket1,arn:aws:iam::12345:role/role1
arn:aws:iam::12345:instance-profile/role1,s3,READ_FILES,s3a://bucket1,arn:aws:iam::12345:role/role1
arn:aws:iam::12345:instance-profile/role1,s3,READ_FILES,s3://bucket2,arn:aws:iam::12345:role/role1
arn:aws:iam::12345:instance-profile/role1,s3,READ_FILES,s3a://bucket2,arn:aws:iam::12345:role/role1
```

The command relies on the AWS CLI and requires the user to set up and configure it.
Requires a working setup of the [AWS CLI](https://aws.amazon.com/cli/).
The command saves a CSV to the UCX installation folder with the mapping.

The user has to be authenticated with AWS and have the permissions to browse the resources and IAM services.
More information can be found here:
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_permissions-required.html

Linked issues

closes #338

Functionality

- [ ] added relevant user documentation
- [x] added new CLI command
- [ ] modified existing command: `databricks labs ucx ...`
- [ ] added a new workflow
- [ ] modified existing workflow: `...`
- [ ] added a new table
- [ ] modified existing table: `...`

Tests

- [x] manually tested
- [x] added unit tests
- [ ] added integration tests
- [ ] verified on staging environment (screenshot attached)
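As an added example (not code from the ucx project), the following Python reader consumes the CSV format described above and summarises, per IAM role, which buckets it can reach and with which privilege. The column names and sample rows are taken from the description; collapsing the `s3://` and `s3a://` rows for the same bucket into one entry, and the `roles_with_privilege` helper, are my own assumptions about how a reviewer would inspect the output.

```python
"""Reader for the CSV produced by `databricks labs ucx save-aws-iam-profiles`.

Added example, not part of the ucx project. Column names and sample rows are
taken from the PR description; everything else is an assumption about how a
reviewer might inspect the output.
"""
import csv
import io
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: the rows shown in the PR description.
SAMPLE_CSV = """\
instance_profile_arn,resource_type,privilege,resource_path,iam_role_arn
arn:aws:iam::12345:instance-profile/role1,s3,READ_FILES,s3://bucket1,arn:aws:iam::12345:role/role1
arn:aws:iam::12345:instance-profile/role1,s3,READ_FILES,s3a://bucket1,arn:aws:iam::12345:role/role1
arn:aws:iam::12345:instance-profile/role1,s3,READ_FILES,s3://bucket2,arn:aws:iam::12345:role/role1
arn:aws:iam::12345:instance-profile/role1,s3,READ_FILES,s3a://bucket2,arn:aws:iam::12345:role/role1
"""

REQUIRED_COLUMNS = {
    "instance_profile_arn", "resource_type", "privilege", "resource_path", "iam_role_arn",
}


def bucket_name(resource_path: str) -> str:
    """Bucket part of an s3:// or s3a:// path; both schemes address the same bucket."""
    parsed = urlparse(resource_path)
    if parsed.scheme not in ("s3", "s3a") or not parsed.netloc:
        raise ValueError(f"not an S3 resource path: {resource_path!r}")
    return parsed.netloc


def parse_profiles_csv(text: str) -> list[dict[str, str]]:
    """Parse the CSV text, refusing files that lack the documented columns."""
    reader = csv.DictReader(io.StringIO(text))
    missing = REQUIRED_COLUMNS - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"CSV is missing columns: {sorted(missing)}")
    return list(reader)


def summarize_by_role(rows: list[dict[str, str]]) -> dict[str, dict[str, set[str]]]:
    """Map iam_role_arn -> bucket -> privileges, collapsing s3:// and s3a:// duplicates."""
    summary: dict[str, dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))
    for row in rows:
        if row["resource_type"] != "s3":  # only S3 rows are described in the PR
            continue
        bucket = bucket_name(row["resource_path"])
        summary[row["iam_role_arn"]][bucket].add(row["privilege"])
    return {role: dict(buckets) for role, buckets in summary.items()}


def roles_with_privilege(summary: dict[str, dict[str, set[str]]],
                         privilege: str) -> dict[str, list[str]]:
    """Roles holding `privilege` on at least one bucket, with a sorted bucket list.

    Handy when reviewing the mapping for least privilege: which roles hold a
    given privilege, and on how many buckets.
    """
    result: dict[str, list[str]] = {}
    for role, buckets in summary.items():
        hits = sorted(b for b, privs in buckets.items() if privilege in privs)
        if hits:
            result[role] = hits
    return result


if __name__ == "__main__":
    summary = summarize_by_role(parse_profiles_csv(SAMPLE_CSV))
    for role, buckets in summary.items():
        for bucket, privs in sorted(buckets.items()):
            print(f"{role}  s3://{bucket}  {','.join(sorted(privs))}")
```

Run against the real file by replacing `SAMPLE_CSV` with the contents of the CSV saved in the UCX installation folder; the column check makes the reader fail loudly rather than silently produce an empty summary if the file layout differs.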

codecov bot commented Jan 19, 2024

Codecov Report

Attention: 31 lines in your changes are missing coverage. Please review.

Comparison is base (e36db5f) 85.39% compared to head (5cfdd8a) 85.39%.

| Files | Patch % | Lines |
|---|---|---|
| src/databricks/labs/ucx/assessment/aws.py | 89.83% | 9 Missing and 10 partials ⚠️ |
| src/databricks/labs/ucx/cli.py | 57.14% | 11 Missing and 1 partial ⚠️ |

```
@@           Coverage Diff            @@
##             main     #817    +/-   ##
========================================
  Coverage   85.39%   85.39%            
========================================
  Files          40       41     +1     
  Lines        5031     5246   +215     
  Branches      921      965    +44     
========================================
+ Hits         4296     4480   +184     
- Misses        523      543    +20     
- Partials      212      223    +11     
```

@nfx nfx marked this pull request as ready for review January 20, 2024 11:13
@nfx nfx requested review from a team and tnguyen-db January 20, 2024 11:13
@FastLee FastLee force-pushed the feature/aws-instance-profiles branch from a941fb9 to df5864b January 22, 2024 21:49
@FastLee FastLee enabled auto-merge January 23, 2024 15:51
@FastLee FastLee dismissed dmoore247’s stale review January 23, 2024 16:36

All changes were implemented

@nfx nfx disabled auto-merge January 23, 2024 16:48
@nfx nfx merged commit d4abc27 into main Jan 23, 2024
@nfx nfx deleted the feature/aws-instance-profiles branch January 23, 2024 16:48
nfx added a commit that referenced this pull request Jan 26, 2024
* Added `databricks labs ucx alias` command to create a view of tables from one schema/catalog in another schema/catalog ([#837](#837)).
* Added `databricks labs ucx save-aws-iam-profiles` command to scan instance profiles identify AWS S3 access and save a CSV with permissions ([#817](#817)).
* Added total view counts in the assessment dashboard ([#834](#834)).
* Cleaned up `assess_jobs` and `assess_clusters` tasks in the `assessment` workflow to improve testing and reduce redundancy ([#825](#825)).
* Added documentation for the assessment report ([#806](#806)).
* Fixed escaping for SQL object names ([#836](#836)).

Dependency updates:

 * Updated databricks-sdk requirement from ~=0.17.0 to ~=0.18.0 ([#832](#832)).
@nfx nfx mentioned this pull request Jan 26, 2024
dmoore247 pushed a commit that referenced this pull request Mar 23, 2024
dmoore247 pushed a commit that referenced this pull request Mar 23, 2024
Successfully merging this pull request may close these issues.

Report AWS Instance Profile to UC Storage Credentials (via query)