Update Ahana AWS IAM Policies

When your Ahana Compute Plane was set up, an AWS IAM role and policies were created in your AWS account to provision the Compute Plane and allow that role to create Presto clusters and related activities.

info

The contents of the policies are available at Ahana AWS IAM Policies.

To view the current Ahana AWS IAM policies in Ahana, see View the AWS Policies in Ahana.

For information about the role, see Ahana Provisioning Role.

Since the time that the IAM policies were created in your AWS account, they might have drifted out of sync with the state that Ahana Cloud expects. Why?

  • Ahana may have updated its IAM policies to support new features, improve security, or align with AWS changes.

  • It’s possible that someone in your organization changed the Ahana IAM policies.

    tip

    Ahana recommends against editing these IAM policies because the features that Ahana provides could be affected. If you have a specific need to alter the Ahana IAM policies, work with your Ahana representative or Contact Ahana Support to discuss the potential impact of any changes.

If those policies in the user’s AWS account do not match the policies that Ahana currently expects, this banner appears in the Ahana Console in Account Settings:

[Image: New IAM Policies banner]

Update AWS Policies

Perform these steps to:

  • identify which update method to use
  • follow the appropriate steps to update the IAM policies

Identify Which Update Method to Use

The Compute Plane might have been provisioned using CloudFormation templates, or provisioned manually. How the Compute Plane was provisioned determines which method to use to update the IAM policies. To identify how the Compute Plane was provisioned and which update method to use:

  1. Log in to Ahana.
  2. In the upper right, select the account name, then select Account Settings.
  3. At the right end of Role ARN, select the Launch icon to open the AWS Console.
  4. In Permissions policies, find the Operations AWS Policy attached to the role. The recommended name of the Operations AWS Policy is ahana-cloud-operations-policy, but that name is not required.

Update AWS Policies Using CloudFormation

  1. In Ahana:
    1. In Role ARN, identify the role name to the right of the /. For example, ahana-cloud-provisioning-role.
    2. Note the AWS Region.
  2. In the New IAM Policies banner:
    1. Select Copy S3 URL.
    2. Select Open CloudFormation.
  3. In AWS CloudFormation, confirm that the AWS Console displays the same AWS Region that was shown in Ahana.
  4. Select the stack name that matches the role name in Role ARN in Ahana.
  5. Select Update.
  6. Select Replace current template, then select Amazon S3 URL.
  7. In Amazon S3 URL, enter the URL that was copied from Copy S3 URL in the Ahana New IAM Policies banner.
  8. Select Next, Next, Next.
  9. In AWS, select the checkbox I acknowledge that AWS CloudFormation might create IAM resources with custom names, then select Update Stack.
  10. When the stack displays UPDATE_COMPLETE, return to Ahana.
  11. In Ahana, in the New IAM Policies banner, select Verify IAM Update. When the banner is not displayed, the policies are in sync with Ahana’s and the task succeeded.

Update AWS Policies Manually

  1. In Ahana, at the right end of Role ARN, select the Launch icon to open the AWS Console and display the IAM Role. There should be two policies attached to the Role: one for infrastructure and one for operations. [Image: IAM Role with managed Operations policy]

  2. In Permissions policies, select the Operations AWS Policy attached to the role. The recommended name of the Operations AWS Policy is ahana-cloud-operations-policy, but that name is not required.

  3. To update the selected policy, perform the following steps:

    1. In Ahana, select Copy Policy for the policy that you are updating.
    2. In AWS, select Edit Policy.
    3. Select JSON.
    4. In the policy editor, delete the contents and enter the policy copied from Ahana.
    5. Select Review Policy.
    6. Select Save Changes.
    7. In Ahana, in the New IAM Policies banner, select Verify IAM Update. If the banner disappears, the task was successful.
  4. To update the Core Infrastructure AWS Policy, select the infrastructure policy and then perform the steps in step 3. The recommended name of the Core Infrastructure AWS Policy is ahana-cloud-infrastructure-policy, but that name is not required.

    note

    If the Core Infrastructure AWS Policy is not present, skip this step. See Detached Core Infrastructure AWS Policy.

  5. To update the Permission Boundary AWS Policy:

    1. Select Policies in the left sidebar.
    2. Select the policy named ahana-cloud-boundary-policy, then perform the steps in step 3.
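
Step 3 of the manual procedure replaces the whole policy document, so it is worth reviewing what the replacement grants or revokes before selecting Save Changes. The following is an added example, not code from Ahana: it flattens two policy documents into individual grants and reports the difference. The function names and the two sample documents are constructed for illustration and are not Ahana's actual policies.

```python
import json

def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def grants(policy_json):
    """Flatten a policy document into (effect, action, resource, condition) tuples."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):      # a lone statement may be a bare object
        statements = [statements]
    out = set()
    for st in statements:
        if "NotAction" in st or "NotResource" in st:
            raise ValueError("NotAction/NotResource statement: review by hand")
        cond = json.dumps(st.get("Condition", {}), sort_keys=True)
        for action in _as_list(st.get("Action")):
            for resource in _as_list(st.get("Resource")):
                # Action names are case-insensitive in IAM; ARNs are not.
                out.add((st["Effect"], action.lower(), resource, cond))
    return out

def policy_delta(current_json, replacement_json):
    """Return the grants the replacement adds and the grants it removes."""
    cur, new = grants(current_json), grants(replacement_json)
    return {"added": sorted(new - cur), "removed": sorted(cur - new)}

# Constructed sample documents, not Ahana's actual policies.
CURRENT = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
  {"Effect": "Allow", "Action": "s3:GetObject",
   "Resource": "arn:aws:s3:::example-bucket/*"}]}"""
REPLACEMENT = """{"Version": "2012-10-17", "Statement":
  {"Effect": "Allow", "Action": ["EC2:describeinstances", "ec2:DescribeVpcs"],
   "Resource": "*"}}"""

if __name__ == "__main__":
    delta = policy_delta(CURRENT, REPLACEMENT)
    for kind in ("added", "removed"):
        for effect, action, resource, cond in delta[kind]:
            print(f"{kind:8}{effect:6}{action} on {resource} if {cond}")
```

To use it on real documents, paste the JSON shown in the AWS policy editor as the current document and the text from Copy Policy as the replacement. An empty delta means the two documents grant the same permissions even if their formatting differs.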