AWS S3 object storage

You can configure DataRobot to use AWS S3 for object storage, which is the recommended setup for DataRobot on EKS. See the Object Storage Configuration section for the required settings.

In addition to the DataRobot configuration, the EKS IRSA role needs a policy that allows it to read from and write to the cluster's S3 bucket.

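The policy below allows the EKS IRSA role to read and write objects in the designated S3 bucket. Note that its second statement grants the bucket-listing actions on all buckets (arn:aws:s3:::*), not only on the designated one: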

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAccessToProduction",
            "Effect": "Allow",
            "Action": [
                "s3:DeleteObject",
                "s3:Get*",
                "s3:PutObject",
                "s3:ReplicateDelete",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::DATAROBOT_S3_BUCKET/*"
            ]
        },
        {
            "Sid": "AllowListBucketsProduction",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:ListBucketVersions",
                "s3:ListAllMyBuckets"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        }
    ]
}

Note

Replace DATAROBOT_S3_BUCKET with your DataRobot S3 bucket name.

AWS S3 object storage with KMS encryption

If the AWS S3 bucket is configured with a customer-managed AWS Key Management Service (KMS) key, the AWS IRSA role must also be allowed to use the KMS key. You must set this permission in the Key Policy on the relevant KMS key.

The following example Key Policy excerpt allows an AWS IRSA role to use the KMS key for encryption and decryption:

        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::AWS_ACCOUNT_NUMBER:role/AWS_IRSA_ROLE_NAME"
                ]
            },
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "*"
        }

Note

  • Replace AWS_ACCOUNT_NUMBER with your AWS account ID.
  • Replace AWS_IRSA_ROLE_NAME with your AWS IRSA role name.

For information on configuring DataRobot to use a KMS key, consult the "Server-side encryption settings" section of Object Storage Configuration.
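A pre-apply check for the two policy documents above, given as an added example that is not part of the DataRobot documentation: it reports placeholders that were left in, statements with no valid Effect, and bucket-listing actions granted on every bucket. The function names and the sample document are constructed for illustration.

```python
import json

# Placeholders used on this page; each must be replaced before the policy is applied.
PLACEHOLDERS = ("DATAROBOT_S3_BUCKET", "AWS_ACCOUNT_NUMBER", "AWS_IRSA_ROLE_NAME")
# Bucket-level actions from the page's second statement (matched against bucket ARNs).
BUCKET_ACTIONS = {"s3:ListBucket", "s3:ListBucketVersions"}
ALL_BUCKETS = {"*", "arn:aws:s3:::*"}


def as_list(value):
    """IAM allows a string or a list for Statement/Action/Resource; normalise."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def check_policy(policy_text):
    """Return sorted (sid, finding) pairs for an IAM policy or key policy document."""
    findings = {("-", f"placeholder {p} not replaced")
                for p in PLACEHOLDERS if p in policy_text}
    for stmt in as_list(json.loads(policy_text).get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.add((sid, "missing or invalid Effect"))
        broad = BUCKET_ACTIONS & set(as_list(stmt.get("Action")))
        if broad and ALL_BUCKETS & set(as_list(stmt.get("Resource"))):
            findings.add((sid, "bucket listing granted on all buckets: "
                               + ", ".join(sorted(broad))))
    return sorted(findings)


# Constructed sample: both statements of the page's S3 policy (the first one
# abridged), with the bucket placeholder left in by mistake.
SAMPLE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAccessToProduction", "Effect": "Allow",
         "Action": ["s3:Get*", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::DATAROBOT_S3_BUCKET/*"]},
        {"Sid": "AllowListBucketsProduction", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:ListBucketVersions", "s3:ListAllMyBuckets"],
         "Resource": ["arn:aws:s3:::*"]},
    ],
})

if __name__ == "__main__":
    for sid, finding in check_policy(SAMPLE):
        print(f"{sid}: {finding}")
```

This page does not say whether DataRobot still works with the listing actions narrowed to the DataRobot bucket ARN, so treat that finding as a prompt to review the scope, not as a required change.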