Skip to content

Automate RLS dataset cretion #373

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 12 commits into
base: main
Choose a base branch
from
Open

Automate RLS dataset cretion #373

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
e4a74dd
WIP: automatic creation of dataset
Jun 30, 2025
d742fcf
WIP: small fixes
Jun 30, 2025
ad70ee1
Update rls/deploy/deploy_cid_rls.yaml
vmindru Jun 30, 2025
b7aeca0
Update rls/deploy/deploy_cid_rls.yaml
vmindru Jun 30, 2025
4de25ec
Update rls/deploy/deploy_cid_rls.yaml
vmindru Jun 30, 2025
351db7b
WIP: Update Readme
Jun 30, 2025
ca2d91b
WIP: Split params into groups, add conditional for lambda resources d…
Jun 30, 2025
467208d
typo fix
Jun 30, 2025
6eba5d1
WIP: small fixes
Jun 30, 2025
2ef6d83
WIP: small fixes, rename RLS lambda
Jun 30, 2025
8b0edd6
Add option to Athena serder to ignore first header line
Jul 1, 2025
ac198ef
Fix name
Jul 7, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
119 changes: 14 additions & 105 deletions rls/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,29 +1,16 @@
# RLS generator for QuickSight
# QuickSight RLS

## About QS RLS generator
Generate RLS csv file for QuickSight based on AWS Organizational Units.

[About QuickSight RLS](https://docs.aws.amazon.com/quicksight/latest/user/restrict-access-to-a-data-set-using-row-level-security.html)
[About AWS Organizational Unit ](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html)
This cloudformation will deploy Lambda code that will generate RLS rules based on OU tags.
Will create a Athena table based on the CSV rules in S3, create QuickSight DataSource and QuikcSight DataSet


## Getting Started
## RLS Generator and RLS dataset management
Generate RLS csv file for QuickSight based on AWS Organizational Units.

Code can be executed locally or as Lambda. [AWS Credentials](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html) are managed standard way.
To run the lambda define following `ENV_VARS` with following DEFAULTS if ENV_VAR is not set.

[Using AWS Lambda environment variables](https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html)
[About QuickSight RLS](https://docs.aws.amazon.com/quicksight/latest/user/restrict-access-to-a-data-set-using-row-level-security.html)
[About AWS Organizational Unit ](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html)


List of Variables to preconfigure
```
OWNER_TAG = 'cid_users'
BUCKET_NAME = 'NO DEFAULT' # Bucket where to upload the code
QS_REGION = 'QS region'
export MANAGEMENT_ACCOUNT_IDS='coma seaprated value of account_ids, format ACC_ID:REGION'
export MANAGMENTROLENAME=WA-Lambda-Assume-Role-Management-Account # Role to Assume in every payer/management account
TMP_RLS_FILE = '/tmp/cid_rls.csv'
```
## Defining TAGS

1) Tags at root OU level, Give full access to all data and overwrite any other rules for user at other levels.
Expand All @@ -32,93 +19,15 @@ TMP_RLS_FILE = '/tmp/cid_rls.csv'


## Output

Output is writen to `TMP_RLS_FILE` location and uploaded to `BUCKET_NAME`.
Output is uploaded to `BUCKET_NAME`.


## Example Output


```
UserName,account_id,payer_id
[email protected],,
vmindru_has_it_all,,
Admin/vmindru-Isengard,,
cross_ou_user,"0140000000,7200000,74700000,853000000",
foo_inherit,74700000000,
student1,"853000000,126000000",
student2,"853678200000,126600000",
other@company_foo.com,"363700000,1675000000",
[email protected],"36370000000,16750000000",
[email protected],363000000000,
```



## Create Lambda

### Create a new Lambda in same region with your QS Dashboards

1) Create new Lambda
2) Select Python 3.8

### Configure Lambda

1) Create and assign new Execution Role LambdaS3Org Role
2) Create and Add 2 Permission Policies to above LambdaS3Org Role

`LambdaOrgS3ListTags`

```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"organizations:ListAccountsForParent",
"organizations:ListAccounts",
"organizations:ListTagsForResource",
"organizations:ListOrganizationalUnitsForParent"
],
"Resource": "*"
}
]
}
```

`AWSLambdaS3ExecutionRole`

```
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::vmindru-cid-fr/cid_rls.csv"
}
]
}
UserName,GroupName,account_id,payer_id
user_with_wildcard_access,,,
user_with_acces_of_all_acounts_of_single_payer,,000111222333
cross_ou_user,,"0140000000,7200000,74700000,853000000",
,group1,"0140000000,7200000",
,group_accessa_all,,
```

### Add ENV Variables

Go to function settings and add ENV VARS

`BUCKET_NAME` - Bucket where to upload RLS file
`ROOT_OU` - ID of your root OU

### Increase execution time to 120s




Loading
Loading