Set Up Cross-Account S3 Access | Teradata Vantage on AWS - 2.0 - Managing Your S3 Storage Access to Use the NOS Connector with Vantage on AWS - Teradata Vantage on AWS

Teradata Vantage™ on AWS Getting Started Guide

prodname: Teradata Vantage on AWS
vrm_release: 2.0
created_date: June 2020
category: Configuration, Implementation, Installation
featnum: B700-4015-060K

If you will use NOS to access Amazon S3 storage from your Vantage on AWS deployment, you must first work with Teradata to grant cross-account access to the target objects.
Using policies at the bucket level, you can define:
  • Who can access (Principal element)
  • Which objects they can access (Resource element)
  • How they can access (Action element)

Use multiple policies to define granular access to different objects in the bucket. You can also review the bucket policy to see who can access objects. See https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/.

  1. Create an S3 bucket in your AWS account and provide the name to Teradata.
    For more granular control, also provide names of any folders within the bucket where access will be granted.
  2. Teradata creates an IAM role or user in your Vantage on AWS deployment (in the Teradata-owned AWS account).
  3. Teradata grants the necessary permissions to the IAM role or user, specifying your provided bucket and folder names.
  4. Configure the bucket policy for your S3 bucket to grant permissions to the Teradata IAM role or user that was created, specifying the same S3 bucket and folder names that you provided to Teradata.
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowTeradataNOSAccessToSpecifiedS3Buckets",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::TeradataAWSAccountID:user/TeradataIAMUsername"
                },
                "Action": [
                    "s3:ListBucket",
                    "s3:GetBucketLocation",
                    "s3:PutObject",
                    "s3:GetObject"
                ],
                "Resource": [
                    "arn:aws:s3:::S3BucketName",
                    "arn:aws:s3:::S3BucketName/*",
                    "arn:aws:s3:::S3BucketName/S3FolderName/*"
                ]
            }
        ]
    }
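
An added example, not part of the Teradata guide: a small Python check to run on the bucket policy from step 4 before applying it. It flags bucket-level actions granted without the bucket ARN, a bucket-wide object ARN that makes a folder ARN redundant, and a wildcard principal; the function names, finding codes and both sample policies are constructed for illustration from the page's placeholder names.

```python
import json

# Actions from the page's policy, grouped by the resource type each one applies to.
BUCKET_ACTIONS = {"s3:listbucket", "s3:getbucketlocation"}
OBJECT_ACTIONS = {"s3:getobject", "s3:putobject"}

def as_list(value):
    """Policy elements may be a single value or a list of values."""
    return list(value) if isinstance(value, list) else [value]

def lint_statement(stmt):
    """Return finding codes for one Allow statement (explicit action names only)."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    principal = stmt.get("Principal", {})
    aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
    if "*" in aws:
        findings.append("wildcard-principal")
    actions = {a.lower() for a in as_list(stmt.get("Action", []))}
    # After "arn:aws:s3:::", a bucket ARN has no "/" and an object ARN does.
    paths = [r.split(":::", 1)[-1] for r in as_list(stmt.get("Resource", []))]
    bucket_arns = [p for p in paths if "/" not in p]
    object_arns = [p.split("/", 1) for p in paths if "/" in p]
    if actions & BUCKET_ACTIONS and not bucket_arns:
        findings.append("bucket-action-without-bucket-arn")
    if actions & OBJECT_ACTIONS and not object_arns:
        findings.append("object-action-without-object-arn")
    # "bucket/*" covers every key, so a folder ARN listed beside it restricts nothing.
    wide = {bucket for bucket, key in object_arns if key == "*"}
    if any(bucket in wide and key != "*" for bucket, key in object_arns):
        findings.append("folder-scope-overridden-by-bucket-wildcard")
    return findings

def lint_policy(policy_json):
    """Map each statement's Sid (or index) to its findings, omitting clean ones."""
    statements = as_list(json.loads(policy_json)["Statement"])
    report = {s.get("Sid", str(i)): lint_statement(s) for i, s in enumerate(statements)}
    return {sid: found for sid, found in report.items() if found}

def sample_policy(sid, resources):
    """Constructed sample built from the page's placeholder names."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{"Sid": sid, "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::TeradataAWSAccountID:user/TeradataIAMUsername"},
        "Action": ["s3:ListBucket", "s3:GetBucketLocation", "s3:PutObject", "s3:GetObject"],
        "Resource": resources}]})

OBJECT_ONLY = sample_policy("ObjectOnly", ["arn:aws:s3:::S3BucketName/*", "arn:aws:s3:::S3BucketName/S3FolderName/*"])
FOLDER_SCOPED = sample_policy("FolderScoped", ["arn:aws:s3:::S3BucketName", "arn:aws:s3:::S3BucketName/S3FolderName/*"])
```

Pass the JSON text of your own bucket policy to `lint_policy`; an empty result means none of the three conditions was found.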