To access Amazon S3 storage from your Vantage on AWS deployment using NOS (Native Object Store), you must first work with Teradata to grant cross-account access to the target objects: the Teradata-managed IAM principal lives in Teradata's AWS account, so your bucket policy must explicitly allow it.
Using policies at the bucket level, you can define the following permissions:
- Who can access (Principal element)
- Which objects they can access (Resource element)
- How they can access (Action element)
A bucket has exactly one bucket policy; use multiple statements within it to define granular access to different objects or prefixes in the bucket. You can also review the bucket policy at any time to see who has been granted access. See https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/.
- Create an S3 bucket in your AWS account and provide the name to Teradata. For more granular control, also provide the names of any folders (key prefixes) within the bucket to which access should be granted.
- Once Teradata creates the IAM user or role with the necessary permissions, configure the bucket policy for the S3 bucket and grant permissions to that Teradata IAM user or role. Use the same S3 bucket and folder names you provided to Teradata. The Principal is the ARN Teradata gives you: arn:aws:iam::TeradataAWSAccountID:user/TeradataIAMUsername for a user, or arn:aws:iam::TeradataAWSAccountID:role/TeradataIAMRoleName for a role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowTeradataNOSAccessToSpecifiedS3Bucket",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::TeradataAWSAccountID:user/TeradataIAMUsername"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::S3BucketName"
    },
    {
      "Sid": "AllowTeradataNOSAccessToSpecifiedS3Objects",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::TeradataAWSAccountID:user/TeradataIAMUsername"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::S3BucketName/S3FolderName/*"
    }
  ]
}
Note that s3:ListBucket and s3:GetBucketLocation are bucket-level actions and must be granted on the bucket ARN (arn:aws:s3:::S3BucketName), while s3:GetObject and s3:PutObject are object-level actions and must be granted on object ARNs (arn:aws:s3:::S3BucketName/...). Granting all four on S3BucketName/* silently leaves listing unauthorized. To grant access to the whole bucket rather than one folder, use arn:aws:s3:::S3BucketName/* as the object Resource; note that arn:aws:s3:::S3BucketName/* already covers every folder, so listing it alongside a folder path grants nothing extra. Omit s3:PutObject if NOS only needs to read from the bucket.
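The following Python is an added example, not Teradata's or AWS's code. It generates a bucket policy of the shape above from the bucket, folder and principal ARN you exchanged with Teradata, and then audits a policy document for the mistakes most likely to break or over-grant this setup: bucket-level actions on object ARNs, object-level actions on the bucket ARN, wildcard principals or actions, and an unconditioned s3:ListBucket that lets the principal enumerate every key in the bucket. It goes slightly beyond the policy on the page by restricting listing to the folder with an s3:prefix condition (applied to s3:ListBucket only, because s3:GetBucketLocation carries no s3:prefix key and a StringLike test on a missing key would deny it). The account ID, principal name, bucket and folder are constructed placeholders.

```python
"""Build and sanity-check an S3 bucket policy for Teradata NOS cross-account access.

Added example; not Teradata's own code. All ARNs, bucket and folder names below
are constructed placeholders (assumed), replace them with the values Teradata gave you.
"""
import json

BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}   # need the bucket ARN
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject"}            # need bucket/key ARNs
S3_ARN_PREFIX = "arn:aws:s3:::"


def build_nos_bucket_policy(bucket, principal_arn, folder=None, allow_write=True):
    """Return a bucket policy (dict) scoped to one principal and, optionally, one folder."""
    bucket_arn = f"{S3_ARN_PREFIX}{bucket}"
    prefix = folder.strip("/") + "/" if folder else ""
    principal = {"AWS": principal_arn}

    list_stmt = {
        "Sid": "AllowTeradataNOSListBucket",
        "Effect": "Allow",
        "Principal": principal,
        "Action": "s3:ListBucket",
        "Resource": bucket_arn,
    }
    if prefix:
        # Without this condition the principal could list every key in the bucket.
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [prefix + "*"]}}

    statements = [
        list_stmt,
        {   # GetBucketLocation has no s3:prefix key, so it gets its own unconditioned statement.
            "Sid": "AllowTeradataNOSGetBucketLocation",
            "Effect": "Allow",
            "Principal": principal,
            "Action": "s3:GetBucketLocation",
            "Resource": bucket_arn,
        },
        {
            "Sid": "AllowTeradataNOSObjectAccess",
            "Effect": "Allow",
            "Principal": principal,
            "Action": sorted(OBJECT_ACTIONS if allow_write else {"s3:GetObject"}),
            "Resource": f"{bucket_arn}/{prefix}*",
        },
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_nos_bucket_policy(policy, expected_principal_arn):
    """Return a list of findings; an empty list means the policy passes every check."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            findings.append(f"{sid}: wildcard Principal; the bucket would be publicly accessible")
        elif aws_principals != [expected_principal_arn]:
            findings.append(f"{sid}: Principal is not the Teradata ARN {expected_principal_arn}")

        actions = set(_as_list(stmt.get("Action", [])))
        if any(a == "s3:*" or a.endswith("*") for a in actions):
            findings.append(f"{sid}: wildcard Action {sorted(actions)}")

        for res in _as_list(stmt.get("Resource", [])):
            is_object_arn = "/" in res[len(S3_ARN_PREFIX):]
            if actions & BUCKET_ACTIONS and is_object_arn:
                findings.append(f"{sid}: bucket-level action on object ARN {res}; "
                                "ListBucket/GetBucketLocation need the bucket ARN")
            if actions & OBJECT_ACTIONS and not is_object_arn:
                findings.append(f"{sid}: object-level action on bucket ARN {res}; "
                                "GetObject/PutObject need bucket/key ARNs")
        if "s3:ListBucket" in actions and "Condition" not in stmt:
            findings.append(f"{sid}: ListBucket has no s3:prefix condition; whole bucket is listable")
    return findings


if __name__ == "__main__":
    # Constructed placeholders, not real identifiers.
    teradata = "arn:aws:iam::123456789012:user/teradata-nos"
    policy = build_nos_bucket_policy("my-nos-bucket", teradata, folder="nos-data")
    print(json.dumps(policy, indent=2))
    print("findings:", audit_nos_bucket_policy(policy, teradata))
```

Run the script and pass the printed JSON to `aws s3api put-bucket-policy --bucket <bucket> --policy file://policy.json`; afterwards `aws s3api get-bucket-policy` and feeding the result to `audit_nos_bucket_policy` is a cheap way to confirm that nobody has since widened the Principal or Resource.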