Before creating the authorization object, Advanced SQL Engine must have permission from the external object store to access the data. For example, to access an Amazon S3 bucket, an Access Key or an AWS Identity and Access Management (IAM) user credential is required. To access a GCS bucket, an Access Key is required. To access Azure storage, an Access Key or Shared Access Signature (SAS) token is needed. The credentials are configured on the object store that you want to access.
Once your external storage allows Advanced SQL Engine to access it, set up an authorization object using the appropriate credentials.
An authorization object can be shared among several people if Definer is used in the authorization object definition. If Invoker is used, only the user who created the object can use it.
Description | Example |
---|---|
Authorization object used by one user | CREATE AUTHORIZATION authorization_object AS INVOKER TRUSTED USER 'YOUR-ACCESS-KEY-ID' PASSWORD 'YOUR-SECRET-ACCESS-KEY'; |
Authorization object shared by a group of users | CREATE AUTHORIZATION authorization_object AS DEFINER TRUSTED USER 'YOUR-ACCESS-KEY-ID' PASSWORD 'YOUR-SECRET-ACCESS-KEY'; |
CREATE AUTHORIZATION authorization_object
AS DEFINER TRUSTED
USER ''
PASSWORD '';
- If not already done, log on to Advanced SQL Engine as an administrative user who can grant others privileges.
- Grant the appropriate privileges to the user.
  To create an authorization object, the user needs the following privileges:
  - CREATE AUTHORIZATION
- Log off as the administrative user.
- To run NOS-related commands, log on to the database as a user with the required privileges.
- Create an authorization object in Advanced SQL Engine with the credentials to your external object store.
  Create the authorization object in the same database as the foreign table that will use it.
  CREATE AUTHORIZATION DefAuth AS DEFINER TRUSTED USER 'YOUR-ACCESS-KEY-ID' PASSWORD 'YOUR-SECRET-ACCESS-KEY';
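The procedure above as a single script, added here as an illustration and not taken from the original page. The database `nos_db`, the user `nos_user`, the table `sample_ft` and the bucket path in `LOCATION` are hypothetical placeholders, and the `GRANT` and `CREATE FOREIGN TABLE` forms are assumed from standard Teradata syntax, so check them against your release.

```sql
-- Run as the administrative user: allow nos_user to create
-- authorization objects in nos_db (both names are hypothetical).
GRANT CREATE AUTHORIZATION ON nos_db TO nos_user;

-- Log off, then log on as nos_user for the remaining statements.

-- Work in the database that will also hold the foreign table, so the
-- authorization object and the table that uses it live together.
DATABASE nos_db;

-- DEFINER: the object can be shared among several people.
-- With INVOKER, only the user who created it can use it.
CREATE AUTHORIZATION DefAuth
AS DEFINER TRUSTED
USER 'YOUR-ACCESS-KEY-ID'
PASSWORD 'YOUR-SECRET-ACCESS-KEY';

-- Foreign table that reads the object store through DefAuth
-- (table name and LOCATION are placeholders; assumed syntax).
CREATE FOREIGN TABLE sample_ft
, EXTERNAL SECURITY DEFINER TRUSTED DefAuth
USING ( LOCATION ('/s3/YOUR-BUCKET.s3.amazonaws.com/YOUR-PREFIX/') );
```

Because a DEFINER object lends its stored credential to every user who can reach a table built on it, scope the access key on the object store to only the data that table needs.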