Follow these steps in your AWS cloud environment:
- Teradata Vantage system must be integrated with Lake Formation as a trusted external engine. To achieve this, you need to define the string value for the LakeFormationAuthorizedCaller session tag designated for the third-party engine (Vantage). In this example, the string value used is vcl_tdotf. Additionally, you must provide the AWS account ID of the Vantage system, which specifies the source from which third-party engines are permitted to access locations registered with Lake Formation. In this case, the third-party engine is the Teradata OTF Engine.
See the article "Using Lake Formation application integration" on docs.aws.amazon.com.
- Using the IAM dashboard in the AWS console, create an AWS IAM Role.
For Vantage Cloud Lake, establish trust relationships with the Vantage Cloud Lake Tenant Primary Cluster/Compute Cluster IAM Roles as the principal.
Define Trust Relationship Policies:
- sts:AssumeRole: Enable Vantage Cloud Lake's Primary Cluster/Compute Cluster IAM roles to assume this customer role using an external ID.
- sts:TagSession: Permit Vantage Cloud Lake's Primary Cluster/Compute Cluster IAM roles to pass session tags with a specific tag key and value. The tag key should be aws:RequestTag/LakeFormationAuthorizedCaller, and the tag value should be the string designated for external engine integration with Lake Formation in step 1.
- sts:AssumeRole: Allow the lakeformation.amazonaws.com service to assume this customer role.
For Vantage Cloud Enterprise, establish trust relationships with the Vantage Cloud Enterprise system’s role name as the principal. For example, TDICAMSICRPVP01-IC-td-ecosystem-DBMppRole, where TDICAMSICRPVP01 is the site ID.
Define Trust Relationship Policies:
- sts:AssumeRole: Enable Vantage Cloud Enterprise’s role name to assume this customer role using an external ID.
- sts:TagSession: Permit Vantage Cloud Enterprise role name to pass session tags with a specific tag key and value. The tag key should be aws:RequestTag/LakeFormationAuthorizedCaller, and the tag value should be the string designated for external engine integration with Lake Formation in step 1.
- sts:AssumeRole: Allow the lakeformation.amazonaws.com service to assume this customer role.
Here is an example of the trust relationships:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::xxxx04618xxx:role/tcedbbe9/tenants/01/tcedbbe9-01-pog20250205064011660200000888",
          "arn:aws:iam::xxxx04618xxx:role/tcedbbe9/tenants/01/tcedbbe9-01-pog20250205064011660200000999"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "7b50f73c-8224-4143-86f0-9541a9938f34"
        }
      }
    },
    {
      "Sid": "AllowPassSessionTags",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::xxxx04618xxx:role/tcedbbe9/tenants/01/tcedbbe9-01-pog20250205064011660200000888",
          "arn:aws:iam::xxxx04618xxx:role/tcedbbe9/tenants/01/tcedbbe9-01-cog20250205064011660200000999"
        ]
      },
      "Action": "sts:TagSession",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/LakeFormationAuthorizedCaller": "vcl_tdotf"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lakeformation.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
- Add a Glue and S3 permissions policy to the customer’s IAM Role. This includes the list of allowed actions on the customer’s Glue and S3 resources.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabase",
        "glue:GetDatabases",
        "glue:GetTable",
        "glue:GetTables",
        "glue:CreateDatabase",
        "glue:CreateTable",
        "glue:DeleteDatabase",
        "glue:DeleteTable",
        "glue:UpdateTable",
        "glue:UpdateDatabase"
      ],
      "Resource": [
        "arn:aws:glue:us-west-2:655835508443:catalog",
        "arn:aws:glue:us-west-2:655835508443:database/sctmpdb",
        "arn:aws:glue:us-west-2:655835508443:table/sctmpdb/mydata"
      ]
    },
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:ListBucket",
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::tdotf-cust",
        "arn:aws:s3:::tdotf-cust/*"
      ]
    }
  ]
}
- Add a Lake Formation permissions policy to the customer’s IAM role with the GetDataAccess permission on Lake Formation.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "lakeformation:GetDataAccess"
      ],
      "Resource": "*"
    }
  ]
}
- The customer establishes a fine-grained access policy in Lake Formation for their Glue Tables, linking the previously created IAM role to this policy. This ensures that the table access policy is applied to requests made using the assigned IAM role.
The following is an example of a Lake Formation access control policy. A data filter is configured for the Glue table cardata within the database regdb, specifying qualifying columns make and applying a row filter where make = 'Buick'. The customer IAM role finance_dept_role is associated with this data filter.
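Before handing over to the Vantage side, the trust policy and the two permissions policies above can be checked mechanically for the controls this procedure relies on: an sts:ExternalId condition on every sts:AssumeRole granted to IAM-role principals, the aws:RequestTag/LakeFormationAuthorizedCaller condition on sts:TagSession pinned to the engine's string value rather than a wildcard, lakeformation.amazonaws.com as the only service principal, and Resource "*" appearing only on lakeformation:GetDataAccess. The Python script below is an added example, not part of the original procedure or Teradata's tooling; the account IDs, role ARNs, external ID, database and bucket names in its sample policies are constructed placeholders.

```python
import copy
import json

TAG_KEY = "aws:RequestTag/LakeFormationAuthorizedCaller"
EXPECTED_TAG_VALUE = "vcl_tdotf"          # the value chosen in step 1
LF_SERVICE = "lakeformation.amazonaws.com"

# Constructed sample trust policy: account ID, role paths and external ID are placeholders.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::111122223333:role/example/tenant-01-primary",
                           "arn:aws:iam::111122223333:role/example/tenant-01-compute"]},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "00000000-0000-4000-8000-000000000000"}}},
    {"Sid": "AllowPassSessionTags", "Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::111122223333:role/example/tenant-01-primary",
                           "arn:aws:iam::111122223333:role/example/tenant-01-compute"]},
     "Action": "sts:TagSession",
     "Condition": {"StringLike": {"aws:RequestTag/LakeFormationAuthorizedCaller": "vcl_tdotf"}}},
    {"Effect": "Allow", "Principal": {"Service": "lakeformation.amazonaws.com"},
     "Action": "sts:AssumeRole"}
  ]
}""")

# Constructed sample permissions policy (Glue + S3 + Lake Formation in one document).
PERMISSIONS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "GlueCatalog", "Effect": "Allow",
     "Action": ["glue:GetDatabase", "glue:GetTable", "glue:GetTables"],
     "Resource": ["arn:aws:glue:us-west-2:111122223333:catalog",
                  "arn:aws:glue:us-west-2:111122223333:database/exampledb",
                  "arn:aws:glue:us-west-2:111122223333:table/exampledb/*"]},
    {"Sid": "TableData", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-otf-bucket", "arn:aws:s3:::example-otf-bucket/*"]},
    {"Sid": "LakeFormation", "Effect": "Allow",
     "Action": ["lakeformation:GetDataAccess"], "Resource": "*"}
  ]
}""")


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, expected_tag_value=EXPECTED_TAG_VALUE):
    """Return a list of findings (empty means the trust policy matches the procedure)."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"statement[{i}]")
        actions = _as_list(st.get("Action"))
        principal = st.get("Principal", {})
        cond = st.get("Condition", {})
        if principal == "*":
            findings.append(f"{sid}: anonymous principal '*'")
            continue
        aws_principals = _as_list(principal.get("AWS"))
        for svc in _as_list(principal.get("Service")):
            if svc != LF_SERVICE:
                findings.append(f"{sid}: unexpected service principal {svc}")
        if "*" in aws_principals:
            findings.append(f"{sid}: wildcard AWS principal")
        # Cross-account AssumeRole must carry the external ID (confused-deputy control).
        if "sts:AssumeRole" in actions and aws_principals:
            if not cond.get("StringEquals", {}).get("sts:ExternalId"):
                findings.append(f"{sid}: sts:AssumeRole for AWS principals without sts:ExternalId condition")
        # TagSession must be pinned to the exact LakeFormationAuthorizedCaller value.
        if "sts:TagSession" in actions:
            values = []
            for operator in ("StringEquals", "StringLike"):
                values += _as_list(cond.get(operator, {}).get(TAG_KEY))
            if not values:
                findings.append(f"{sid}: sts:TagSession without a {TAG_KEY} condition")
            elif any("*" in v or "?" in v for v in values):
                findings.append(f"{sid}: wildcard in {TAG_KEY} value {values}")
            elif values != [expected_tag_value]:
                findings.append(f"{sid}: {TAG_KEY} is {values}, expected [{expected_tag_value!r}]")
        for action in actions:
            if action not in ("sts:AssumeRole", "sts:TagSession"):
                findings.append(f"{sid}: unexpected action {action}")
    return findings


def audit_permissions_policy(policy):
    """Flag wildcard actions, and Resource '*' on anything but lakeformation:GetDataAccess."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"statement[{i}]")
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        for action in actions:
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action}")
        if "*" in resources and any(a != "lakeformation:GetDataAccess" for a in actions):
            findings.append(f"{sid}: Resource '*' granted for {actions}")
    return findings


def weakened_trust_policy():
    """Copy of TRUST_POLICY with the external ID dropped and the tag value widened to '*'."""
    weak = copy.deepcopy(TRUST_POLICY)
    del weak["Statement"][0]["Condition"]
    weak["Statement"][1]["Condition"]["StringLike"][TAG_KEY] = "*"
    return weak


if __name__ == "__main__":
    print("trust policy:", audit_trust_policy(TRUST_POLICY) or "OK")
    print("permissions policy:", audit_permissions_policy(PERMISSIONS_POLICY) or "OK")
    print("weakened trust policy:", audit_trust_policy(weakened_trust_policy()))
```

Run it against the real documents by loading them with json.load instead of the embedded samples; the two audit functions accept any policy document in the standard IAM JSON shape. The weakened copy shows the two findings that matter most here: without sts:ExternalId any principal in the Vantage account could be pointed at this role, and a wildcard tag value lets a caller claim any LakeFormationAuthorizedCaller string instead of the one registered in step 1.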
This completes the setup on the customer’s AWS side. Next, the customer’s DBA has to log on to the Vantage system and perform a few more steps to enable the interoperability.