CREATE AUTHORIZATION and REPLACE AUTHORIZATION Syntax Elements - Teradata Vantage - Analytics Database

SQL Data Definition Language Syntax and Examples

Deployment: VantageCloud, VantageCore
Edition: VMware, Enterprise, IntelliFlex
Product: Analytics Database, Teradata Vantage
Release Number: 17.20
Published: June 2022
Last edition: 2025-11-06
database_name
user_name
[Optional] Name of a database or user other than the current or default in which the authorization being defined or replaced is to reside.
authorization_name
Name for the authorization, to specify in an external routine definition or function mapping.
This name must conform to object naming rules, which are in Teradata Vantage™ - SQL Fundamentals, B035-1141.
For information about using authorization objects with the Script Table Operator, see Teradata Vantage™ - SQL Operators and User-Defined Functions, B035-1210.
DEFINER
Specify DEFINER to share an authorization object with multiple users of the database in which it resides. You can create the authorization in any database.
INVOKER
[Default] Specify INVOKER to allow exclusive access by a user. You must create the authorization in the database of the current user.
TRUSTED
[Optional] Creates the associated authorization object as TRUSTED.
You must use the TRUSTED security type for the authorization you specify in the EXTERNAL SECURITY clause when creating foreign tables or function mappings. See CREATE FOREIGN TABLE or CREATE FUNCTION MAPPING and REPLACE FUNCTION MAPPING.
USER
Name of the database user to whom this authorization is being assigned.
Public buckets (or public containers) in external object stores (such as Amazon S3, Azure Blob storage, or Google Cloud Storage) do not require credentials for access. If you are creating an authorization for a public bucket, user_name is an empty string delimited by single quotes: ''
PASSWORD
Name of the operating system platform password assigned to user_name.
For AWS, AZURE, and Google Cloud, password can have at most 4096 bytes.
The system uses the password to authenticate the user when creating the secure server process. Teradata recommends that any session that uses the CREATE AUTHORIZATION or REPLACE AUTHORIZATION statement be set up to use the encrypted transport protocol. See Teradata Vantage™ - Analytics Database Security Administration, B035-1100.
If you are creating an authorization for a public bucket, password is an empty string delimited by single quotes: ''
Teradata recommends entering your password through an application that requests it in a secure manner, such as a GUI or World Wide Web interface that displays each password character as an asterisk (*) as it is typed.
System/Scheme                        USER/ACCESS_ID          PASSWORD/ACCESS_KEY
AWS                                  Access Key ID           Access Key Secret
Azure / Shared Key                   Storage Account Name    Storage Account Key
Azure Shared Access Signature (SAS)  Storage Account Name    Account SAS Token
Google Cloud (S3 interop mode)       Access Key ID           Access Key Secret
Google Cloud (native)                Client Email            Private Key
On-premises object storage           Access Key ID           Access Key Secret
Public access object storage         empty_string            empty_string

For public access object storage, enclose the empty string in single straight quotation marks in both positions: USER '' PASSWORD ''

The following are alternatives to using an access key or password to secure S3-compatible external object storage. These are included in an authorization object, which is created by the CREATE AUTHORIZATION command:
  • Amazon Identity and Access Management (IAM)
  • AWS Assume Role, used to allow existing AWS IAM users and service accounts temporary access to AWS resources in other accounts. See Assume Role Authorization.
SESSION_TOKEN session_token_value
If your S3 user account requires the use of physical or virtual security, you can use a session token with Access_ID and Access_KEY in this syntax:
AUTHORIZATION = '{"Access_ID":"access_id", "Access_Key":"secret_key",
"Session_Token":"session_token" }'
You must first get a session token using the AWS CLI.
AUTHSERVICETYPE
Authorization service type for the storage service. For AUTHSERVICETYPE values, see "AuthorizationsV[X]" in Teradata Vantage™ - Data Dictionary, B035-1092.
ROLENAME 'resource_name'
Amazon Resource Name (ARN) of the role to assume. Applicable only for ASSUME_ROLE.
EXTERNALID 'external_id'
External identification that assumes the role. Applicable only for ASSUME_ROLE.
DURATION_SECONDS 'duration_seconds_value'
[Optional] Duration of the role session for AUTHSERVICETYPE 'ASSUME_ROLE'. Only numeric values are supported; the range is 900-43200 seconds.
If you specify a value higher than the maximum session duration set on the AWS role, the operation fails. For example, if you specify a session duration of 12 hours, but your administrator set the maximum session duration to 6 hours, your operation fails.
If you specify a value containing characters other than digits, the operation fails.
Default: 3600 seconds (when omitted).
Amazon Identity and Access Management (IAM) is an alternative to using an access key and password to secure S3 buckets.
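The following statements are an added example, not part of the Teradata documentation page, showing how the syntax elements above combine for the main cases: the INVOKER default, a shared DEFINER TRUSTED authorization, a public bucket, an ASSUME_ROLE authorization, and REPLACE AUTHORIZATION for credential rotation. All database names, credentials, the role ARN and the external ID are placeholders, and the clause order is assumed from the order of the elements on this page; confirm it against the syntax diagram for your release.

```sql
-- Added example (not from the Teradata page). All names and credential values
-- below are placeholders; clause order is assumed from this page's elements.

-- 1. INVOKER is the default: the authorization is exclusive to the creating
--    user and must be created in that user's own database.
CREATE AUTHORIZATION my_s3_auth AS INVOKER
  USER 'EXAMPLE_ACCESS_KEY_ID'            -- AWS: Access Key ID
  PASSWORD 'example_secret_access_key';   -- AWS: Access Key Secret

-- 2. DEFINER TRUSTED in a shared database: required for the EXTERNAL SECURITY
--    clause of CREATE FOREIGN TABLE / CREATE FUNCTION MAPPING, and shared by
--    every user of the database it resides in.
CREATE AUTHORIZATION shared_db.azure_auth AS DEFINER TRUSTED
  USER 'examplestorageaccount'            -- Azure Shared Key: Storage Account Name
  PASSWORD 'example_storage_account_key'; -- Azure Shared Key: Storage Account Key

-- 3. Public bucket: no credentials, so USER and PASSWORD are both the empty
--    string delimited by single straight quotes.
CREATE AUTHORIZATION public_bucket_auth AS DEFINER TRUSTED
  USER ''
  PASSWORD '';

-- 4. AWS Assume Role: temporary credentials instead of a stored long-lived key
--    on the target account. USER/PASSWORD here are assumed to be the keys of
--    the IAM principal permitted to assume the role (placeholders).
--    DURATION_SECONDS is digits only, 900-43200, default 3600, and must not
--    exceed the maximum session duration set on the role or the statement fails.
CREATE AUTHORIZATION assume_role_auth AS DEFINER TRUSTED
  USER 'EXAMPLE_ACCESS_KEY_ID'
  PASSWORD 'example_secret_access_key'
  AUTHSERVICETYPE 'ASSUME_ROLE'
  ROLENAME 'arn:aws:iam::123456789012:role/ExampleVantageReadRole'  -- placeholder ARN
  EXTERNALID 'example-external-id'                                   -- placeholder
  DURATION_SECONDS '3600';

-- 5. REPLACE AUTHORIZATION takes the same elements; use it to rotate the stored
--    credential in place rather than dropping and re-creating the object.
REPLACE AUTHORIZATION my_s3_auth AS INVOKER
  USER 'EXAMPLE_ROTATED_ACCESS_KEY_ID'
  PASSWORD 'example_rotated_secret_access_key';
```

Run these from a session that uses the encrypted transport protocol, as the PASSWORD element above recommends, since the credential travels in the statement text. Statement 4 keeps the session short (the 3600-second default) and ties the role to an EXTERNALID, which limits the blast radius if the stored key is exposed compared with a long-lived key that grants the target permissions directly.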