Using IAM Credentials with Amazon S3 Buckets - Analytics Database - Teradata Vantage

Teradata Vantage™ - Native Object Store Getting Started Guide - 17.20

Deployment: VantageCloud, VantageCore
Edition: Enterprise, IntelliFlex, VMware
Product: Analytics Database, Teradata Vantage
Release Number: 17.20
Published: June 2022
Language: English (United States)
Last Update: 2024-04-05
Product Category: Teradata Vantage

IAM is an alternative to using an access key and password to secure S3 buckets. To allow Analytics Database to access S3 buckets that use IAM, your S3 bucket policy must grant the following Actions to the role that is allowed to access the bucket.

For READ_NOS:

  • S3:GetObject
  • S3:ListBucket
  • S3:GetBucketLocation

For WRITE_NOS:

  • S3:PutObject

Other Actions are also allowed, such as S3:HeadBucket, S3:HeadObject, S3:ListBucket, and so on.

The following shows an example security policy. You need your EC2 role name and EC2 instance account ID, which are provided to you by Teradata. Once you have those, add an inline policy to your Amazon S3 bucket to grant access to the Teradata EC2 instance.

For example, assuming ‘s3-cross-access-role’ denotes the name of the role, ‘142600571999’ denotes the Teradata EC2 instance account ID, and ‘bucketname’ denotes the name of your Amazon S3 bucket, an example of the policy to apply to your bucket is as follows:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "s3acl",
         "Effect": "Allow",
         "Principal": {
            "AWS": "arn:aws:iam::142600571999:role/s3-cross-access-role"
         },
         "Action": [
            "s3:GetObject",
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:PutObject"
         ],
         "Resource": [
            "arn:aws:s3:::bucketname/*",
            "arn:aws:s3:::bucketname"
         ]
      }
   ]
}
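
The following Python check is an added example, not Teradata code. It reviews a bucket policy before you apply it: the principal must be a well-formed role ARN, each Action listed above must be granted on the resource ARN it applies to (object Actions on bucketname/*, bucket Actions on bucketname), and Actions beyond what the NOS functions in use need are reported. The function and constant names are hypothetical, the required-Action sets are the ones this page lists, and wildcard Actions are reported rather than expanded.

```python
import json
import re

# Actions this page lists per NOS function (names below are this example's own).
REQUIRED = {
    "READ_NOS": {"s3:getobject", "s3:listbucket", "s3:getbucketlocation"},
    "WRITE_NOS": {"s3:putobject"},
}
# Object-level Actions apply to bucket/*; the others apply to the bucket ARN.
OBJECT_LEVEL = {"s3:getobject", "s3:putobject"}
ROLE_ARN = re.compile(r"arn:aws:iam::\d{12}:role/[\w+=,.@/-]+")
# Constructed sample built from the page's example role, account ID and bucket.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "s3acl", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::142600571999:role/s3-cross-access-role"},
    "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::bucketname/*", "arn:aws:s3:::bucketname"]}]})

def as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy_json, bucket, functions):
    """Return a list of findings for a bucket policy; empty means it passes."""
    findings, granted = [], set()
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        arns = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for arn in arns:
            if not isinstance(arn, str) or not ROLE_ARN.fullmatch(arn):
                findings.append(f"principal is not a single role ARN: {arn!r}")
        resources = set(as_list(stmt.get("Resource", [])))
        for action in as_list(stmt.get("Action", [])):
            action = action.lower()  # names are case-insensitive; wildcards are not expanded
            target = f"{bucket_arn}/*" if action in OBJECT_LEVEL else bucket_arn
            if target in resources:
                granted.add(action)
    for fn in functions:
        for missing in sorted(REQUIRED[fn] - granted):
            findings.append(f"{fn}: {missing} not granted on the matching resource")
    allowed = set().union(*(REQUIRED[fn] for fn in functions))
    for extra in sorted(granted - allowed):
        findings.append(f"{extra} granted but not needed for {', '.join(functions)}")
    return findings

if __name__ == "__main__":
    print(lint_policy(SAMPLE, "bucketname", ["READ_NOS"]))
```

If the bucket is used only with READ_NOS, the sample policy is reported as granting s3:putobject unnecessarily; removing that Action from the statement clears the finding.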

Related Information

For more information about the security policy, see the Orange Book: Native Object Store: Teradata Vantage™ Advanced SQL Engine, TDN0009800.