Your external object storage must be configured to allow Analytics Database access.
When you configure external object storage, you set the credentials for it. Analytics Database uses those credentials in SQL statements. The supported credentials correspond to the values shown in the following table. They are supplied as USER and PASSWORD in the CREATE AUTHORIZATION command and as ACCESS_ID and ACCESS_KEY in READ_NOS and WRITE_NOS.
System/Scheme | USER/ACCESS_ID | PASSWORD/ACCESS_KEY |
---|---|---|
AWS | Access Key ID | Access Key Secret |
Azure / Shared Key | Storage Account Name | Storage Account Key |
Azure Shared Access Signature (SAS) | Storage Account Name | Account SAS Token |
Google Cloud (S3 interop mode) | Access Key ID | Access Key Secret |
Google Cloud (native) | Client Email | Private Key |
On-premises object storage | Access Key ID | Access Key Secret |
Public access object storage | empty_string (enclose the empty string in single straight quotation marks: USER '') | empty_string (enclose the empty string in single straight quotation marks: PASSWORD '') |
The following are alternatives to using an access key or password to secure S3-compatible external object storage. These are included in an authorization object, which is created by the CREATE AUTHORIZATION command:
- Amazon Identity and Access Management (IAM)
- AWS Assume Role, used to allow existing AWS IAM users and service accounts temporary access to AWS resources in other accounts.
The following are alternatives to using Azure Storage Name and Storage Account Key:
- Azure service principal, used to assign restricted permissions to applications and services accessing Azure external object storage.
- Azure Key Vault, used with a foreign table to access Azure blob storage. Use the Azure Key Vault clause to acquire an Azure Storage Account secret from an Azure Key Vault.
To see examples of supported credentials, see Variable Substitutions for Examples.
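
The AWS and public-access rows of the table, written out as statements. This is an added example, not taken from the original documentation. The object names (NosAuthAws, NosAuthPublic), bucket paths and key values are placeholders, and the AS DEFINER TRUSTED clause and the AUTHORIZATION forms of READ_NOS are assumed to be accepted by your release.

```sql
-- Added example. Object names, bucket paths and key values are placeholders.

-- AWS row: USER = Access Key ID, PASSWORD = Access Key Secret.
-- The secret appears in this one DDL statement; later queries name the object.
CREATE AUTHORIZATION NosAuthAws
AS DEFINER TRUSTED
USER 'YOUR-ACCESS-KEY-ID'
PASSWORD 'YOUR-SECRET-ACCESS-KEY';

-- Public access row: both values are the empty string,
-- enclosed in single straight quotation marks.
CREATE AUTHORIZATION NosAuthPublic
AS DEFINER TRUSTED
USER ''
PASSWORD '';

-- READ_NOS that names an authorization object: no key material in the query text.
SELECT TOP 5 *
FROM READ_NOS (
  USING
    LOCATION ('/s3/YOUR-PUBLIC-BUCKET.s3.amazonaws.com/YOUR-PREFIX/')
    AUTHORIZATION (NosAuthPublic)
    RETURNTYPE ('NOSREAD_KEYS')
) AS d;

-- READ_NOS with the ACCESS_ID / ACCESS_KEY pair given inline (assumed JSON form).
-- Here the key pair travels in the statement itself, so anyone who can read
-- the statement text can read the secret.
SELECT TOP 5 *
FROM READ_NOS (
  USING
    LOCATION ('/s3/YOUR-BUCKET.s3.amazonaws.com/YOUR-PREFIX/')
    AUTHORIZATION ('{"ACCESS_ID":"YOUR-ACCESS-KEY-ID","ACCESS_KEY":"YOUR-SECRET-ACCESS-KEY"}')
    RETURNTYPE ('NOSREAD_KEYS')
) AS d;
```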