Setting Up Assume Role on AWS - Teradata Vantage

Teradata® VantageCloud Lake

Deployment: VantageCloud
Edition: Lake
Product: Teradata Vantage
Published: January 2023
Language: English (United States)
Last Update: 2024-04-03
This procedure contains steps to be completed outside of Teradata and those steps may change at any time. Refer to the other vendor's documentation as needed.

See: https://docs.aws.amazon.com/awsconsolehelpdocs/_url_xref

The following assumes there are two AWS accounts: one belonging to Teradata, and the customer AWS account where the external object storage is located.

    Create an IAM Policy

  1. Log on to the AWS Management Console. Search for IAM in the search bar and select it.
  2. Enable Security Token Service (STS) endpoints.
    1. In Access Management, select Account Settings.
    2. Activate your desired region and endpoint by changing the STS Status.
  3. Create a policy. Select Policies > Create Policy.
  4. Choose S3 in Select a Service.
    1. In Actions allowed, add the permissions that allow Teradata the desired access to your S3 external object storage.
    2. Add the Amazon Resource Name (ARN) of the bucket that Teradata is allowed to access. This restricts the actions to only the buckets specified.
  5. Select Next. Set the Policy name.

    The following example policy allows several actions on connector-sts-bucket. Bucket-level actions (such as s3:ListBucket and s3:GetBucketAcl) match the bucket ARN itself, while object-level actions (such as s3:GetObject and s3:PutObject) only match the object ARN with the /* suffix, so both resources are listed:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject",
                    "s3:GetObjectAcl",
                    "s3:GetObject",
                    "s3:AbortMultipartUpload",
                    "s3:ListBucket",
                    "s3:DeleteObject",
                    "s3:GetBucketAcl",
                    "s3:GetBucketLocation",
                    "s3:GetBucketPolicy",
                    "s3:ListMultipartUploadParts"
                ],
                "Resource": [
                    "arn:aws:s3:::connector-sts-bucket",
                    "arn:aws:s3:::connector-sts-bucket/*"
                ]
            }
        ]
    }
  6. Select Create Policy.
    Create an IAM Role

  1. In Access Management, select Roles.
  2. Create role.
    The purpose of this role is to grant the Teradata account access to the particular AWS external object storage.
  3. For Trusted entity type select AWS account. Then select Another AWS account.
    1. In Account ID, provide the Teradata account ID to be the identifier of the account that can use this role.
  4. In Options, select Require external ID.
    Requiring an external ID guards against the "confused deputy" problem: a third party that learns the role ARN cannot have Teradata assume the role on its behalf without also knowing the external ID.
    1. Enter your Vantage Site ID, which can be obtained from your Teradata account team.
  5. Select Next.
  6. Search for the IAM policy you created and select it.
  7. Select Next.
  8. Name the role and Create role.
    Take note of the ARN value. The ARN is used when you create an authorization object in Analytics Database. See Setting Up Assume Role on Analytics Database.
    The following is an example of an IAM role trust relationship. It shows the Teradata account number (915556001112) that is trusted to assume the role, and the external ID condition (a sample value of 1234 is shown):
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::915556001112:root"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "sts:ExternalId": "1234"
                    }
                }
            }
        ]
    }
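The two documents above can be generated and sanity-checked without an AWS account. The following Python is an added example, not Teradata's or AWS's code: it builds the bucket permissions policy and the role trust policy from the values on this page, and `can_assume()` is a deliberately simplified model of how STS evaluates the trust policy (Principal match plus every StringEquals condition key), used here only to show why a request without the correct external ID is refused. Function names, the `S3_ACTIONS` list and the `teradata-s3-access` session name are this example's own; `assume_role()` wraps the real boto3 `sts.assume_role` call and needs credentials in the Teradata-side account, so it is not exercised offline.

```python
"""Build and check the IAM policy and trust policy from the procedure above.

Added example (not Teradata's own code). The values below are the page's
sample values: the bucket name, the Teradata account number and the sample
external ID 1234 (use your Vantage Site ID in practice).
"""
import json
from typing import Optional

BUCKET = "connector-sts-bucket"
TERADATA_ACCOUNT_ID = "915556001112"
SAMPLE_EXTERNAL_ID = "1234"

# Same action list as the page's example policy.
S3_ACTIONS = [
    "s3:PutObject", "s3:GetObjectAcl", "s3:GetObject",
    "s3:AbortMultipartUpload", "s3:ListBucket", "s3:DeleteObject",
    "s3:GetBucketAcl", "s3:GetBucketLocation", "s3:GetBucketPolicy",
    "s3:ListMultipartUploadParts",
]


def build_bucket_policy(bucket: str) -> dict:
    """Permissions policy restricted to one bucket.

    Object-level actions (GetObject, PutObject, ...) match the object ARN
    bucket/*; bucket-level actions (ListBucket, GetBucketAcl, ...) match the
    bucket ARN itself, so both resources must be listed.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": S3_ACTIONS,
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy: only the trusted account may assume the role, and only
    when the request carries the agreed external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def can_assume(trust_policy: dict, caller_account_id: str,
               external_id: Optional[str]) -> bool:
    """Simplified model of the trust-policy evaluation (assumption: it ignores
    the caller's own identity policy and only handles StringEquals).
    A missing condition key never matches, so a request that omits
    sts:ExternalId is refused even from the trusted account."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        if stmt["Principal"]["AWS"] != f"arn:aws:iam::{caller_account_id}:root":
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {})
        request_context = {} if external_id is None else {"sts:ExternalId": external_id}
        if all(request_context.get(key) == value for key, value in required.items()):
            return True
    return False


def assume_role(role_arn: str, external_id: str,
                session_name: str = "teradata-s3-access") -> dict:
    """Exercise the role for real with boto3 (credentials for the Teradata-side
    account must be configured). boto3 is imported lazily so the rest of the
    module runs offline."""
    import boto3
    sts = boto3.client("sts")
    return sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                           ExternalId=external_id)


if __name__ == "__main__":
    print(json.dumps(build_bucket_policy(BUCKET), indent=4))
    trust = build_trust_policy(TERADATA_ACCOUNT_ID, SAMPLE_EXTERNAL_ID)
    print(json.dumps(trust, indent=4))
    print("trusted account, right external ID:", can_assume(trust, TERADATA_ACCOUNT_ID, "1234"))
    print("trusted account, no external ID:   ", can_assume(trust, TERADATA_ACCOUNT_ID, None))
```

Paste the printed documents into the console's JSON editors, or compare them against what you created there; the one check worth repeating on any hand-written policy is that the Resource element carries both the bucket ARN and the bucket/* object ARN, since a policy with only the bucket ARN denies every s3:GetObject and s3:PutObject call.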