Setting Up Assume Role on AWS - Teradata Vantage

Teradata® VantageCloud Lake
Deployment
VantageCloud
Edition
Lake
Product
Teradata Vantage
Published
January 2023
ft:locale
en-US
ft:lastEdition
2024-12-11
dita:mapPath
phg1621910019905.ditamap
dita:ditavalPath
pny1626732985837.ditaval
dita:id
phg1621910019905
This procedure contains steps to be completed outside of Teradata and those steps may change at any time. Refer to the other vendor's documentation as needed.

See: https://docs.aws.amazon.com/awsconsolehelpdocs/

The following assumes there are two AWS accounts: one for a Teradata user and the other is the customer AWS account where the external object storage is located.

    Create an IAM Policy

  1. Log on to the AWS Management Console. Search for IAM in the search bar and select it.
  2. Enable Security Token Service (STS) endpoints.
    1. In Access Management, select Account Settings.
    2. Activate your desired region and endpoint by changing the STS Status.
  3. Create a policy. Select Policies > Create Policy.
  4. Choose S3 in Select a Service.
    1. In Actions allowed add permissions to the policy that allows Teradata the desired access to your S3 external object storage.
    2. Add the Amazon Resource Name (ARN) of the bucket that Teradata is allowed to access. This restricts the actions to only the buckets specified.
  5. Select Next. Set the Policy name.

    The following example policy allows several actions on connector-sts-bucket:

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:GetObject",
                "s3:AbortMultipartUpload",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetBucketAcl",
                "s3:GetBucketLocation",
                "s3:GetBucketPolicy",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
              "arn:aws:s3:::connector-sts-bucket",
              "arn:aws:s3:::connector-sts-bucket/*"
            ]
        }
    ]
}
  6. Select Create Policy.

    7. Create an IAM Role

  7. In Access Management, select Roles.
  8. Create role.
    The purpose of this role is to grant the Teradata account access to the particular AWS external object storage.
  9. For Trusted entity type select AWS account. Then select Another AWS account.
    1. In Account ID, provide the Teradata account ID to be the identifier of the account that can use this role.
  10. In Options, select Require external ID.
    Entering an external ID increases security and prevents "confused deputy" attacks.
    1. Enter your Vantage Site ID, which can be obtained from your Teradata account team.
  11. Select Next.
  12. Search for the IAM policy you created and select it.
  13. Select Next.
  14. Name the role and Create role.
    Take note of the ARN value. The ARN is used when you create an authorization object in Analytics Database. See Setting Up Assume Role on Analytics Database.
    The following is an example of an IAM role trust relationship. It shows the account number (915556001112) that Teradata has the trust relationship with and the external ID (a sample value of 1234 is shown):
    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::915556001112:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "1234"
                }
            }
        }
    ]
}