CREATE AUTHORIZATION and REPLACE AUTHORIZATION Syntax Elements - Teradata Vantage

Teradata® VantageCloud Lake
Deployment: VantageCloud
Edition: Lake
Product: Teradata Vantage
Published: January 2023
Last edited: 2024-12-11
Locale: en-US
Unless otherwise noted, every syntax element that is a name must follow the rules for naming database objects. See Object Names.
database_name
user_name
[Optional] Name of a database or user in which the authorization being defined or replaced is to reside.
Default: Current or default database or user
authorization_name
Name for the authorization, to specify in an external routine definition or function mapping.
For information about using authorization objects with the Script Table Operator, see APPLY.
DEFINER
[Optional] Specify DEFINER to share an authorization object with multiple users of the database in which it resides.
You can create the authorization in any database.
If you specify DEFINER, database_name or user_name must be the containing database or user for the external routine.
If neither INVOKER nor DEFINER is specified, the authorization is system-wide.
If the authorization object is system-wide, the user must have EXECUTE privilege to use it.
Default: INVOKER
DEFAULT
[Optional] Modifier for DEFINER that associates this authorization with all external routines that do not specify the authorization name in the EXTERNAL SECURITY DEFINER clause of the following statements:
You can assign only one default DEFINER object per database. All other DEFINER objects must have specific definer names.
If a default DEFINER already exists for the current or specified database, the system returns an error to the requestor.
INVOKER
[Optional] Specify INVOKER to allow exclusive access by a user (this is the default).
You must create the authorization in the database of the current user.
If neither INVOKER nor DEFINER is specified, the authorization is system-wide.
If the authorization object is system-wide, the user must have EXECUTE privilege to use it.
TRUSTED
[Optional] Creates the associated authorization object as TRUSTED.
You must use the TRUSTED security type for the authorization you specify in the EXTERNAL SECURITY clause when creating foreign tables or function mappings. See CREATE FOREIGN TABLE or CREATE FUNCTION MAPPING and REPLACE FUNCTION MAPPING.
USER user_name
Name of the database user to whom this authorization is being assigned.
Public buckets (or public containers) in external object stores (such as Amazon S3, Azure Blob Storage, or Google Cloud Storage) do not require credentials for access. If you are creating an authorization for a public bucket, user_name is an empty string delimited by single quotes: ''
PASSWORD password
Name of the operating system platform password assigned to user_name.
For Azure Key Vault, password can have at most 512 bytes. For AWS, AZURE, and Google Cloud, password can have at most 4096 bytes.
The system uses the password to authenticate the user when creating the secure server process. Teradata recommends that any session that uses the CREATE AUTHORIZATION or REPLACE AUTHORIZATION statement be set up to use the encrypted transport protocol.
If you are creating an authorization for a public bucket, password is an empty string delimited by single quotes: ''
Teradata recommends entering your password through an application that requests passwords in a secure manner, such as a GUI or World Wide Web interface that displays each password character as an asterisk (*) as you type the password.
System/Scheme                      | USER/ACCESS_ID       | PASSWORD/ACCESS_KEY
-----------------------------------|----------------------|--------------------
AWS                                | Access Key ID        | Access Key Secret
Azure / Shared Key                 | Storage Account Name | Storage Account Key
Azure Shared Access Signature (SAS)| Storage Account Name | Account SAS Token
Google Cloud (S3 interop mode)     | Access Key ID        | Access Key Secret
Google Cloud (native)              | Client Email         | Private Key
On-premises object storage         | Access Key ID        | Access Key Secret
Public access object storage       | empty_string         | empty_string

For public access object storage, enclose each empty string in single straight quotation marks: USER '' and PASSWORD ''

The following are alternatives to using an access key or password to secure S3-compatible external object storage. These are included in an authorization object, which is created by the CREATE AUTHORIZATION command:
  • Amazon Identity and Access Management (IAM)
  • AWS Assume Role, used to allow existing AWS IAM users and service accounts temporary access to AWS resources in other accounts.
The following are alternatives to using an Azure Storage Account Name and Storage Account Key:
  • Azure service principal, used to assign restricted permissions to applications and services accessing Azure external object storage.
  • Azure Key Vault, used with a foreign table to access Azure Blob Storage. Use the Azure Key Vault clause to acquire an Azure Storage Account secret from an Azure Key Vault.
SESSION_TOKEN session_token_value
If your S3 user account requires the use of physical or virtual security, you can use a session token with Access_ID and Access_KEY in this syntax:
AUTHORIZATION = '{"Access_ID":"access_id", "Access_Key":"secret_key", "Session_Token":"session_token"}'
You must first get a session token using the AWS CLI.
AUTHSERVICETYPE
Authorization service type for the storage service. For example, ASSUME_ROLE, AZURE_SERVICE_PRINCIPAL, and so on. For AUTHSERVICETYPE values, see AuthorizationsV[X].
ROLENAME 'resource_name'
Amazon Resource Name (ARN) of the role to assume. Applicable only for ASSUME_ROLE.
EXTERNALID 'external_id'
External identification that assumes the role. Applicable only for ASSUME_ROLE.
DURATION_SECONDS 'duration_seconds_value'
[Optional] Duration of the session for AUTHSERVICETYPE 'ASSUME_ROLE'. Supports only numeric values, in the range 900-43200 seconds.
If you specify a value higher than the value set in the AWS role session, the operation fails. For example, if you specify a session duration of 12 hours, but your administrator set the maximum session duration to 6 hours, your operation fails.
If you specify a value with characters other than numbers, the operation fails.
Default: 3600 seconds (when omitted).
CLIENT_ID 'client_id'
Application identification for the Azure service principal.
CLIENT_SECRET 'client_secret'
Password associated with the Azure service principal.
TENANT_ID 'tenant_id'
Identifier of the Microsoft Entra ID instance. For example:

391c8c4c-6a2a-40fd-ab98-226b6baa5155

KEYID 'key_id'
Authorization key identification. Set to the storage account name.
KEYVAULTNAME 'key_vault_name'
Name of the Azure key vault. The key vault allows access to Azure external object storage through public IP addresses.
APPID 'app_id'
Application identification.
APPSECRET 'app_secret_password'
Application password.
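The following statements are an added example, not taken from this Teradata page, showing how the syntax elements above combine into complete CREATE AUTHORIZATION statements for the credential forms the page describes: key-based, public bucket, INVOKER-scoped, AWS Assume Role, Azure service principal, and Azure Key Vault. The database name nos_db, every value in angle brackets, the USING keyword, and the clause order for the AUTHSERVICETYPE forms are assumptions; the AUTHSERVICETYPE value for the Key Vault form is left as a placeholder because this page only names ASSUME_ROLE and AZURE_SERVICE_PRINCIPAL.

```sql
-- Added example (not from the Teradata page). Values in <angle brackets> are
-- placeholders; the USING keyword and clause order for the AUTHSERVICETYPE
-- forms are assumed, not shown on this page.

-- 1. Key-based credentials (AWS, S3-compatible, Azure Shared Key, GCS interop):
--    USER carries the USER/ACCESS_ID column of the table above, PASSWORD the
--    PASSWORD/ACCESS_KEY column. DEFINER TRUSTED shares the object with all
--    users of nos_db and satisfies the TRUSTED requirement for foreign tables
--    and function mappings.
CREATE AUTHORIZATION nos_db.s3_key_auth
AS DEFINER TRUSTED
USER '<access-key-id>'
PASSWORD '<secret-access-key>';

-- 2. Public bucket: no credentials, so both strings are empty, but an object
--    is still needed for the EXTERNAL SECURITY clause to reference.
CREATE AUTHORIZATION nos_db.public_bucket_auth
AS DEFINER TRUSTED
USER ''
PASSWORD '';

-- 3. INVOKER (the default) keeps the credential private to one user; it must
--    be created in the current user's own database, so no database prefix.
CREATE AUTHORIZATION my_private_auth
AS INVOKER TRUSTED
USER '<access-key-id>'
PASSWORD '<secret-access-key>';

-- 4. AWS Assume Role: no long-lived key is stored. DURATION_SECONDS must be
--    numeric, within 900-43200, and not above the role's configured maximum,
--    or the statement fails. 3600 is the documented default.
CREATE AUTHORIZATION nos_db.assume_role_auth
AS DEFINER TRUSTED
USING
  AUTHSERVICETYPE 'ASSUME_ROLE'
  ROLENAME 'arn:aws:iam::<account-id>:role/<role-name>'
  EXTERNALID '<external-id>'
  DURATION_SECONDS '3600';

-- 5. Azure service principal: the TENANT_ID is the Entra ID instance GUID
--    shown on the page; CLIENT_ID / CLIENT_SECRET identify the application.
CREATE AUTHORIZATION nos_db.azure_sp_auth
AS DEFINER TRUSTED
USING
  AUTHSERVICETYPE 'AZURE_SERVICE_PRINCIPAL'
  CLIENT_ID '<application-id>'
  CLIENT_SECRET '<client-secret>'
  TENANT_ID '391c8c4c-6a2a-40fd-ab98-226b6baa5155';

-- 6. Azure Key Vault: KEYID is the storage account name, KEYVAULTNAME the
--    vault, APPID / APPSECRET the application that may read the secret.
--    The service type value is a placeholder: look it up in AuthorizationsV[X].
CREATE AUTHORIZATION nos_db.azure_kv_auth
AS DEFINER TRUSTED
USING
  AUTHSERVICETYPE '<key-vault-service-type>'
  KEYID '<storage-account-name>'
  KEYVAULTNAME '<key-vault-name>'
  APPID '<application-id>'
  APPSECRET '<application-password>';
```

Choose between forms 1 and 3 by who should be able to use the credential: DEFINER shares it with every user of the containing database, INVOKER restricts it to the creating user, and a system-wide object (neither keyword) requires EXECUTE privilege on it. Forms 4 to 6 avoid placing a long-lived access key in the object at all, which is the reason the page lists them as alternatives.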