Using IAM Credentials with Amazon S3 Buckets - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Native Object Store Getting Started Guide

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.10
Published: July 2021
Language: English (United States)
Last Update: 2022-06-22
dita:id: B035-1214
lifecycle: previous
Product Category: Software, Teradata Vantage

IAM is an alternative to using an access key and password to secure S3 buckets. To allow Advanced SQL Engine access to S3 buckets that use IAM, your S3 bucket policy must be configured with the following Actions for the role that allows access to the bucket.

For READ_NOS:

  • S3:GetObject
  • S3:ListBucket
  • S3:GetBucketLocation

For WRITE_NOS:

  • S3:PutObject

Other Actions are also allowed, such as S3:HeadBucket, S3:HeadObject, S3:ListBucket, and so on.

The following shows an example security policy. You need your EC2 role name and EC2 instance account ID, which are provided to you by Teradata. Once you have those, add an inline policy to your Amazon S3 bucket to grant access to the Teradata EC2 instance.

For example, assuming ‘s3-cross-access-role’ denotes the name of the role, ‘142600571999’ denotes the Teradata EC2 instance account ID, and ‘bucketname’ denotes the name of your Amazon S3 bucket, an example of the policy to apply to your bucket is as follows:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "s3acl",
         "Effect": "Allow",
         "Principal": {
            "AWS": "arn:aws:iam::142600571999:role/s3-cross-access-role"
         },
         "Action": [
            "s3:GetObject",
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:PutObject"
         ],
         "Resource": [
            "arn:aws:s3:::bucketname/*",
            "arn:aws:s3:::bucketname"
         ]
      }
   ]
}
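
A pre-flight check for a bucket policy like the one above, as an added example that is not part of the Teradata documentation: it reports malformed principal ARNs (for instance one containing whitespace) and which of READ_NOS and WRITE_NOS the policy actually enables for the role. The names check_policy and sample_policy are hypothetical, and the sketch assumes the grantee is an IAM role and that Resource entries are literal ARNs for the bucket and its objects.

```python
import json
import re
from fnmatch import fnmatchcase

# Actions the page lists for each NOS function; two of them act on the bucket itself.
REQUIRED = {"READ_NOS": {"s3:getobject", "s3:listbucket", "s3:getbucketlocation"},
            "WRITE_NOS": {"s3:putobject"}}
BUCKET_LEVEL = {"s3:listbucket", "s3:getbucketlocation"}
# Assumption: the grantee is always an IAM role, as in the page's setup.
ROLE_ARN = re.compile(r"arn:aws:iam::\d{12}:role/[\w+=,.@/-]+")

def as_list(value):
    """Policy fields may hold one item or a list of items."""
    return value if isinstance(value, list) else [value]

def check_policy(policy_text, bucket, role_arn):
    """Return (problems, NOS functions the policy enables for role_arn)."""
    problems, granted = [], set()
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for stmt in as_list(json.loads(policy_text)["Statement"]):
        who = stmt.get("Principal", {})
        arns = as_list(who.get("AWS", [])) if isinstance(who, dict) else [who]
        problems += [f"principal is not a well-formed role ARN: {a!r}"
                     for a in arns if not ROLE_ARN.fullmatch(a)]
        if stmt.get("Effect") != "Allow" or role_arn not in arns:
            continue
        resources = as_list(stmt.get("Resource", []))
        has_bucket = bucket_arn in resources
        has_objects = any(r.startswith(bucket_arn + "/") for r in resources)
        patterns = [a.lower() for a in as_list(stmt.get("Action", []))]
        for action in set().union(*REQUIRED.values()):
            in_scope = has_bucket if action in BUCKET_LEVEL else has_objects
            if in_scope and any(fnmatchcase(action, p) for p in patterns):
                granted.add(action)
    for func, needed in REQUIRED.items():
        if needed - granted:
            problems.append(f"{func} lacks: {', '.join(sorted(needed - granted))}")
    return problems, sorted(f for f, n in REQUIRED.items() if n <= granted)

def sample_policy(principal, actions):
    """Constructed test input using the page's example bucket name."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Sid": "s3acl", "Effect": "Allow", "Principal": {"AWS": principal},
        "Action": actions,
        "Resource": ["arn:aws:s3:::bucketname/*", "arn:aws:s3:::bucketname"]}]})

ROLE = "arn:aws:iam::142600571999:role/s3-cross-access-role"
READ_ONLY = ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"]
print(check_policy(sample_policy(ROLE, READ_ONLY), "bucketname", ROLE))
```

Run it against the policy text before attaching the policy to the bucket; an empty problem list means both NOS functions have the Actions the page requires.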

Related Information

For more information about the security policy, see the Orange Book: Native Object Store: Teradata Vantage™ Advanced SQL Engine, TDN0009800.