17.10 - Using IAM Credentials with Amazon S3 Buckets - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Native Object Store Getting Started Guide

Product
Advanced SQL Engine
Teradata Database
Release Number
17.10
Release Date
July 2021
Content Type
Programming Reference
Publication ID
B035-1214-171K
Language
English (United States)

An IAM role is an alternative to authenticating to S3 with an access key ID and secret access key: the Advanced SQL Engine EC2 instance assumes the role, so no long-lived credential has to be stored on the database side. To allow Advanced SQL Engine to access an S3 bucket this way, the bucket policy must grant the following actions to the role that is allowed to access the bucket.

For READ_NOS:

  • s3:GetObject
  • s3:ListBucket
  • s3:GetBucketLocation

For WRITE_NOS:

  • s3:PutObject

The policy can grant additional actions beyond these minimums. Note that HeadBucket and HeadObject are S3 API operations rather than IAM actions: a HeadBucket call is authorized by s3:ListBucket and a HeadObject call by s3:GetObject, so the actions listed above already cover them. Grant only what the workload needs; if the bucket is read through READ_NOS only, leave out s3:PutObject.

The following shows an example bucket policy. You need the EC2 role name and the AWS account ID of the Teradata EC2 instance, both of which are provided to you by Teradata. Once you have them, attach a bucket policy to your Amazon S3 bucket that grants access to that role.

For example, assuming ‘s3-cross-access-role’ denotes the name of the role, ‘142600571999’ denotes the Teradata EC2 instance account ID, and ‘bucketname’ denotes the name of your Amazon S3 bucket, an example of the policy to apply to your bucket is as follows:

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "s3acl",
         "Effect": "Allow",
         "Principal": {
            "AWS": "arn:aws:iam::142600571999:role/s3-cross-access-role"
         },
         "Action": [
            "s3:GetObject",
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:PutObject"
         ],
         "Resource": [
            "arn:aws:s3:::bucketname/*",
            "arn:aws:s3:::bucketname"
         ]
      }
   ]
}

Both resource ARNs are required: s3:ListBucket and s3:GetBucketLocation are evaluated against the bucket ARN, while s3:GetObject and s3:PutObject are evaluated against object ARNs (bucketname/*). A policy that lists only one of the two allows half of the calls READ_NOS makes and denies the rest. Also make sure the principal ARN contains no whitespace; S3 rejects a policy whose principal is malformed.
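Because this policy is usually pasted by hand, the following added example (written for this page, not Teradata code) checks a candidate bucket policy offline before it is applied: it confirms that the role is granted every action the page lists for the requested operations, that bucket-level and object-level actions are attached to the right resource ARNs, that the principal ARN has no stray whitespace, and it flags anything granted beyond the minimum. The role ARN, account ID and bucket name are the page's placeholders; the two sample policies are constructed here as input.

```python
"""Offline sanity check for the S3 bucket policy that grants a Teradata EC2
instance role access for READ_NOS / WRITE_NOS.  Added example, not Teradata code."""
import json
import re

# Minimum actions the page lists per Native Object Store operation.
REQUIRED_ACTIONS = {
    "READ_NOS": {"s3:getobject", "s3:listbucket", "s3:getbucketlocation"},
    "WRITE_NOS": {"s3:putobject"},
}
# ListBucket/GetBucketLocation are authorized against the bucket ARN,
# GetObject/PutObject against object ARNs (bucket/*).
BUCKET_LEVEL = {"s3:listbucket", "s3:getbucketlocation"}
OBJECT_LEVEL = {"s3:getobject", "s3:putobject"}
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[A-Za-z0-9+=,.@_/-]+$")


def _listify(value):
    """IAM JSON accepts a scalar wherever a list is allowed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_bucket_policy(policy_text, role_arn, bucket, operations=("READ_NOS",)):
    """Return findings as 'ERROR: ...' / 'WARN: ...' strings; [] means the role
    can perform the requested operations and nothing beyond them is granted."""
    findings = []
    if not ROLE_ARN_RE.match(role_arn):
        findings.append(f"ERROR: role ARN is malformed: {role_arn!r}")
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return findings + [f"ERROR: policy is not valid JSON: {exc}"]
    if policy.get("Version") != "2012-10-17":
        findings.append("WARN: Version should be 2012-10-17")

    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_prefix = bucket_arn + "/"
    granted = {}  # lowercased action -> resources on which role_arn is allowed it
    for stmt in _listify(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        principals = _listify(principal.get("AWS")) if isinstance(principal, dict) else _listify(principal)
        if "*" in principals:
            findings.append(f"ERROR: statement {sid} allows every AWS principal")
        # A space inside the ARN (an easy copy/paste slip) makes S3 reject the policy.
        for p in principals:
            if p != role_arn and "".join(p.split()) == role_arn:
                findings.append(f"ERROR: statement {sid}: principal {p!r} contains whitespace")
        if role_arn not in ("".join(p.split()) for p in principals):
            continue
        resources = set(_listify(stmt.get("Resource")))
        for action in _listify(stmt.get("Action")):
            action = action.lower()
            if action in ("*", "s3:*"):
                findings.append(f"WARN: statement {sid} uses wildcard action {action!r}")
                for a in BUCKET_LEVEL | OBJECT_LEVEL:
                    granted.setdefault(a, set()).update(resources)
            else:
                granted.setdefault(action, set()).update(resources)

    required = set().union(*(REQUIRED_ACTIONS[op] for op in operations))
    for action in sorted(required):
        resources = granted.get(action)
        if resources is None:
            findings.append(f"ERROR: {action} is not granted to the role")
        elif action in BUCKET_LEVEL and bucket_arn not in resources:
            findings.append(f"ERROR: {action} must be granted on {bucket_arn}")
        elif action in OBJECT_LEVEL and not any(r.startswith(object_prefix) for r in resources):
            findings.append(f"ERROR: {action} must be granted on {object_prefix}*")
    for action in sorted(set(granted) - required):  # least privilege
        findings.append(f"WARN: {action} is granted but not needed for {', '.join(operations)}")
    return findings


ROLE_ARN = "arn:aws:iam::142600571999:role/s3-cross-access-role"

# The page's policy, constructed here as sample input.
PAGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "s3acl", "Effect": "Allow",
        "Principal": {"AWS": ROLE_ARN},
        "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation", "s3:PutObject"],
        "Resource": ["arn:aws:s3:::bucketname/*", "arn:aws:s3:::bucketname"],
    }],
})

# Constructed variant with two hand-editing mistakes: whitespace inside the
# principal ARN and the bucket ARN dropped from Resource.
BROKEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "s3acl", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam:: 142600571999:role/s3-cross-access-role"},
        "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"],
        "Resource": "arn:aws:s3:::bucketname/*",
    }],
})

if __name__ == "__main__":
    for name, text, ops in [("page policy, read+write", PAGE_POLICY, ("READ_NOS", "WRITE_NOS")),
                            ("page policy, read only", PAGE_POLICY, ("READ_NOS",)),
                            ("broken policy, read only", BROKEN_POLICY, ("READ_NOS",))]:
        print(name, check_bucket_policy(text, ROLE_ARN, "bucketname", ops) or ["OK"])
```

Run it against the policy you are about to attach; the page's policy checked for READ_NOS and WRITE_NOS comes back clean, the same policy checked for READ_NOS alone warns that s3:PutObject is unnecessary, and the broken variant reports the whitespace in the principal and the two bucket-level actions that are missing their bucket ARN. The check is syntactic only: it does not replace testing a READ_NOS query against the bucket from the Advanced SQL Engine instance.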

Related Information

For more information about the security policy, see the Orange Book: Native Object Store: Teradata Vantage™ Advanced SQL Engine, TDN0009800.