17.10 - Using IAM Credentials with Amazon S3 Buckets - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Native Object Store Getting Started Guide

Advanced SQL Engine
Teradata Database
July 2021
Programming Reference
English (United States)

IAM is an alternative to using an access key and password to secure S3 buckets. To allow Advanced SQL Engine access to S3 buckets that use IAM, your S3 bucket policy must be configured with the following Actions for the role that allows access to the bucket.


  • S3:GetObject
  • S3:ListBucket
  • S3:GetBucketLocation
  • S3:PutObject

Other Actions are also allowed, such as S3:HeadBucket, S3:HeadObject, S3:ListBucket, and so on.

The following shows an example security policy. You need your EC2 role name and EC2 instance account ID, which are provided to you by Teradata. Once you have those, add an inline policy to your Amazon S3 bucket to grant access to the Teradata EC2 instance.

For example, assuming ‘s3-cross-access-role’ denotes the name of the role, ‘142600571999’ denotes the Teradata EC2 instance account ID, and ‘bucketname’ denotes the name of your Amazon S3 bucket, an example of the policy to apply to your bucket is as follows:

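{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "s3acl",
         "Effect": "Allow",
         "Principal": {
            "AWS": "arn:aws:iam::142600571999:role/s3-cross-access-role"
         },
         "Action": [
            "s3:GetObject",
            "s3:ListBucket",
            "s3:GetBucketLocation",
            "s3:PutObject"
         ],
         "Resource": [
            "arn:aws:s3:::bucketname",
            "arn:aws:s3:::bucketname/*"
         ]
      }
   ]
}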
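The following is an added example, not code from Teradata or from this guide: it builds the bucket policy from the role name, account ID and bucket name described above, and audits a policy for principals, actions or resources broader than that. It assumes the four listed Actions are the intended set, and that the bucket-level Actions (ListBucket, GetBucketLocation) take the bucket ARN while the object-level ones (GetObject, PutObject) take `bucketname/*`. The function names and the `LOOSE` sample are constructed for illustration.

```python
# Actions the page lists (IAM action names are case-insensitive, so compare lowercased).
BUCKET_ACTIONS = {"s3:listbucket", "s3:getbucketlocation"}  # apply to the bucket ARN
OBJECT_ACTIONS = {"s3:getobject", "s3:putobject"}           # apply to object ARNs

def build_policy(account_id, role_name, bucket):
    """Build the cross-account bucket policy from the three values the page names."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "s3acl",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:role/{role_name}"},
            "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation", "s3:PutObject"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }

def as_list(v):
    return v if isinstance(v, list) else [v]

def audit_policy(policy, account_id, role_name, bucket):
    """Return findings for Allow statements broader than the page's example."""
    findings = []
    want_principal = f"arn:aws:iam::{account_id}:role/{role_name}"
    bucket_arn, object_arn = f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"
    for st in as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        arns = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in arns:
            if p != want_principal:
                findings.append(f"{sid}: unexpected principal {p!r}")
        actions = {a.lower() for a in as_list(st.get("Action", []))}
        for a in sorted(actions - BUCKET_ACTIONS - OBJECT_ACTIONS):
            findings.append(f"{sid}: action {a!r} is not in the documented set")
        resources = set(as_list(st.get("Resource", [])))
        for r in sorted(resources - {bucket_arn, object_arn}):
            findings.append(f"{sid}: resource {r!r} is outside the bucket")
        if actions & BUCKET_ACTIONS and bucket_arn not in resources:
            findings.append(f"{sid}: bucket-level actions need {bucket_arn}")
        if actions & OBJECT_ACTIONS and object_arn not in resources:
            findings.append(f"{sid}: object-level actions need {object_arn}")
    return findings

# Constructed sample: wildcard principal and action, object ARN only.
LOOSE = {"Statement": [{"Sid": "loose", "Effect": "Allow", "Principal": "*",
                        "Action": "s3:*", "Resource": "arn:aws:s3:::bucketname/*"}]}
```

Run `audit_policy` on the JSON you are about to attach to the bucket (loaded with `json.load`); an empty list means the statement matches the example's scope.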

Related Information

For more information about the security policy, see the Orange Book: Native Object Store: Teradata Vantage™ Advanced SQL Engine, TDN0009800.