Restrict Access to External Storage | Native Object Store | Teradata Vantage - 17.10 - Controlling Foreign Table Access with an AUTHORIZATION Object - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Native Object Store Getting Started Guide

Advanced SQL Engine
Teradata Database
July 2021
Content Type
Programming Reference
English (United States)
An authorization object is used to control who can access an external object store.

Before creating the authorization object, Advanced SQL Engine must have permission from the external object store to access the data. The credentials are configured on the object store that you want to access. For example, to access an Amazon S3 bucket, an Access Key ID or an AWS Identity and Access Management (IAM) user credential is required, depending on your external object store. See Authentication for External Object Stores for the credentials each external object store requires.

Once your external storage allows Advanced SQL Engine to access it, set up an authorization object with the credentials for your external object store.

Public buckets or containers in external object stores do not require credentials for access. To access a public bucket or container, put an empty string between the straight quotes for USER and PASSWORD.


  1. If not already done, log on to Advanced SQL Engine as an administrative user who can grant others privileges.
  2. Grant the appropriate privileges to the user.
    To create an authorization object, the user needs the following privileges:
  3. Log off as the administrative user.
  4. Create the Authorization Object

  5. To run NOS-related commands, log on to the database as a user with the required privileges.
  6. Create an authorization object in Advanced SQL Engine with the credentials to your external object store.
    Create the authorization object in the same database as the foreign table that uses it.
    CREATE AUTHORIZATION authorization_object

    See Variable Substitutions for Examples.

    For example, the Teradata-supplied public object store has an empty string for USER and PASSWORD. To create an authorization object for the public object store, run:

    CREATE AUTHORIZATION authorization_object
    USER ''
    PASSWORD '';
  7. View the definition of the authorization object. For example:

    Note, the password is not returned in the result.
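The procedure above as one session, shown here as an added example that is not part of the Teradata guide. The names `nos_db`, `nos_user`, `private_store_auth` and `public_store_auth` and the credential strings are hypothetical placeholders. The privilege names in the GRANT statements are an assumption, because the guide's own privilege list is missing from this page.

```sql
-- Added example. nos_db, nos_user, the object names and the credential
-- strings are hypothetical placeholders, not values from the guide.

-- Steps 1-3, as the administrative user.
-- Scope the grants to the one database that will hold the foreign table
-- and its authorization object, rather than granting them system-wide.
-- (Assumed privilege set: the guide's list is missing from this page.)
GRANT CREATE AUTHORIZATION ON nos_db TO nos_user;
GRANT DROP AUTHORIZATION ON nos_db TO nos_user;

-- Steps 5-6, as nos_user.
-- Make nos_db the default database so the authorization object is created
-- in the same database as the foreign table that will use it.
DATABASE nos_db;

-- Private object store: the key pair issued by the store goes here.
-- Use a key whose permissions on the store are limited to the data that
-- the foreign table needs to read.
CREATE AUTHORIZATION private_store_auth
USER 'YOUR-ACCESS-KEY-ID'
PASSWORD 'YOUR-SECRET-ACCESS-KEY';

-- Public bucket or container: empty strings, so no secret is stored.
CREATE AUTHORIZATION public_store_auth
USER ''
PASSWORD '';

-- Step 7: review each definition. The password is not returned, so the
-- output can be shared in a change review without exposing the secret.
SHOW AUTHORIZATION private_store_auth;
SHOW AUTHORIZATION public_store_auth;

-- After the key is rotated on the object store, update the stored
-- credential in place so dependent objects keep the same object name.
REPLACE AUTHORIZATION private_store_auth
USER 'YOUR-NEW-ACCESS-KEY-ID'
PASSWORD 'YOUR-NEW-SECRET-ACCESS-KEY';
```

Because the secret appears in the statement text, run the CREATE and REPLACE statements from an interactive session or a secrets-aware deployment tool, not from a script kept in version control.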

Postrequisite

In later examples, the authorization object is linked to a foreign table; in other examples, it is used in READ_NOS statements.