Configuring cloud credentials using Knox Alias

Configure the Knox IDBroker role for S3 object stores using a Knox Alias. This process requires setting AWS IAM user credentials, configuring alternative STS endpoints for S3-compatible storage, and managing user or group mappings.

  1. Provide the AWS user access key and secret access key to the Knox IDBroker role.
    1. Go to Cloudera Manager > Clusters > Knox > Configuration.
    2. Search for the Save Alias Command Input - IDBroker property; this is where you set the alias for the AWS IAM user's access key.
    3. Enter aws-cab.aws.credentials.key=<AWS user Access key>, and click Save Changes.
    4. Click Actions and run the Save Alias - IDBroker command.
    5. Search again for the Save Alias Command Input - IDBroker property to set the alias for the AWS IAM user's secret access key.
    6. Enter aws-cab.aws.credentials.secret=<AWS user Secret access key>, and click Save Changes.
    7. Click Actions and run the Save Alias - IDBroker command.
    8. Clear the Save Alias Command Input - IDBroker property (set it to empty) so that the credential value does not remain in the Knox configuration.
    9. Click Save Changes.
  2. If you are using an S3-compatible alternative to Amazon S3, configure the IDBroker topology to reference the alternative STS endpoint.
    1. Go to Cloudera Manager > Clusters > Knox > Configuration.
    2. Add the following entry to the Knox IDBroker Advanced Configuration Snippet (Safety Valve) for conf/cdp-resources.xml:
      Name: aws-cab
      Value: providerConfigRef=cab-providers# IDBROKER:cloud.policy.config.provider=default# IDBROKER:cloud.client.provider=AWS# IDBROKER:aws.region.name=us-east-1# IDBROKER:org.apache.knox.idbroker.endpoint.override=https://s3.myobjectore.com/#
      The entries in the value are separated by #; replace https://s3.myobjectore.com/ with the endpoint URL of your object store.
    3. Click Save Changes.
  3. Map users or groups to IAM roles.
    1. Set the Knox IDBroker AWS User Mapping configuration property to the following value:
      rangerraz=arn:aws:iam::<ARN>:role/S3RazRole
    2. Click Save Changes.
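As an added example (not Cloudera's or Knox's own code), the following Python checker parses the two text formats used in this procedure, the #-separated safety-valve value and the user=ARN mapping line, and flags an access key or secret pasted into the snippet instead of the alias store. It assumes the field after iam:: in the mapping is a 12-digit AWS account ID and uses a constructed endpoint URL.

```python
import re

# Constructed sample in the page's safety-valve format: '#'-separated key=value
# entries, with the "IDBROKER:" prefix marking topology-scoped keys.
SAMPLE_SNIPPET = (
    "providerConfigRef=cab-providers# "
    "IDBROKER:cloud.policy.config.provider=default# "
    "IDBROKER:cloud.client.provider=AWS# "
    "IDBROKER:aws.region.name=us-east-1# "
    "IDBROKER:org.apache.knox.idbroker.endpoint.override=https://s3.example.invalid/#"
)
# Credential keys that belong in the Knox alias store, never in the snippet.
ALIAS_ONLY_KEYS = {"aws-cab.aws.credentials.key", "aws-cab.aws.credentials.secret"}
# Assumed role ARN shape: the field after "iam::" is the 12-digit account ID.
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@-]+$")


def parse_snippet(value):
    """Split the snippet into (scope, key, value) tuples; scope is '' or 'IDBROKER'."""
    entries = []
    for raw in value.split("#"):
        raw = raw.strip()
        if not raw:
            continue  # trailing '#' leaves an empty entry
        key, sep, val = raw.partition("=")
        if not sep:
            raise ValueError(f"entry without '=': {raw!r}")
        scope, _, bare = key.rpartition(":")  # '' scope when no prefix
        entries.append((scope, bare.strip(), val.strip()))
    return entries


def check_snippet(value):
    """Return findings for a snippet; an empty list means it passed the checks."""
    findings = []
    for _, key, val in parse_snippet(value):
        if key in ALIAS_ONLY_KEYS:
            findings.append(f"{key} must be stored with Save Alias, not as plaintext")
        if key.endswith("endpoint.override") and not val.startswith("https://"):
            findings.append(f"endpoint override is not https: {val}")
    return findings


def parse_user_mapping(line):
    """Parse one 'user=arn' mapping line and validate the role ARN shape."""
    user, sep, arn = line.partition("=")
    if not sep or not ROLE_ARN.match(arn.strip()):
        raise ValueError(f"bad mapping: {line!r}")
    return user.strip(), arn.strip()
```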