Accessing buckets in a different AWS account under RAZ
In a Ranger Authorized (RAZ) environment, to access an S3 external bucket in a different AWS account from the Cloudera Data Warehouse cluster, you must configure the bucket policy of the other account. You use the AWS Management Console to do this.
You must meet the prerequisites mentioned in the topic above.
Add the ARN of the external bucket to the "Resource" array of values in the JSON file for the aws-cdp-datalake-admin-s3-policy.
For example, the values in the Resource array give the Cloudera Data Warehouse cluster access to external bucket MY_EXTERNAL_BUCKET.
Get the cluster ID from the Environments tile in the Cloudera Data Warehouse service UI.
For example:
You use this cluster ID later.
In the AWS Console, navigate to AWS Management Console > S3, locate the bucket in the other AWS account you added, and then click the bucket name.
In the bucket details page, click Permissions, and then click Bucket Policy.
In Bucket Policy, in the Bucket policy editor, add the Cloudera Data Warehouse cluster ID and the permissions you want the Cloudera Data Warehouse service account to have on this bucket.
This example policy includes the following specifications:
This first section includes the Sid, which is an optional identifier indicating what the policy does. The Effect specifies that this policy allows the Principal to perform what is listed in the Action section. The Principal is where you specify the ARN of the instance role for your Cloudera Data Warehouse cluster account.
The Action section specifies what actions the Principal can perform.
The Resource section specifies the S3 bucket you added that your Cloudera Data Warehouse cluster will access.
Navigate to AWS Management Console > CloudFormation and locate the stack corresponding to the cluster ID.
Click the CloudFormation stack name.
This stack name is the one in this format: <cluster-ID>-dwx-stack. For example, if the cluster ID is env-6cwwgg, the CloudFormation stack name for this cluster is env-6cwwgg-dwx-stack.
In CloudFormation stack details, in Resources, the NodeInstanceRole appears in the Logical ID column.
Click the hyperlink just to the right of it.
At the top of the Summary page, the Role ARN is listed.
Specify the ARN for the Principal in the bucket policy.
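
The following Python sketch is an added example, not Cloudera's own code. It builds a bucket policy with the Sid, Effect, Principal, Action, and Resource elements described above and checks it for an over-broad Principal or Action before you paste it into the Bucket policy editor. The account ID, the role-name suffix, the Sid text, and the two S3 actions are constructed placeholders.

```python
import json
import re

# Constructed placeholders: the account ID and role-name suffix are not from the page.
ROLE_ARN = "arn:aws:iam::111122223333:role/env-6cwwgg-dwx-stack-NodeInstanceRole-EXAMPLE"
BUCKET = "MY_EXTERNAL_BUCKET"
ROLE_ARN_RE = re.compile(r"^arn:aws(-[a-z-]+)?:iam::\d{12}:role/[\w+=,.@/-]+$")

def stack_name(cluster_id):
    """CloudFormation stack name in the <cluster-ID>-dwx-stack format."""
    return f"{cluster_id}-dwx-stack"

def build_policy(role_arn, bucket, actions):
    """Bucket policy with one Allow statement scoped to a single role."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCdwNodeInstanceRole",  # hypothetical Sid text
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": sorted(actions),
            # Bucket-level actions match the bucket ARN; object-level ones match /*.
            "Resource": [bucket_arn, f"{bucket_arn}/*"],
        }],
    }

def lint_policy(policy):
    """Return findings for Allow statements that grant more than one role needs."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        arns = principal.get("AWS", []) if isinstance(principal, dict) else (principal or [])
        for arn in [arns] if isinstance(arns, str) else arns:
            if arn == "*":
                findings.append("Principal is a wildcard")
            elif not ROLE_ARN_RE.match(arn):
                findings.append(f"Principal is not an IAM role ARN: {arn}")
        actions = st.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            if action in ("*", "s3:*"):
                findings.append(f"Action is a wildcard: {action}")
    return findings

if __name__ == "__main__":
    policy = build_policy(ROLE_ARN, BUCKET, ["s3:GetObject", "s3:ListBucket"])
    print(json.dumps(policy, indent=2), lint_policy(policy))
```

An empty findings list means the statement names one IAM role and no wildcard actions; an account root ARN or "*" as the Principal is reported because it would extend access beyond the NodeInstanceRole.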