Cloudera Docs

Accessing buckets in a different AWS account under RAZ

In a Ranger Authorized (RAZ) environment, to access an S3 external bucket in a different AWS account from the Cloudera Data Warehouse cluster, you must configure the bucket policy of the other account. You use the AWS Management Console to do this.

For information about bucket policies, see Adding a bucket policy by using the Amazon S3 console in the AWS documentation.

You must meet the prerequisites mentioned in the topic above.
  1. Add the ARN of the external bucket to the "Resource" array of values in the JSON file for the aws-cdp-datalake-admin-s3-policy.
    For example, the values in the Resource array give the Cloudera Data Warehouse cluster access to external bucket MY_EXTERNAL_BUCKET.
  2. Get the cluster ID from the Environments tile in the Cloudera Data Warehouse service UI.
    For example:
    You use this cluster ID later.
  3. In the AWS Console, navigate to AWS Management Console > S3, locate the bucket in the other AWS account you added, and then click the bucket name.
  4. In the bucket details page, click Permissions, and then click Bucket Policy.
  5. In Bucket Policy, in the Bucket policy editor, add the Cloudera Data Warehouse cluster Id and the permissions you want the Cloudera Data Warehouse service account to have to this bucket.

    This example policy includes the following specifications:

    • This first section includes the Sid, which is an optional identifier indicating what the policy does. The Effect specifies that this policy is allowing the Principal to do what is listed below in the Action section. The Principal is where you specify the ARN of the instance role for your Cloudera Data Warehouse cluster account.

    • The Action section specifies what actions the Principal can perform.
    • The Resource section specifies the S3 bucket you added that your Cloudera Data Warehouse cluster will access.
  6. Navigate to AWS Management Console > CloudFormation and locate the stack corresponding to the cluster ID.
  7. Click the CloudFormation stack name. This stack name is the one in this format: <cluster-ID>-dwx-stack. For example, if the cluster ID is env-6cwwgg, the CloudFormation stack name for this cluster is env-6cwwgg-dwx-stack.
    In CloudFormation stack details, in Resources, the NodeInstanceRole appears in the Logical ID column.
  8. Click the hyperlink just to the right of it.
    At the top of the Summary page, the Role ARN is listed.
  9. Specify the ARN for the Principal in the bucket policy.
  10. Click Save.