Accessing a bucket in a different AWS account under RAZ
In a Ranger Authorized (RAZ) environment, to access an S3 external bucket in a different AWS account from the CDW cluster, you must configure the bucket policy of the other account. You use the AWS Management Console to do this.
For information about bucket policies, see Adding a bucket policy by using the Amazon S3 console in the AWS documentation.
Add the ARN of the external bucket to the "Resource" array of values in the
JSON file for the
For example, the values in the Resource array give the CDW cluster access to external bucket MY_EXTERNAL_BUCKET.
Get the cluster ID from the Environments tile in the CDW service UI.
For example:You use this cluster ID later.
- In the AWS Console, navigate to , locate the bucket in the other AWS account you added, and then click the bucket name.
- In the bucket details page, click Permissions, and then click Bucket Policy.
In Bucket Policy, in the Bucket policy editor, add the
CDW cluster Id and the permissions you want the CDW service account to have to
This example policy includes the following specifications:
This first section includes the
Sid, which is an optional identifier indicating what the policy does. The
Effectspecifies that this policy is allowing the
Principalto do what is listed below in the
Principalis where you specify the ARN of the instance role for your CDW cluster account.
Actionsection specifies what actions the
- The Resource section specifies the S3 bucket you added that your CDW cluster will access.
- Navigate to AWS Management Console > CloudFormation and locate the stack corresponding to the cluster ID.
Click the CloudFormation stack name.
This stack name is the one in this format: <cluster-ID>-dwx-stack. For example, if the cluster ID is env-6cwwgg, the CloudFormation stack name for this cluster is env-6cwwgg-dwx-stack.
In CloudFormation stack details, in Resources, the NodeInstanceRole appears in the Logical ID column.
Click the hyperlink just to the right of it.
At the top of the Summary page, the Role ARN is listed.
- Specify the ARN for the Principal in the bucket policy.
- Click Save.