Accessing buckets in a different AWS account under RAZ
In a Ranger Authorized (RAZ) environment, to access an S3 external bucket in a
different AWS account from the CDW cluster, you must configure the bucket policy of the
other account. You use the AWS Management Console to do this.
You must meet the prerequisites mentioned in the topic
above.
Add the ARN of the external bucket to the "Resource" array of values in the
JSON file for the
aws-cdp-datalake-admin-s3-policy.
For example, the values in the Resource array give the CDW cluster access to
external bucket MY_EXTERNAL_BUCKET.
Get the cluster ID from the Environments tile in the CDW service UI.
For example:
You use this cluster ID later.
In the AWS Console, navigate to AWS Management Console > S3, locate the bucket in the other AWS account you added, and then click the bucket name.
In the bucket details page, click Permissions, and then click Bucket Policy.
In Bucket Policy, in the Bucket policy editor, add the
CDW cluster Id and the permissions you want the CDW service account to have to
this bucket.
This example policy includes the following specifications:
This first section includes the Sid, which is an
optional identifier indicating what the policy does. The
Effect specifies that this policy is allowing
the Principal to do what is listed below in the
Action section. The Principal
is where you specify the ARN of the instance role for your CDW
cluster account.
The Action section specifies what actions the
Principal can perform.
The Resource section specifies the S3 bucket you added that your CDW
cluster will access.
Navigate to AWS Management Console > CloudFormation and locate the stack
corresponding to the cluster ID.
Click the CloudFormation stack name.
This stack name is the one in this format: <cluster-ID>-dwx-stack. For example, if the cluster ID is env-6cwwgg, the CloudFormation stack name for this cluster is env-6cwwgg-dwx-stack.
In CloudFormation stack details, in Resources, the NodeInstanceRole appears in
the Logical ID column.
Click the hyperlink just to the right of it.
At the top of the Summary page, the Role ARN is listed.
Specify the ARN for the Principal in the bucket policy.