Accessing buckets in a different AWS account under a managed policy

You might need to know how to add read/write access to S3 buckets under AWS accounts that are different from the Cloudera Data Warehouse cluster account.

To enable Cloudera Data Warehouse service cluster access to a bucket you add to S3 under a different AWS account, you must configure the bucket in the different account to access the Cloudera Data Warehouse cluster account. Then, you can configure the Cloudera Data Warehouse service account to access the bucket you added. You perform both of these tasks in the AWS Management Console.

Required role: DWAdmin

To configure access to external S3 buckets for your Cloudera Data Warehouse cluster, you must edit the managed policy attached to the AWS instance profile.

You use this cluster ID in Step 5 below.

In the AWS Console, navigate to AWS Management Console > S3, locate the bucket in the other AWS account you added, and then click the bucket name.
In the bucket details page, click the Permissions tab, and then click the Bucket Policy sub-tab.
In the Bucket Policy sub-tab page, in the Bucket policy editor, add the Cloudera Data Warehouse cluster Id and what permissions you want the Cloudera Data Warehouse service account to have for this bucket:
This example policy includes the following specifications:
- tip
  To get the ARN of your Cloudera Data Warehouse cluster account: In the AWS Console, navigate to CloudFormation and locate the stack for your Cloudera Data Warehouse cluster. Click the stack name. In the stack details page, click the Resources tab. In the Resources table, scroll down to the NodeInstanceRole, and then click the hyperlink just to the right of it. At the top of the Summary page, the Role ARN is listed. This is the ARN you must specify for the Principal in the bucket policy.
- The Action section specifies what actions the Principal can perform.
- The Resource section specifies the S3 bucket you added and want your Cloudera Data Warehouse cluster to be able to access.
For details about bucket policies, see Managing Access to Amazon S3 Buckets Using Bucket Policies in the AWS documentation.
Click Save.
Note the managed policy ARN attached to the Node Instance Role, used while activating the cluster.
Open the managed policy JSON file, for example noderole-inline-policy.json for editing
Locate the sid "putgetmybucketpaths" for editing.
Append resources to the resource section for the buckets you added.
For example, if you want to add access to the more-sales-data bucket, you append resources to the end of the "resource" section, as shown in the last two resource names:
```
"Resource":[
            ...
            "arn:aws:s3:::roohi-dl-bucket/backup/*",
            "arn:aws:s3:::more-sales-data",
            "arn:aws:s3:::more-sales-data/*"
            ],
```
important
There is no comma after the last line of the "Resource" section.
Click Review policy in the lower right corner of the page, and then click Save changes. You can access the new bucket from your Cloudera Data Warehouse service cluster now. For example, you can create external Hive tables that point to the bucket.