Update secure-s3.md
Update secure s3 documentation with manual creation steps for Secure S3 access IAM role.
santrancisco authored Oct 20, 2023
1 parent 6c0d30a commit 56bdf52
Showing 1 changed file with 62 additions and 3 deletions.
65 changes: 62 additions & 3 deletions docs/en/cloud/security/secure-s3.md
Expand Up @@ -30,7 +30,9 @@ This approach allows customers to manage all access to their S3 buckets in a sin

![s3info](@site/docs/en/cloud/security/images/secures3_arn.jpg)

### Setting up Cloudformation stack
### Setting up IAM assume role

#### Option 1: Deploying with Cloudformation stack

1 - Login to your AWS Account in the web browser with an IAM user that has permission to create & manage IAM role.

Expand All @@ -48,7 +50,7 @@ This approach allows customers to manage all access to their S3 buckets in a sin
| Bucket Access | Read | Sets the level of access for the provided buckets. |
| Bucket Names | | Comma separated list of **bucket names** that this role will have access to. |

*Note*: do not put the full bucket Arn but instead just the bucket name only.
*Note*: Do not put the full bucket Arn but instead just the bucket name only.

5 - Select the **I acknowledge that AWS CloudFormation might create IAM resources with custom names.** checkbox
6 - Click **Create stack** button at bottom right
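Review bot: the reworded note `*Note*: Do not put the full bucket Arn but instead just the bucket name only.` only changes the capital D and keeps the awkward "but instead ... only" construction and the "Arn" spelling; suggest `*Note*: Enter only the bucket name, not the full bucket ARN.` so the instruction is unambiguous for the Bucket Names field above it.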
Expand All @@ -58,6 +60,63 @@ This approach allows customers to manage all access to their S3 buckets in a sin

![s3info](@site/docs/en/cloud/security/images/secures3_output.jpg)

#### Option 2: Manually create IAM role.

1 - Login to your AWS Account in the web browser with an IAM user that has permission to create & manage IAM role.

2 - Browse to IAM Service Console

3 - Create a new IAM role with the following IAM & Trust policy. Note that the name of the IAM role **must start with** `ClickHouseAccessRole-` for this to work.

Trust policy (Please replace {ClickHouse_IAM_ARN} with the IAM Role arn belong to your ClickHouse instance):

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "{ClickHouse_IAM_ARN}"
},
"Action": "sts:AssumeRole",
}
]
}
```

IAM policy (Please replace {BUCKET_NAME} with your bucket name):

```
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::{BUCKET_NAME}"
],
"Effect": "Allow"
},
{
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::{BUCKET_NAME}/*"
],
"Effect": "Allow"
}
]
}
```

4 - Copy the new **IAM Role Arn** after creation. This is what needed to access your S3 bucket.

## Access your S3 bucket with the ClickHouseAccess Role

ClickHouse Cloud has a new feature that allows you to specify `extra_credentials` as part of the S3 table function. Below is an example of how to run a query using the newly created role copied from above.
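Review bot: the trust policy block under `#### Option 2: Manually create IAM role.` is not valid JSON: the trailing comma in `"Action": "sts:AssumeRole",` will be rejected when pasted into the IAM console, so drop it. The second code fence is untagged while the first uses ```json; tag both so they render consistently. Because the IAM policy only grants `s3:GetBucketLocation`/`s3:ListBucket` on the bucket and `s3:Get*`/`s3:List*` on its objects, it corresponds to the "Read" bucket access level of Option 1; state that explicitly so readers who need a different access level know this policy alone will not provide it. Minor wording: "IAM Role arn belong to your ClickHouse instance" should read "IAM role ARN belonging to your ClickHouse instance", "This is what needed" should read "This is what is needed", and the heading's trailing period is inconsistent with the Option 1 heading.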
Expand All @@ -75,4 +134,4 @@ describe table s3('https://s3.amazonaws.com/BUCKETNAME/BUCKETOBJECT.csv','CSVWit

:::note
We recommend that your source S3 is in the same region as your ClickHouse Cloud Service to reduce on data transfer costs. For more information, refer to [S3 pricing]( https://aws.amazon.com/s3/pricing/)
:::
:::
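Review bot: the only change in this hunk is adding the missing newline at end of file, which is fine; while this block is being touched, the note text `reduce on data transfer costs` should read `reduce data transfer costs`, the sentence is missing its final period, and the link target `( https://aws.amazon.com/s3/pricing/)` has a stray leading space that some Markdown renderers will not treat as a link.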