From 56bdf52be9558848d0417b0e2fb64c13468aeef8 Mon Sep 17 00:00:00 2001 From: San Date: Fri, 20 Oct 2023 08:18:17 +0000 Subject: [PATCH] Update secure-s3.md Update secure s3 documentation with manual creation steps for Secure S3 access IAM role. --- docs/en/cloud/security/secure-s3.md | 65 +++++++++++++++++++++++++++-- 1 file changed, 62 insertions(+), 3 deletions(-) diff --git a/docs/en/cloud/security/secure-s3.md b/docs/en/cloud/security/secure-s3.md index b0b6a831b0b..a48fb475fcd 100644 --- a/docs/en/cloud/security/secure-s3.md +++ b/docs/en/cloud/security/secure-s3.md @@ -30,7 +30,9 @@ This approach allows customers to manage all access to their S3 buckets in a sin ![s3info](@site/docs/en/cloud/security/images/secures3_arn.jpg) -### Setting up Cloudformation stack +### Setting up IAM assume role + +#### Option 1: Deploying with Cloudformation stack 1 - Login to your AWS Account in the web browser with an IAM user that has permission to create & manage IAM role. @@ -48,7 +50,7 @@ This approach allows customers to manage all access to their S3 buckets in a sin | Bucket Access | Read | Sets the level of access for the provided buckets. | | Bucket Names | | Comma separated list of **bucket names** that this role will have access to. | -*Note*: do not put the full bucket Arn but instead just the bucket name only. +*Note*: Do not put the full bucket Arn but instead just the bucket name only. 5 - Select the **I acknowledge that AWS CloudFormation might create IAM resources with custom names.** checkbox 6 - Click **Create stack** button at bottom right 
@@ -58,6 +60,63 @@ This approach allows customers to manage all access to their S3 buckets in a sin ![s3info](@site/docs/en/cloud/security/images/secures3_output.jpg) +#### Option 2: Manually create IAM role. + +1 - Login to your AWS Account in the web browser with an IAM user that has permission to create & manage IAM role. + +2 - Browse to IAM Service Console + +3 - Create a new IAM role with the following IAM & Trust policy. Note that the name of the IAM role **must start with** `ClickHouseAccessRole-` for this to work. + +Trust policy (Please replace {ClickHouse_IAM_ARN} with the IAM Role arn belong to your ClickHouse instance): + +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "{ClickHouse_IAM_ARN}" + }, + "Action": "sts:AssumeRole", + } + ] +} +``` + +IAM policy (Please replace {BUCKET_NAME} with your bucket name): + +``` +{ + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "s3:GetBucketLocation", + "s3:ListBucket" + ], + "Resource": [ + "arn:aws:s3:::{BUCKET_NAME}" + ], + "Effect": "Allow" + }, + { + "Action": [ + "s3:Get*", + "s3:List*" + ], + "Resource": [ + "arn:aws:s3:::{BUCKET_NAME}/*" + ], + "Effect": "Allow" + } + ] +} +``` + +4 - Copy the new **IAM Role Arn** after creation. This is what needed to access your S3 bucket. + ## Access your S3 bucket with the ClickHouseAccess Role ClickHouse Cloud has a new feature that allows you to specify `extra_credentials` as part of the S3 table function. Below is an example of how to run a query using the newly created role copied from above. @@ -75,4 +134,4 @@ describe table s3('https://s3.amazonaws.com/BUCKETNAME/BUCKETOBJECT.csv','CSVWit :::note We recommend that your source S3 is in the same region as your ClickHouse Cloud Service to reduce on data transfer costs. For more information, refer to [S3 pricing]( https://aws.amazon.com/s3/pricing/) -::: \ No newline at end of file +:::
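Review bot: The trust policy in this hunk is not valid JSON — the trailing comma after `"Action": "sts:AssumeRole",` will be rejected when the block is pasted into the IAM console, so the line should read `"Action": "sts:AssumeRole"`. The second fence (the permissions policy) is untagged while the trust-policy fence is ```json; tag it `json` as well so both blocks render and lint the same way. For a role the page describes as read access, `s3:Get*`/`s3:List*` on `arn:aws:s3:::{BUCKET_NAME}/*` grants more than object reads (ACL and tagging reads are included); `s3:GetObject` is the narrower statement, assuming the feature needs nothing beyond object retrieval. The trust policy also carries no `Condition` block; if the CloudFormation template from Option 1 pins the ClickHouse principal with an `sts:ExternalId` condition, the manual steps should mirror it — that template is outside this diff, so this needs checking rather than assuming either way. Minor wording on the added lines: `arn belong to your ClickHouse instance` → `ARN belonging to your ClickHouse instance`, and `This is what needed` → `This is what is needed`.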