Update secure-s3.md #1600
Status: merged (1 commit), Oct 20, 2023
65 changes: 62 additions & 3 deletions docs/en/cloud/security/secure-s3.md
Expand Up @@ -30,7 +30,9 @@ This approach allows customers to manage all access to their S3 buckets in a sin

![s3info](@site/docs/en/cloud/security/images/secures3_arn.jpg)

### Setting up Cloudformation stack
### Setting up IAM assume role

#### Option 1: Deploying with Cloudformation stack

1 - Login to your AWS Account in the web browser with an IAM user that has permission to create & manage IAM role.

Expand All @@ -48,7 +50,7 @@ This approach allows customers to manage all access to their S3 buckets in a sin
| Bucket Access | Read | Sets the level of access for the provided buckets. |
| Bucket Names | | Comma separated list of **bucket names** that this role will have access to. |

*Note*: do not put the full bucket Arn but instead just the bucket name only.
*Note*: Do not put the full bucket Arn but instead just the bucket name only.

5 - Select the **I acknowledge that AWS CloudFormation might create IAM resources with custom names.** checkbox
6 - Click **Create stack** button at bottom right
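Review bot: since this line is being touched anyway for capitalisation, `bucket Arn` should read `bucket ARN` (it is an acronym, and the IAM console and AWS docs write it that way); the same applies to "IAM Role Arn" in the new Option 2 text.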
Expand All @@ -58,6 +60,63 @@ This approach allows customers to manage all access to their S3 buckets in a sin

![s3info](@site/docs/en/cloud/security/images/secures3_output.jpg)

#### Option 2: Manually create IAM role.

1 - Login to your AWS Account in the web browser with an IAM user that has permission to create & manage IAM role.

2 - Browse to IAM Service Console

3 - Create a new IAM role with the following IAM & Trust policy. Note that the name of the IAM role **must start with** `ClickHouseAccessRole-` for this to work.

Trust policy (Please replace {ClickHouse_IAM_ARN} with the IAM Role arn belong to your ClickHouse instance):

```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "{ClickHouse_IAM_ARN}"
},
"Action": "sts:AssumeRole",
}
]
}
```

IAM policy (Please replace {BUCKET_NAME} with your bucket name):

```
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::{BUCKET_NAME}"
],
"Effect": "Allow"
},
{
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::{BUCKET_NAME}/*"
],
"Effect": "Allow"
}
]
}
```

4 - Copy the new **IAM Role Arn** after creation. This is what needed to access your S3 bucket.

## Access your S3 bucket with the ClickHouseAccess Role

ClickHouse Cloud has a new feature that allows you to specify `extra_credentials` as part of the S3 table function. Below is an example of how to run a query using the newly created role copied from above.
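Review bot: the trust policy in this hunk is not valid JSON: the line `"Action": "sts:AssumeRole",` is followed directly by `}`, and that trailing comma will be rejected when the policy is pasted into the IAM console, so it needs to be removed. The second policy block is fenced without a language tag while the first uses ` ```json `; please tag it `json` for consistent highlighting. In the object-level statement, `"s3:List*"` on `arn:aws:s3:::{BUCKET_NAME}/*` has no effect, because the List actions apply to the bucket ARN (already covered by `s3:ListBucket` in the first statement), and `"s3:Get*"` grants more than reading object contents (object ACLs, tags, and so on); for a read-only role matching the "Read" bucket access level described for Option 1, `s3:GetObject` (plus `s3:GetObjectVersion` if the bucket is versioned) is the tighter choice. Two wording fixes: "the IAM Role arn belong to your ClickHouse instance" should be "the IAM role ARN belonging to your ClickHouse instance", and in step 4 "This is what needed" should be "This is what is needed". Finally, the heading `#### Option 2: Manually create IAM role.` ends with a period while the Option 1 heading does not.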
Expand All @@ -75,4 +134,4 @@ describe table s3('https://s3.amazonaws.com/BUCKETNAME/BUCKETOBJECT.csv','CSVWit

:::note
We recommend that your source S3 is in the same region as your ClickHouse Cloud Service to reduce on data transfer costs. For more information, refer to [S3 pricing]( https://aws.amazon.com/s3/pricing/)
:::
:::
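Review bot: the only change in this hunk is the trailing newline on the closing `:::`, which is fine, but the note text two lines above it says "to reduce on data transfer costs"; dropping the stray "on" would be worth doing while this block is already being edited.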