Create a cross-account IAM role
You need to create a cross-account IAM role, which will be referenced in a deployment credential, either from the Cloud settings page in the CelerData Cloud BYOC console before you create a deployment or as part of the workflow of creating a deployment.
Prerequisites
You have created a data credential and obtained the ARN of the data credential role and the name of the data credential bucket.
NOTE
The IAM role and bucket referenced in the data credential are referred to as the data credential role and the data credential bucket in this topic.
You can follow these steps to obtain the ARN of the data credential role and the name of the data credential bucket:
Sign in to the CelerData Cloud BYOC console.
In the left-side navigation pane, choose Cloud settings > AWS.
On the Data credentials tab of the AWS Cloud page, click the data credential that you want to associate with the deployment credential to be created.
In the right-side pane that appears, copy the Bucket name and save it to a location that you can access later. Also, find the Instance profile ARN, for example, arn:aws:iam::081976408565:instance-profile/byoc-common, based on which you can infer that the name of the data credential role is byoc-common.
Log in to the IAM console.
Navigate to the Roles page and enter byoc-common in the search box to search for the data credential role. Then, click the data credential role you have found.
On the role details page, copy the data credential role's ARN (for example, arn:aws:iam::081976408565:role/byoc-common) and save it to a location that you can access later.
Before you begin
To create a cross-account IAM role before deployment, follow these steps:
Sign in to the CelerData Cloud BYOC console.
In the left-side navigation pane, choose Cloud settings > AWS.
On the Deployment credentials tab of the AWS Cloud page, click Create deployment credential.
In the Create deployment credential dialog box, copy the JSON policy template in IAM policy information, the Trust account ID, and the External ID, and save the information you have obtained to a location that you can access later.
To create a cross-account IAM role during deployment, follow these steps:
Sign in to the CelerData Cloud BYOC console.
Start the deployment wizard and proceed to STEP2: Set up your AWS credentials.
In the Deployment credential section, select or create a deployment credential, click Generate policy next to IAM policy information, copy the JSON policy template generated in IAM policy information, the Trust account ID, and the External ID, and then save the information you have obtained to a location that you can access later.
Step 1: Create a cross-account IAM role
Sign in to the AWS IAM console as a user with administrator privileges.
In the left-side navigation pane, choose Access management > Roles.
On the Roles page, click Create role.
The Create role wizard appears, helping you create an IAM role with three steps.
In the Select trusted entity step, do as follows:
a. In the Trusted entity type section, select AWS account.
b. In the An AWS account section, select the check box next to Another AWS account and then paste the Trust account ID that you have obtained in Before you begin to the Account ID field.
c. In the Options section, select the check box next to Require external ID and then paste the External ID that you have obtained in Before you begin to the External ID field.
d. Click Next.
In the Add permissions step, click Next.
In the Name, review, and create step, enter a role name, optionally enter a description or add tags, and then click Create role.
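After Step 1, the role's trust policy should name only the Trust account ID as principal and require the External ID, the condition that guards against the confused deputy problem. The check below is an added example, not part of the original documentation: the account ID and external ID are constructed placeholders, and the input is the trust policy JSON that `aws iam get-role` returns under AssumeRolePolicyDocument.

```python
import json

# Constructed sample values (assumptions): use the Trust account ID and
# External ID copied from the Create deployment credential dialog box.
TRUST_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "example-external-id"

def as_list(value):
    return value if isinstance(value, list) else [value]

def account_of(principal):
    # A principal is a bare 12-digit account ID, an ARN, or "*".
    parts = principal.split(":")
    return parts[4] if principal.startswith("arn:") and len(parts) > 5 else principal

def audit_trust_policy(policy_json, trust_account_id, external_id):
    """Return findings for Allow statements that grant sts:AssumeRole."""
    findings = []
    for n, stmt in enumerate(as_list(json.loads(policy_json)["Statement"])):
        actions = {a.lower() for a in as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            principal = {"AWS": principal}  # covers "Principal": "*"
        for kind, values in principal.items():
            for p in as_list(values):
                if kind != "AWS" or account_of(p) != trust_account_id:
                    findings.append(f"statement {n}: unexpected principal {kind}={p}")
        # IAM condition key names are case-insensitive.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ext = [v for k, v in equals.items() if k.lower() == "sts:externalid"]
        if not ext or as_list(ext[0]) != [external_id]:
            findings.append(f"statement {n}: sts:ExternalId condition missing or mismatched")
    return findings

def sample_policy(account_id, condition):
    # Constructed trust policy in the shape produced by choosing
    # "Another AWS account" in the Create role wizard.
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"}}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

if __name__ == "__main__":
    cond = {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}
    print(audit_trust_policy(sample_policy(TRUST_ACCOUNT_ID, cond), TRUST_ACCOUNT_ID, EXTERNAL_ID))
    print(audit_trust_policy(sample_policy(TRUST_ACCOUNT_ID, None), TRUST_ACCOUNT_ID, EXTERNAL_ID))
```

An empty list means the trust policy matches what the wizard steps above should have produced; any finding points at a statement to correct before the role's ARN is handed to the deployment credential.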
Step 2: Add an inline policy to the cross-account IAM role
In the left-side navigation pane, choose Access management > Roles.
On the Roles page, find the IAM role that you just created and click its name.
In the Permissions policies section of the page that appears, click Add permissions and choose Create inline policy.
In the Specify permissions step, perform either of the following operations depending on whether you create the cross-account IAM role before or during deployment:
If you create the cross-account IAM role before deployment:
Click the JSON tab, delete the existing JSON policy document, and paste the Policy template that you have obtained in Before you begin. In the policy template, replace <Storage Role ARN> with the ARN of the data credential role and <s3-bucket-name> with the name of the data credential bucket. Then, click Review policy.
If you create the cross-account IAM role during deployment:
Click the JSON tab, delete the existing JSON policy document, and paste the Policy template that you have obtained in Before you begin. Then, click Review policy.
In the Review Policy step, enter a policy name and click Create policy.
Step 3: Obtain the ARN of the cross-account IAM role
In the Summary section of the role details page that appears, copy the ARN of the cross-account IAM role and save the ARN to a location that you can access later. You will need to provide the ARN when you create a deployment credential.