Cloud Read/Write Permissions
- Capella Columnar
- reference
This page outlines the required read and write permissions when copying data to or from external cloud providers.
Exclusive permissions are required when reading from cloud storage using External Collections or writing to cloud storage using COPY TO statements.
AWS Simple Storage Service (S3)
Read Permissions
Read permissions are needed when reading from cloud storage using External Collections. To grant the required permissions, follow these steps:
First, create a policy that has the desired permissions:
-
Go to the AWS Console.
-
From the Dashboard, select IAM.
-
Select Policies.
-
Select Create Policy.
-
In the Policy Editor, select JSON.
-
Paste the following policy:
-
s3:ListBucket permission -
s3:GetObject permission{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": "arn:aws:s3:::your-bucket-name/*" }, { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::your-bucket-name" } ] }
-
-
Give the policy a name and create the policy.
-
Attach the policy to the desired IAM User or Role.
It grants the selected permissions to the selected resources in the policy.
Read and Write Permissions
Read and write permissions are needed when writing to cloud storage using COPY TO statements.
-
Go to the AWS Console.
-
From the Dashboard, select IAM.
-
Select Policies.
-
Select Create Policy.
-
In the Policy Editor, select JSON.
-
Paste the following policy:
-
s3:ListBucket permission -
s3:GetObject permission -
s3:PutObject permission -
s3:DeleteObject permission
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject" ], "Resource": "arn:aws:s3:::your-bucket-name/*" }, { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::your-bucket-name" } ] } -
You have granted all necessary permissions.
Google Cloud Storage
Read Permissions
Read permissions are needed when reading from cloud storage using External Collections.
To grant the required permissions, follow these steps:
First, create a role that has the desired permissions:
-
Go to the Google Cloud console.
-
From the Dashboard, go to IAM and Admin and select Roles.
-
Select Create Role.
-
Fill in the information (Title, Description, … etc).
-
Select Add Permissions.
-
Select the following permissions:
-
storage.objects.get -
storage.objects.list
-
-
Select Add.
-
Select Create.
Next, add the Service Account to the bucket and assign it the created role above:
-
Go to the Google Cloud console.
-
From the Dashboard, go to Cloud Storage and select Buckets.
-
Select the desired bucket.
-
From the Bucket page, select the Permissions tab.
-
Under View by Principals, select Grant Access.
-
Under Add Principal, add the desired Service Account.
-
Under Assign Roles, select the Role created in the previous steps.
Read and Write Permissions
Read and write permissions are needed when writing to cloud storage using COPY TO statements.
-
Go to the Google Cloud console.
-
From the Dashboard, go to IAM and Admin and select Roles.
-
Select Create Role.
-
Fill in the information (Title, Description, … etc).
-
Select Add Permissions.
-
Select the following permissions:
-
storage.objects.get -
storage.objects.list -
storage.objects.create -
storage.objects.delete
-
-
Select Add.
-
Select Create.
Next, add the Service Account to the bucket and assign it the created role above:
-
Go to the Google Cloud console.
-
From the Dashboard, go to Cloud Storage and select Buckets.
-
Select the desired bucket.
-
From the Bucket page, select the Permissions tab.
-
Under View by Principals, select Grant Access.
-
Under Add Principal, add the desired Service Account.
-
Under Assign Roles, select the Role created in the previous steps.
You have granted all necessary permissions.