Set Up Credentials
This page is currently under development and will be updated soon.
In order to be able to create, register, and access arrays through the TileDB Cloud service, you need to set up access credentials. For S3-compatible object stores, TileDB Cloud supports both IAM Roles and Access Credential key pairs. TileDB Cloud securely stores all keys in an encrypted database and never grants your keys to any other user. TileDB Cloud uses your keys in containerized stateless workers, which are under TileDB's full control and inaccessible by any other user's code (e.g., SQL or UDFs).
Note: You can add multiple AWS keys to TileDB Cloud, register different arrays with different keys, select a key to be your default key, and revoke any key at any time.
AWS Access Keys
You can add your AWS keys from the AWS credentials tab of Settings as follows:
AWS Assume Role
An AWS AssumeRole policy solves the same problem that access keys solved above: enabling AWS cross-account access, so that a role in one account can access a bucket in a separate account.
When using AWS AssumeRole, temporary keys are created through the Security Token Service (STS) and used by the deployment party (TileDB Cloud Console). This means that an organisation does not need to create an AWS IAM User and generate key pairs for every user logging into TileDB Cloud Console. Instead, after a User is authenticated, the AssumeRole functionality enables TileDB Cloud Console to access the bucket on behalf of that User, and the credentials used in that case can be reused by multiple Users in the same organisation that need to access the same S3 buckets.
As an example, let's consider the AWS account TileDB Cloud operates from (Account A), which needs to access bucket(s) in the User's AWS account (Account B). For that purpose, Account B has a bucket created. The most common setup is to create an IAM role for TileDB Cloud to use and then allow it to access a specific bucket with an AWS S3 bucket policy. Requests to assume the role will only be granted when they come from our AWS account and carry our External ID.
Steps:
1. In TileDB Cloud Console, navigate to Settings, then select the Cloud Credentials tab.
2. Click Add credentials, then select ARN Role and click Next, and Next again in the following step, which is just a short description.
3. Select the Existing Role tab, which presents the Account A ID as well as the External ID.
4. Select the New Role tab, which proposes the JSON Account B can use to create the role. Note the Account A ID as well as the External ID.
5. In Account B, the User (or Admin) creates the bucket policy.
6. In Account B, the User (or Admin) creates the role, using the Account A ID and the External ID.
7. In Account B, the User (or Admin) attaches the policy to the role.
8. Obtain the ARN of the new role.
9. Press Next in the TileDB Console Add Credentials modal dialog and enter a name for the new AssumeRole credentials and the ARN obtained in the previous step.
10. Test the connection.
Example configurations have been detailed below:
AWS IAM Role:
Note: Both the AWS Principal and External ID will be provided when attempting to register the ARN role
AWS S3 Bucket Policy:
Set up KMS for the target bucket
The target bucket may require encryption with a KMS key.
To enable KMS usage for the target bucket, edit the policy of the KMS key and add a statement that grants access to the role created above.
Example configuration is provided below
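As an added illustration (not TileDB's code and not the page's own configuration), the three documents the steps above ask for are built here in Python: the role's trust policy gated on the External ID, the S3 bucket policy for that role, and the KMS key policy statement from the section above, plus a check that the trust policy really requires the External ID. The account IDs, External ID, role ARN, bucket name and the exact S3 actions (list, get, put, delete) are assumptions; the real Account A ID and External ID are the ones shown in the Add credentials dialog.

```python
# Placeholders only: the real Account A ID and External ID are shown in the
# TileDB Cloud "Add credentials" dialog; role and bucket names are hypothetical.
ACCOUNT_A_ID = "111111111111"            # Account A: TileDB Cloud's AWS account
EXTERNAL_ID = "EXTERNAL-ID-FROM-DIALOG"  # External ID shown in the dialog
ROLE_ARN = "arn:aws:iam::222222222222:role/tiledb-cloud-access"  # role in Account B
BUCKET = "my-tiledb-arrays"              # bucket in Account B

def trust_policy(account_a_id, external_id):
    """Trust policy for the role in Account B: only Account A may assume it,
    and only when the AssumeRole call carries the agreed External ID."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_a_id}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}

def bucket_policy(role_arn, bucket):
    """Bucket policy granting that role list access on the bucket and
    object read/write access under it, and nothing on any other bucket."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": role_arn},
         "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": f"arn:aws:s3:::{bucket}"},
        {"Effect": "Allow", "Principal": {"AWS": role_arn},
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": f"arn:aws:s3:::{bucket}/*"}]}

def kms_key_statement(role_arn):
    """Statement to add to the KMS key policy when the bucket uses SSE-KMS."""
    return {"Effect": "Allow", "Principal": {"AWS": role_arn},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                       "kms:GenerateDataKey*", "kms:DescribeKey"],
            "Resource": "*"}

def trust_policy_requires_external_id(policy):
    """True only if every Allow of sts:AssumeRole is gated on sts:ExternalId;
    without that condition any caller from Account A could assume the role."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        actions = actions if isinstance(actions, list) else [actions]
        if stmt["Effect"] == "Allow" and "sts:AssumeRole" in actions:
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if not cond.get("sts:ExternalId"):
                return False
    return True
```

Run `trust_policy_requires_external_id` over the trust policy before pasting it into Account B; a role whose trust policy lacks the condition is exactly the misconfiguration the External ID is there to prevent.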