Set Up Credentials
To create, register, and access arrays through the TileDB Cloud service, you must set up access credentials. For S3-compatible object stores, TileDB Cloud supports both IAM roles and access key pairs. TileDB Cloud stores all keys in an encrypted database and never exposes them to any other user. It uses your keys only inside containerized, stateless workers that are under TileDB's full control and inaccessible to any other user's code (e.g., SQL or UDFs).
Note: You can add multiple AWS keys to TileDB Cloud, register different arrays with different keys, select a key to be your default key, and revoke any key at any time.

AWS Access Keys

You can add your AWS keys from the AWS credentials tab of Settings.

AWS IAM Roles

Unlike an access key pair, which is bound to a single IAM user, an IAM role can be assumed by more than one principal: several people, or, in TileDB Cloud's case, a specific service. TileDB Cloud assumes the role configured on your TileDB Cloud account, obtains temporary credentials from AWS STS on its behalf, and with them can reach only the resources you have allowed the role to access. The most common setup is to create an IAM role for TileDB Cloud to use and then grant it access to a specific bucket with an S3 bucket policy. The role's trust policy restricts `sts:AssumeRole` to TileDB's AWS account and additionally requires TileDB's external ID, so a request to assume the role is honored only when it comes from that account and presents that ID (the external ID is the standard defense against the confused-deputy problem, where a third party tricks the service into using your role on their behalf).
Steps:
  1. Create an IAM role using the information provided in TileDB Cloud.
  2. Create the bucket policy allowing access to the bucket.
  3. Register the ARN of the role created in step 1 in TileDB Cloud.
  4. Test the connection.
Example configurations are shown below.
AWS IAM Role (trust policy):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<PROVIDED IN UI>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<PROVIDED IN UI>"
        }
      }
    }
  ]
}
```
Note: Both the AWS principal (TileDB's account ID) and the external ID are shown in the UI when you register the role ARN. Keep the `sts:ExternalId` condition; without it, any principal in the trusted account could assume the role.
AWS S3 Bucket Policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListObjectsInBucket",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<IAM ROLE ARN>"
      },
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::<BUCKET NAME>"]
    },
    {
      "Sid": "AllObjectActions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<IAM ROLE ARN>"
      },
      "Action": "s3:*Object",
      "Resource": ["arn:aws:s3:::<BUCKET NAME>/*"]
    }
  ]
}
```
Note: Every statement in a bucket policy must name a `Principal`, so the second statement carries the role ARN as well. `s3:*Object` matches `s3:DeleteObject` in addition to get and put; if TileDB Cloud should not be able to delete data in the bucket, list the object actions you need explicitly instead of using the wildcard.
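The two policy documents above are easy to get subtly wrong by hand (a missing `Principal`, a forgotten external ID condition, a wildcard principal left in from testing). The following is an added example, not code from TileDB or from the original page: it generates both documents from parameters, enumerates the object actions instead of using `s3:*Object`, and lints a trust policy against the requirements described in this section. The account ID, external ID, role ARN and bucket name in it are constructed placeholders; the real account ID and external ID come from the TileDB Cloud UI.

```python
"""Generate and lint the trust policy and bucket policy for a TileDB Cloud IAM role.

Added example for this page; the values below are constructed placeholders,
not real TileDB Cloud identifiers.
"""
import json

TILEDB_ACCOUNT_ID = "123456789012"            # placeholder: shown in the TileDB Cloud UI
EXTERNAL_ID = "tiledb-example-external-id"    # placeholder: shown in the TileDB Cloud UI


def trust_policy(tiledb_account_id: str, external_id: str) -> dict:
    """Trust policy: only the TileDB Cloud account may assume the role, and only
    when it presents the external ID (confused-deputy mitigation)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{tiledb_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def bucket_policy(role_arn: str, bucket: str,
                  object_actions=("s3:GetObject", "s3:PutObject", "s3:DeleteObject")) -> dict:
    """Bucket policy granting the role ListBucket on the bucket and the given
    object actions on its keys. Both statements carry a Principal, and the
    object actions are enumerated rather than matched with s3:*Object."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListObjectsInBucket",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
            },
            {
                "Sid": "ObjectActions",
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": list(object_actions),
                "Resource": [f"arn:aws:s3:::{bucket}/*"],
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_trust_policy(policy: dict, expected_account_id: str) -> list:
    """Return findings for every Allow statement that grants sts:AssumeRole.
    An empty list means each grant is pinned to the expected AWS account and
    requires an sts:ExternalId condition."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if principal == "*" or "*" in principals:
            findings.append(f"statement {i}: wildcard principal may assume the role")
        for p in principals:
            if p == "*":
                continue
            # Accept either arn:aws:iam::<account>:root or a bare account ID.
            account = p.split(":")[4] if p.startswith("arn:") else p
            if account != expected_account_id:
                findings.append(f"statement {i}: principal {p} is not account {expected_account_id}")
        external = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external:
            findings.append(f"statement {i}: missing sts:ExternalId condition")
    return findings


def render(policy: dict) -> str:
    """JSON suitable for `aws iam create-role --assume-role-policy-document file://...`
    and `aws s3api put-bucket-policy --policy file://...`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    good = trust_policy(TILEDB_ACCOUNT_ID, EXTERNAL_ID)
    # Constructed weak policy: anyone may assume the role, no external ID required.
    weak = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
    print(render(good))
    print(render(bucket_policy("arn:aws:iam::111122223333:role/tiledb-cloud", "my-tiledb-bucket")))
    print("good:", lint_trust_policy(good, TILEDB_ACCOUNT_ID))
    print("weak:", lint_trust_policy(weak, TILEDB_ACCOUNT_ID))
```

Write the rendered documents to files, create the role with `aws iam create-role --role-name <name> --assume-role-policy-document file://trust.json`, attach the bucket policy with `aws s3api put-bucket-policy --bucket <bucket> --policy file://bucket.json`, then register the role ARN in TileDB Cloud and use its connection test for step 4; you cannot exercise the trust policy yourself, because only TileDB's account is allowed to assume the role.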