Create a Data Credential

VeloDB adopts a storage-compute separation architecture, in which data is typically stored in object storage. To ensure that the warehouse can access the underlying data, a Data Credential must be created in advance. At its core, a Data Credential consists of an IAM policy and an IAM role; VeloDB automatically attaches this role to the EC2 instances used by the VeloDB warehouse. The detailed steps follow.

Step 1: Create an S3 Bucket

First, you need to prepare an S3 Bucket. If you already have one, you can skip this step and proceed to Step 2.

NOTE The S3 bucket you use must be located in the same AWS region where your VeloDB warehouses are deployed. If you do not already have a bucket in that region, please create one before proceeding.

  1. Log in to the AWS S3 Console as a user with administrator privileges.
  2. Click the Create bucket button.
  3. On the create bucket page, set the following options:
    1. Enter a name for the bucket.
    2. Select the AWS region that you will use for your VeloDB warehouse deployment.
    3. Enable Bucket Versioning (recommended).
  4. Click Create bucket.
  5. Copy the bucket name; you will enter it in the VeloDB console.

Step 2: Create an IAM Policy

After the S3 bucket is provisioned, create an IAM policy that grants read and write access to the bucket.

  1. Log in to the AWS IAM Console as a user with administrator privileges.

  2. Click the Policies tab in the sidebar.

  3. Click the Create policy button.

  4. In the policy editor, click the JSON tab.

  5. Copy and paste the following access policy into the editor, replacing <YOUR-BUCKET-NAME> with the name of the S3 bucket you prepared in the previous step.

    {
         "Version": "2012-10-17",
         "Statement":
         [
             {
                 "Effect": "Allow",
                 "Resource": "arn:aws:s3:::<YOUR-BUCKET-NAME>",
                 "Action":
                 [
                     "s3:GetBucketLocation",
                     "s3:GetBucketVersioning",
                     "s3:PutBucketCORS",
                     "s3:ListBucket",
                     "s3:ListBucketVersions",
                     "s3:ListBucketMultipartUploads"
                 ]
             },
             {
                 "Effect": "Allow",
                 "Resource": "arn:aws:s3:::<YOUR-BUCKET-NAME>/*",
                 "Action":
                 [
                     "s3:GetObject",
                     "s3:GetObjectVersion",
                     "s3:PutObject",
                     "s3:DeleteObject",
                     "s3:DeleteObjectVersion",
                     "s3:AbortMultipartUpload",
                     "s3:ListMultipartUploadParts"
                 ]
             },
             {
                 "Effect": "Allow",
                 "Action":
                 [
                     "sts:AssumeRole"
                 ],
                 "Resource": "*"
             }
         ]
    }

  6. Click the Next button.

  7. In the Name field, enter a policy name (e.g. VeloDBDataStorageAccess).

  8. Click Create policy.

Step 3: Create a Service IAM Role

  1. Click the Roles tab in the IAM console sidebar.

  2. Click Create role.

    1. Trusted entity type: Select AWS service.
    2. Use cases: Select EC2.
    3. Click the Next button.
    4. Attach Permission Policies: In the policy search box, search for the policy you created in Step 2 and select it.
    5. In the role name field, enter a role name. (e.g. VeloDBDataStorageAccessRole)
    6. Click Create role.
  3. Update the Role's Trust Relationships.

    Now that the role exists, you must update its trust policy to make it self-assuming, so that both the EC2 service and the role itself are allowed to assume it. In the IAM role you just created, go to the Trust Relationships tab and edit the trust relationship policy as follows, replacing the <YOUR-AWS-ACCOUNT-ID> and <YOUR-ROLE-NAME> values.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "ec2.amazonaws.com",
            "AWS": "arn:aws:iam::<YOUR-AWS-ACCOUNT-ID>:role/<YOUR-ROLE-NAME>"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  4. In the role summary, copy the Instance Profile ARN (format: arn:aws:iam::<YOUR-AWS-ACCOUNT-ID>:instance-profile/<YOUR-ROLE-NAME>); you will enter it in the VeloDB console.
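The following script, added here as an example and not part of VeloDB's documentation or tooling, renders the Step 2 permissions policy and the Step 3 trust policy from a bucket name, account id and role name, checks that the filled-in documents still have the shape the page describes (every S3 statement limited to the named bucket, no placeholders left behind, only the EC2 service and the role itself as principals), and computes the Instance Profile ARN that Step 3 asks you to copy. The bucket name, account id and file names are constructed sample values. It also lists which actions the permissions policy grants on Resource "*": in the page's policy that is sts:AssumeRole, which still requires the target role's trust policy to permit the assumption.

```python
"""Render and sanity-check the IAM documents from Steps 2 and 3 (added example,
not VeloDB's tooling). Bucket name, account id and role name are constructed."""
import json
import re

BUCKET = "velodb-data-example"          # constructed sample values
ACCOUNT_ID = "123456789012"
ROLE_NAME = "VeloDBDataStorageAccessRole"

BUCKET_ACTIONS = ["s3:GetBucketLocation", "s3:GetBucketVersioning", "s3:PutBucketCORS",
                  "s3:ListBucket", "s3:ListBucketVersions", "s3:ListBucketMultipartUploads"]
OBJECT_ACTIONS = ["s3:GetObject", "s3:GetObjectVersion", "s3:PutObject", "s3:DeleteObject",
                  "s3:DeleteObjectVersion", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"]

def _as_list(value):
    """IAM accepts a string or a list in Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]

def role_arn(account_id, role_name):
    return f"arn:aws:iam::{account_id}:role/{role_name}"

def instance_profile_arn(account_id, role_name):
    """The value copied into the VeloDB console in Step 3, item 4."""
    return f"arn:aws:iam::{account_id}:instance-profile/{role_name}"

def permissions_policy(bucket):
    """The Step 2 policy with <YOUR-BUCKET-NAME> filled in."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": f"arn:aws:s3:::{bucket}", "Action": BUCKET_ACTIONS},
        {"Effect": "Allow", "Resource": f"arn:aws:s3:::{bucket}/*", "Action": OBJECT_ACTIONS},
        {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": "*"},
    ]}

def trust_policy(account_id, role_name, self_assuming=True):
    """The Step 3 trust policy. Create the role with self_assuming=False first
    (IAM rejects an AWS principal ARN that does not exist yet), then update the
    trust relationship with the self-assuming version, as the page does."""
    principal = {"Service": "ec2.amazonaws.com"}
    if self_assuming:
        principal["AWS"] = role_arn(account_id, role_name)
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}]}

def check_permissions_policy(policy, bucket):
    """Findings for a rendered Step 2 policy; [] means it matches the page's shape."""
    scoped = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        actions, resources = _as_list(stmt["Action"]), _as_list(stmt["Resource"])
        for r in resources:
            if "<YOUR-" in r:
                findings.append(f"statement {i}: placeholder left in {r}")
            elif any(a.startswith("s3:") for a in actions) and r not in scoped:
                findings.append(f"statement {i}: S3 access not limited to {bucket}: {r}")
    return findings

def wildcard_resource_actions(policy):
    """Actions granted on Resource "*". In the page's policy that is only
    sts:AssumeRole; an assume still needs the target role's trust policy to allow it."""
    return [a for stmt in policy["Statement"] if "*" in _as_list(stmt["Resource"])
            for a in _as_list(stmt["Action"])]

def check_trust_policy(policy, account_id, role_name):
    """Findings for a Step 3 trust policy: only EC2 and the role itself may assume it."""
    expected, findings = role_arn(account_id, role_name), []
    for i, stmt in enumerate(policy["Statement"]):
        principal = stmt["Principal"]
        if principal.get("Service") != "ec2.amazonaws.com":
            findings.append(f"statement {i}: service principal is not ec2.amazonaws.com")
        findings += [f"statement {i}: unexpected AWS principal {arn}"
                     for arn in _as_list(principal.get("AWS", [])) if arn != expected]
    return findings

def render_documents(bucket, account_id, role_name):
    """Validate inputs (basic checks only) and return the JSON documents keyed by file name."""
    if not re.fullmatch(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]", bucket):
        raise ValueError(f"not a valid S3 bucket name: {bucket!r}")
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError(f"AWS account id must be 12 digits: {account_id!r}")
    docs = {"permissions.json": permissions_policy(bucket),
            "trust-initial.json": trust_policy(account_id, role_name, self_assuming=False),
            "trust-self.json": trust_policy(account_id, role_name)}
    return {name: json.dumps(doc, indent=2) for name, doc in docs.items()}

if __name__ == "__main__":
    for name, text in render_documents(BUCKET, ACCOUNT_ID, ROLE_NAME).items():
        with open(name, "w", encoding="utf-8") as fh:
            fh.write(text)
    print("instance profile ARN:", instance_profile_arn(ACCOUNT_ID, ROLE_NAME))
```

The three files it writes map onto the console steps when you use the AWS CLI instead: `aws iam create-policy --policy-name VeloDBDataStorageAccess --policy-document file://permissions.json`, `aws iam create-role --role-name VeloDBDataStorageAccessRole --assume-role-policy-document file://trust-initial.json`, `aws iam attach-role-policy --role-name VeloDBDataStorageAccessRole --policy-arn <ARN returned by create-policy>`, then `aws iam create-instance-profile --instance-profile-name VeloDBDataStorageAccessRole` and `aws iam add-role-to-instance-profile --instance-profile-name VeloDBDataStorageAccessRole --role-name VeloDBDataStorageAccessRole` (the console creates the instance profile for you when you pick the EC2 use case; the CLI does not), and finally `aws iam update-assume-role-policy --role-name VeloDBDataStorageAccessRole --policy-document file://trust-self.json`. The two-stage trust policy matches the page's order: the self-referencing principal can only be added once the role exists.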