Cloud Service Authentication
Overview
When accessing a service on the cloud, we need to provide the credentials needed to access the service so that the service can be authenticated by IAM of cloud vendors.
AWS
Now Doris support two types of authentication to access AWS service.
Catalog Credentials
When access Glue though Iceberg Catalog, we can access tables on Glue by filling in the following properties:
-- Using access key and secret key
CREATE CATALOG glue2 PROPERTIES (
"type"="iceberg",
"iceberg.catalog.type" = "glue",
"glue.endpoint" = "https://glue.us-east-1.amazonaws.com/",
"client.credentials-provider" = "com.amazonaws.glue.catalog.credentials.ConfigAWSProvider",
"client.credentials-provider.glue.access_key" = "ak",
"client.credentials-provider.glue.secret_key" = "sk"
);
System Credentials
For applications running on AWS resources, such as EC2 instances, this approach enhances security by avoiding hardcoded credentials.
If we create the Catalog but not fill any Credentials in properties, the DefaultAWSCredentialsProviderChain
will be used to read in the system environment variables or instance profile.
For details about how to configure environment variables and system properties, see: AWS CLI .
- The configurable environment variables are:
AWS_ACCESS_KEY_ID
、AWS_SECRET_ACCESS_KEY
、AWS_SESSION_TOKEN
、AWS_ROLE_ARN
、AWS_WEB_IDENTITY_TOKEN_FILE
and so on. - In addition, you can also use aws configure to configure Credentials, the Credentials file will be written to the
~/.aws
directory.