Configuring STS for Data Fabric

Describes how to configure the AWS role and enable STS when you import an external S3 object store into the global namespace of the HPE Ezmeral Data Fabric.

Enabling STS is a two-step process:
  1. Configure the role in your AWS environment. See Configuring a Role for Data Fabric in AWS.
  2. Use the maprcli command to import the external AWS S3 object store. See Using the clustergroup addexternal Command to Import the AWS S3 Object Store.

Configuring a Role for Data Fabric in AWS

Before importing an external S3 object store into the global namespace, you must configure your AWS environment as follows. In AWS:
  1. Create an external identity provider, being sure to select the type as OIDC:

  2. Click Get thumbprint to get the thumbprint.
  3. Follow the steps in the link to verify the thumbprint belongs to the Keycloak instance.
  4. Set the Audience field to edf-client, and click Add provider.
  5. Navigate to create role, and select the Web identity role type:

  6. Select the identity provider that you created in the previous step, select the Audience as edf-client, and click Next.
  7. Assign the permission policies that are applicable for this role. Any entity assuming this role will have these permissions:

  8. Click Next.
  9. Provide a name, verify the configuration, and then click Create role.
  10. Navigate to the newly created role to get its ARN. You must provide the ARN when you use the maprcli command to import AWS S3 into the global namespace by using STS:
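The AWS console steps above produce two JSON documents (the role's trust policy and the permission policy from step 7) and one value you copy out (the role ARN for the maprcli command in the next section). The following Python script is an added example, not part of the HPE documentation or the Data Fabric product: it builds the trust policy for a Web identity role restricted to tokens from one OIDC provider carrying the aud claim edf-client, builds a bucket-scoped read-only permission policy, checks a trust policy for the usual mistakes (missing aud condition, wildcard principal), derives the role ARN to pass to -awswebidrolearn, and shows how the thumbprint from step 2 is computed so you can compare it with a value obtained independently from the Keycloak host. The account ID, Keycloak issuer URL, bucket name and sample certificate bytes are constructed placeholders; only the audience value edf-client comes from the page.

```python
"""Added example (not HPE or Data Fabric code): trust policy, permission
policy, role ARN and thumbprint helpers for the Web identity role above.

Constructed placeholders: ACCOUNT_ID, KEYCLOAK_ISSUER, BUCKET, SAMPLE_DER.
The audience value edf-client is the one the documentation specifies.
"""
import base64
import hashlib
import json
import ssl
from urllib.parse import urlparse

AUDIENCE = "edf-client"                                              # from the page
ACCOUNT_ID = "123456789012"                                          # constructed
KEYCLOAK_ISSUER = "https://keycloak.example.com/realms/datafabric"   # assumed issuer URL
BUCKET = "example-df-bucket"                                         # constructed


def provider_path(issuer_url: str) -> str:
    """AWS names an OIDC provider by the issuer URL without the scheme
    (e.g. keycloak.example.com/realms/datafabric). That string is the tail
    of the provider ARN and the prefix of the role's condition keys."""
    u = urlparse(issuer_url)
    if u.scheme != "https":
        raise ValueError("OIDC issuer must be served over https")
    return u.netloc + u.path.rstrip("/")


def build_trust_policy(account_id: str, issuer_url: str, audience: str) -> dict:
    """Trust policy for a Web identity role: only tokens issued by this
    provider AND carrying the expected aud claim may assume the role."""
    path = provider_path(issuer_url)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{path}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {f"{path}:aud": audience}},
        }],
    }


def build_s3_readonly_policy(bucket: str) -> dict:
    """Permission policy for step 7, scoped to a single bucket (least privilege).
    Every token that assumes the role gets exactly these rights."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def trust_policy_problems(policy: dict, expected_audience: str) -> list:
    """Return a list of findings for a trust policy; empty means it is tight."""
    problems = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if not isinstance(principal, dict) or principal.get("AWS") == "*":
            problems.append("wildcard or malformed principal")
            continue
        fed = principal.get("Federated", "")
        if not fed.startswith("arn:aws:iam::") or ":oidc-provider/" not in fed:
            problems.append("principal is not an OIDC provider ARN")
            continue
        path = fed.split(":oidc-provider/", 1)[1]
        aud = st.get("Condition", {}).get("StringEquals", {}).get(f"{path}:aud")
        if aud is None:
            problems.append("missing aud condition: any token from the issuer could assume the role")
        elif aud != expected_audience:
            problems.append(f"aud condition is {aud!r}, expected {expected_audience!r}")
    return problems


def role_arn(account_id: str, role_name: str) -> str:
    """The value step 10 has you copy and pass to -awswebidrolearn."""
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def thumbprint_from_pem(pem: str) -> str:
    """Steps 2 and 3: the thumbprint is the SHA-1 of the DER-encoded
    certificate, shown as 40 upper-case hex characters. Compute it from a
    certificate you fetched from the Keycloak host yourself and compare it
    with what the console shows before clicking Add provider."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha1(der).hexdigest().upper()


# Constructed sample: NOT a real certificate, just bytes wrapped in PEM armor
# so the thumbprint helper can be exercised offline.
SAMPLE_DER = b"constructed bytes, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    tp = build_trust_policy(ACCOUNT_ID, KEYCLOAK_ISSUER, AUDIENCE)
    print(json.dumps(tp, indent=2))
    print("trust policy findings:", trust_policy_problems(tp, AUDIENCE))
    print(json.dumps(build_s3_readonly_policy(BUCKET), indent=2))
    print("role ARN for -awswebidrolearn:", role_arn(ACCOUNT_ID, "Keycloak-webid-s3-readonly"))
```

The aud condition is what ties the role to Data Fabric: without it, any token minted by the same Keycloak realm for any other client would also satisfy the trust policy. Run trust_policy_problems against the policy the console generated before attaching broad permissions in step 7.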

Using the clustergroup addexternal Command to Import the AWS S3 Object Store

Starting with release 7.7.0, the maprcli clustergroup addexternal command is enhanced with a new option to support STS-based access. The command, which is used to import external S3 servers, includes a new -awswebidrolearn option. To enable STS when you run the command, you must:
  • Specify the -awswebidrolearn option
  • Set the -type option to s3
  • Set the -s3vendor option to aws

When you use these settings, Data Fabric ignores the provided access key and secret key and ensures that S3 access for the server is achieved through STS using the specified -awswebidrolearn.

The following example command configures an external S3 object store to use STS access:
maprcli clustergroup addexternal -type s3 -s3vendor aws -awswebidrolearn 'arn:aws:iam::74601xxxxxxx:role/Keycloak-webid-s3-readonly'

Related maprcli Commands

To implement the features described on this page, Data Fabric relies on the following maprcli command. A link to this command is provided for general reference. For more information, see maprcli Commands in This Guide.