Configuring STS for Data Fabric
Describes how to configure the AWS role and enable STS when you import an external S3 object store into the global namespace of the HPE Ezmeral Data Fabric.
Enabling STS is a two-step process:
- Configure the role in your AWS environment. See Configuring a Role for Data Fabric in AWS.
- Use the maprcli command to import the external AWS S3 object store. See Using the clustergroup addexternal Command to Import the AWS S3 Object Store.
Configuring a Role for Data Fabric in AWS
Before importing an external S3 object store into the global namespace, you must configure your AWS environment as follows. In AWS:
- Create an external identity provider, being sure to select the type as OIDC:
  - Click Get thumbprint to get the thumbprint.
  - Follow the steps in the link to verify that the thumbprint belongs to the Keycloak instance.
  - Set the Audience field to edf-client, and click Add provider.
- Navigate to create role, and select the Web identity role type:
  - Select the identity provider that you created in the previous step, select the Audience as edf-client, and click Next.
  - Assign the permission policies that are applicable for this role. Any entity assuming this role will have these permissions.
  - Click Next.
  - Provide a name, verify the configuration, and then click create role.
- Navigate to the newly created role to get its ARN.
You must provide the ARN when you use the maprcli command to import AWS S3 into the global namespace by using STS.
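As an added example (not part of the HPE documentation), the following Python builds the trust policy that such a Web identity role carries and, going one step beyond the page, reviews an existing trust policy for the two settings that keep the role from being assumed with the wrong token: the federated principal is your OIDC provider, and the aud claim is pinned to edf-client. The account ID and the Keycloak issuer host are constructed placeholders, and the policy layout assumed is the standard AWS trust-policy form for sts:AssumeRoleWithWebIdentity.

```python
import json

# Constructed placeholders for the example, not real account or host values.
ACCOUNT_ID = "123456789012"
# Keycloak realm issuer without the https:// scheme, as AWS names OIDC providers.
ISSUER_HOST = "keycloak.example.internal/realms/datafabric"
AUDIENCE = "edf-client"


def provider_arn(account_id: str, issuer_host: str) -> str:
    """ARN that AWS assigns to an OIDC identity provider."""
    return f"arn:aws:iam::{account_id}:oidc-provider/{issuer_host}"


def build_trust_policy(account_id: str, issuer_host: str, audience: str) -> dict:
    """Trust policy for the Web identity role: only tokens issued by this
    provider and bearing aud == audience may call AssumeRoleWithWebIdentity."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn(account_id, issuer_host)},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {f"{issuer_host}:aud": audience}},
        }],
    }


def trust_policy_findings(policy: dict, issuer_host: str, audience: str) -> list:
    """Review a trust policy (e.g. the one returned by `aws iam get-role`) and
    return the problems found; an empty list means every web-identity statement
    is pinned to this provider and this audience."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not (
                "sts:AssumeRoleWithWebIdentity" in actions or "sts:*" in actions):
            continue
        principal = stmt.get("Principal", {})
        federated = principal.get("Federated", "") if isinstance(principal, dict) else principal
        if not str(federated).endswith(f":oidc-provider/{issuer_host}"):
            findings.append(f"principal is not the expected provider: {federated!r}")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get(f"{issuer_host}:aud")
        if aud is None:
            findings.append("no StringEquals condition on aud: any audience accepted")
        elif aud != audience:
            findings.append(f"aud is {aud!r}, expected {audience!r}")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(ACCOUNT_ID, ISSUER_HOST, AUDIENCE)
    print(json.dumps(policy, indent=2))  # document for `aws iam create-role`
    print(trust_policy_findings(policy, ISSUER_HOST, AUDIENCE))  # []
```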
Using the clustergroup addexternal Command to Import the AWS S3 Object Store
Starting with release 7.7.0, the maprcli clustergroup addexternal command is enhanced with a new option to support STS-based access. The command, which is used to import external S3 servers, includes a new -awswebidrolearn option. To enable STS when you run the command, you must:
- Specify the -awswebidrolearn option
- Set the -type option to s3
- Set the -s3vendor option to aws
When you use these settings, Data Fabric ignores the provided access key and secret key and ensures that S3 access for the server is achieved through STS using the specified -awswebidrolearn.
The following example command configures an external S3 object store to use STS access:
maprcli clustergroup addexternal -type s3 -s3vendor aws -awswebidrolearn 'arn:aws:iam::74601xxxxxxx:role/Keycloak-webid-s3-readonly'
Related maprcli Commands
To implement the features described on this page, Data Fabric relies on the following maprcli command. A link to this command is provided for general reference. For more information, see maprcli Commands in This Guide.