Credential Vending
Credential Vending provides temporary, down-scoped credentials for secure access to Unity Catalog securables. It uses CredentialOperations to vend credentials that grant temporary access to the assets (data) stored in the following cloud object storages:
- Amazon S3
- Microsoft Azure
- Google Cloud
Privileges
Credential Vending supports the following privileges:
- SELECT
- UPDATE
Permissions
Privileges is a synonym of Permissions.
Amazon S3
For UC OSS to work with S3, you need an IAM role that has access to the bucket (you give the ARN of that role, and the bucket, in the server properties), and you also need a user that can assume that role (you provide the credentials of that user in the properties).
In order to properly down-scope vended credentials (when asking for credentials to a specific table, etc.), we need to be able to assume a role that has broader bucket access. The scoped credentials are derived from that role, so a request for one table never yields more than the caller is allowed to reach.
UC OSS doesn't yet support more advanced AWS access methods, such as identity federation.
And later Alex wrote:
you need to set a roleArn in the server.properties that has access to the bucket AND which the instance profile attached to the server can assume. This is how scoped AWS credentials work (you need to assume a role that has access to the bucket in order to give scoped temporary credentials).
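The following is an added illustration of the mechanism described above, not Unity Catalog's own code: the server uses its own AWS identity to assume the configured roleArn, attaching an inline session policy that limits the resulting temporary credentials to one table's S3 prefix and to the actions implied by the requested privileges. The mapping of SELECT and UPDATE to S3 actions, the role ARN, the table location and the FakeStsClient are all constructed for the example; with a real client you would pass boto3.client("sts") instead.

```python
import json
from urllib.parse import urlparse

# Assumed mapping of Unity Catalog privileges to S3 actions (not taken from the page):
# SELECT = read-only, UPDATE = read plus write.
ACTIONS_BY_PRIVILEGE = {
    "SELECT": ["s3:GetObject", "s3:ListBucket"],
    "UPDATE": ["s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:DeleteObject"],
}


def build_session_policy(table_location: str, privileges) -> dict:
    """Build the IAM session policy that down-scopes the assumed role to one table prefix.

    A session policy can only further restrict what the role already allows,
    so the role itself must have the broader bucket access the page describes.
    """
    parsed = urlparse(table_location)
    if parsed.scheme != "s3" or not parsed.netloc:
        raise ValueError(f"not an s3:// location: {table_location}")
    bucket = parsed.netloc
    prefix = parsed.path.strip("/")

    actions = set()
    for privilege in privileges:
        if privilege not in ACTIONS_BY_PRIVILEGE:
            raise ValueError(f"unsupported privilege: {privilege}")
        actions.update(ACTIONS_BY_PRIVILEGE[privilege])
    object_actions = sorted(a for a in actions if a != "s3:ListBucket")

    object_resource = f"arn:aws:s3:::{bucket}/{prefix}/*" if prefix else f"arn:aws:s3:::{bucket}/*"
    list_statement = {
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": f"arn:aws:s3:::{bucket}",
    }
    if prefix:
        # Listing is allowed only under the table prefix, not across the whole bucket.
        list_statement["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}/*", prefix]}}

    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": object_actions, "Resource": object_resource},
            list_statement,
        ],
    }


def vend_credentials(sts_client, role_arn: str, table_location: str, privileges, duration_seconds: int = 900) -> dict:
    """Assume role_arn with the down-scoped session policy and return short-lived credentials.

    sts_client is anything with boto3's assume_role signature; the server's own
    identity (user credentials or instance profile) must be trusted by the role.
    """
    policy = build_session_policy(table_location, privileges)
    response = sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName="uc-credential-vending",
        Policy=json.dumps(policy),
        DurationSeconds=duration_seconds,  # STS minimum is 900 seconds
    )
    creds = response["Credentials"]
    return {
        "access_key_id": creds["AccessKeyId"],
        "secret_access_key": creds["SecretAccessKey"],
        "session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],
    }


class FakeStsClient:
    """Constructed stand-in for boto3's STS client so the example runs offline.

    It records each assume_role call and returns fixed placeholder credentials.
    """

    def __init__(self):
        self.calls = []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        return {
            "Credentials": {
                "AccessKeyId": "ASIAEXAMPLEKEY",        # placeholder, not a real key
                "SecretAccessKey": "example-secret",   # placeholder
                "SessionToken": "example-session-token",
                "Expiration": "2024-01-01T00:15:00Z",
            }
        }


if __name__ == "__main__":
    fake = FakeStsClient()
    vended = vend_credentials(
        fake,
        role_arn="arn:aws:iam::123456789012:role/uc-bucket-access",  # constructed example ARN
        table_location="s3://example-bucket/warehouse/db/tbl",       # constructed table location
        privileges=["SELECT"],
    )
    print(json.dumps(json.loads(fake.calls[0]["Policy"]), indent=2))
    print(vended["expiration"])
```

Running the block prints the session policy that was sent to STS; the GetObject statement covers only `warehouse/db/tbl/*`, and the ListBucket statement carries an `s3:prefix` condition, which is the practical meaning of "down-scoped" in the text above.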