IAM authentication

To access the file system for staging data on Amazon S3, you can either specify the access key, secret key, and the Amazon S3 property name, each separated by a semicolon in the additional properties in the Hive connection, or you can use IAM authentication.
You can configure IAM authentication for the Secure Agent that runs on an Amazon Elastic Compute Cloud (EC2) system for secure and controlled access to Amazon S3 resources.
When you configure an IAM role, Hive Connector by default uses the IAM role to access the staging directory on Amazon S3.

Configure IAM authentication

Before you connect to Hive using IAM authentication, you must configure IAM authentication on EC2. You can use Hive connections configured for IAM authentication in both mappings and mappings in advanced mode.
    1 Create an IAM role. For more information about creating the IAM role, see the AWS documentation.
    2 After you create the IAM role, assign the following policy to the IAM role:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor2",
          "Effect": "Allow",
          "Action": [
            "s3:GetBucketLocation",
            "s3:GetEncryptionConfiguration",
            "s3:ListBucket",
            "s3:PutObject",
            "s3:GetObjectAcl",
            "s3:GetObject",
            "s3:PutObjectAcl",
            "s3:DeleteObject",
            "s3:Delete*",
            "s3:Put*",
            "s3:ListBucketMultipartUploads",
            "s3:AbortMultipartUpload"
          ],
          "Resource": [
            "arn:aws:s3:::<hive-staging-bucket-name>/*",
            "arn:aws:s3:::<hive-staging-bucket-name>"
          ]
        }
      ]
    }
    3 Create an EC2 instance. Assign the IAM role that you created in step 2 to the EC2 instance.
    4 Install the Secure Agent on the EC2 system.
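
The policy used in both procedures on this page mixes explicit actions with the wildcards s3:Put* and s3:Delete*, and its Resource list includes the bucket ARN itself. The following Python check is an added example, not part of the original documentation: it reports which explicit actions the wildcards already cover and which bucket-level actions they also allow. The names lint and BUCKET_LEVEL_SAMPLE are made up for illustration, the sample list is constructed and not exhaustive, and the statement ID is written under the standard IAM "Sid" key.

```python
from fnmatch import fnmatchcase

BUCKET = "arn:aws:s3:::<hive-staging-bucket-name>"  # placeholder, as on the page
POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor2", "Effect": "Allow",
    "Action": [
        "s3:GetBucketLocation", "s3:GetEncryptionConfiguration",
        "s3:ListBucket", "s3:PutObject", "s3:GetObjectAcl", "s3:GetObject",
        "s3:PutObjectAcl", "s3:DeleteObject", "s3:Delete*", "s3:Put*",
        "s3:ListBucketMultipartUploads", "s3:AbortMultipartUpload",
    ],
    "Resource": [BUCKET + "/*", BUCKET],
}]}

# Constructed sample of bucket-level S3 actions (assumption: not the full list).
BUCKET_LEVEL_SAMPLE = [
    "s3:PutBucketPolicy", "s3:PutBucketAcl", "s3:PutEncryptionConfiguration",
    "s3:DeleteBucket", "s3:DeleteBucketPolicy",
]

def _as_list(value):
    # IAM allows a single string or object where a list is expected.
    return [value] if isinstance(value, (str, dict)) else list(value)

def _matches(pattern, action):
    # IAM action names are case-insensitive; '*' and '?' are the wildcards.
    return fnmatchcase(action.lower(), pattern.lower())

def lint(policy, probes=BUCKET_LEVEL_SAMPLE):
    """Return one finding per Allow statement that uses wildcard actions."""
    findings = []
    for st in _as_list(policy["Statement"]):
        actions = _as_list(st.get("Action", []))
        wild = [a for a in actions if "*" in a or "?" in a]
        if st.get("Effect") != "Allow" or not wild:
            continue
        covered = lambda a: any(_matches(w, a) for w in wild)
        # A bucket ARN has no '/' after the bucket name; object ARNs do.
        on_bucket = any("/" not in r.split(":::", 1)[-1]
                        for r in _as_list(st.get("Resource", [])))
        findings.append({
            "sid": st.get("Sid"),
            "wildcards": wild,
            "redundant": [a for a in actions if a not in wild and covered(a)],
            "extra_bucket_actions": [p for p in probes if on_bucket and covered(p)],
        })
    return findings

if __name__ == "__main__":
    print(lint(POLICY))
```

An empty result means the statement grants only the actions it names; a non-empty extra_bucket_actions list is the part to review against what the staging directory needs.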

Configure IAM authentication for a Hive connection to run mappings in advanced mode

Before you connect to Hive using IAM authentication from a mapping in advanced mode, you must have the following IAM roles to manage an advanced cluster:
Note: Kops role is the default. Master and worker roles are not mandatory if you want to work only with the Kops role.
For more information about these roles, see the Advanced Cluster help.
To use IAM authentication for a Hive Connector to run mappings in advanced mode, perform the following tasks for the advanced cluster:
    1 Create IAM roles. For more information, see the topic "Create IAM roles" in the Advanced Cluster help.
    2 After you create the IAM role, you must assign the following policy to the IAM role:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor2",
          "Effect": "Allow",
          "Action": [
            "s3:GetBucketLocation",
            "s3:GetEncryptionConfiguration",
            "s3:ListBucket",
            "s3:PutObject",
            "s3:GetObjectAcl",
            "s3:GetObject",
            "s3:PutObjectAcl",
            "s3:DeleteObject",
            "s3:Delete*",
            "s3:Put*",
            "s3:ListBucketMultipartUploads",
            "s3:AbortMultipartUpload"
          ],
          "Resource": [
            "arn:aws:s3:::<hive-staging-bucket-name>/*",
            "arn:aws:s3:::<hive-staging-bucket-name>"
          ]
        }
      ]
    }
    3 Log in to Informatica Intelligent Cloud Services and, from Administrator, navigate to the System Configuration Details, select Elastic Server as the service, and add the ARN of the Kops role that you created: