To configure and use metadata table scan for Amazon S3, you must assign specific AWS permissions to the IAM user whose credentials are used to create the S3 object storage instance. These permissions enable Commvault Cloud to create and manage S3 metadata tables, integrate with AWS Lake Formation, and access metadata reports.
AWS Lake Formation Configuration
Configure AWS Lake Formation in each region where your S3 buckets are located.
Add IAM User as Lake Formation Administrator
For each region:
- Open the AWS console and navigate to AWS Lake Formation.
- Go to Administrative roles and tasks.
- Click Add administrators.
- Add the IAM user whose credentials are used for the S3 object storage configuration.
This grants the necessary permissions to manage S3 Tables and metadata table configurations.
Grant Access to S3 Tables
After configuring Lake Formation administrators, grant permissions to access the journal and S3 metadata tables for your S3 buckets.
Procedure
- On the AWS console, go to AWS Lake Formation.
- Under Choose catalog, select the aws-s3 catalog.
- Click on the journal table for the respective bucket.
- Under the Actions tab, select Grant permissions.
- Grant the necessary permissions to your IAM user.
Repeat this process for each bucket where metadata table scan will be enabled.
Required IAM Policy
Add the following IAM policy to the IAM user whose credentials are used to create the S3 object storage instance. This policy provides the necessary permissions for S3 metadata tables, S3 Tables, AWS Glue, Amazon Athena, and AWS Lake Formation.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3MetadataTablePermissions",
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucketMetadataTableConfiguration",
                "s3:DeleteBucketMetadataTableConfiguration",
                "s3:GetBucketMetadataTableConfiguration",
                "s3:UpdateBucketMetadataInventoryTableConfiguration",
                "s3:UpdateBucketMetadataJournalTableConfiguration"
            ],
            "Resource": "*"
        },
        {
            "Sid": "S3TablesPermissions",
            "Effect": "Allow",
            "Action": [
                "s3tables:CreateNamespace",
                "s3tables:CreateTable",
                "s3tables:CreateTableBucket",
                "s3tables:PutTablePolicy",
                "s3tables:PutTableEncryption",
                "s3tables:DeleteTableBucket",
                "s3tables:GetTable"
            ],
            "Resource": "*"
        },
        {
            "Sid": "GluePermissions",
            "Effect": "Allow",
            "Action": [
                "glue:PassConnection",
                "glue:GetDatabase",
                "glue:GetDatabases",
                "glue:GetTable",
                "glue:GetTables",
                "glue:CreateTable",
                "glue:UpdateTable",
                "glue:DeleteTable",
                "glue:GetCatalog"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AthenaPermissions",
            "Effect": "Allow",
            "Action": [
                "athena:StartQueryExecution",
                "athena:GetQueryExecution",
                "athena:GetQueryResults",
                "athena:StopQueryExecution",
                "athena:ListWorkGroups",
                "athena:GetWorkGroup"
            ],
            "Resource": "*"
        },
        {
            "Sid": "LakeFormationAndKMSPermissions",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey",
                "lakeformation:RegisterResource",
                "lakeformation:RegisterResourceWithPrivilegedAccess",
                "lakeformation:DescribeResource"
            ],
            "Resource": "*"
        }
    ]
}
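Before attaching a policy like the one above, it is worth checking that a candidate policy still grants every action the scan needs after an administrator has trimmed or scoped it, and listing which statements still use "Resource": "*" so they can be narrowed where your environment allows. The following script is an added example, not Commvault's or AWS's code. It takes the action list from the policy on this page as the requirement, evaluates a constructed candidate policy with IAM-style wildcard matching (case-insensitive, with * and ?), reports actions no Allow statement covers, reports actions an explicit Deny would override, and lists Allow statements with a wildcard resource. The candidate policy, its Sids and the KMS key ARN in it are constructed placeholders; statements that use NotAction are not evaluated.

```python
"""Check a candidate IAM policy against the actions required for S3
metadata table scan and flag wildcard resources for least-privilege review.

Added example; REQUIRED_ACTIONS is copied from the policy on this page,
CANDIDATE_POLICY is a constructed sample (placeholder ARN and Sids)."""
import fnmatch
import json

# Action names from the page's policy, in the same order as its statements.
REQUIRED_ACTIONS = [
    "s3:CreateBucketMetadataTableConfiguration",
    "s3:DeleteBucketMetadataTableConfiguration",
    "s3:GetBucketMetadataTableConfiguration",
    "s3:UpdateBucketMetadataInventoryTableConfiguration",
    "s3:UpdateBucketMetadataJournalTableConfiguration",
    "s3tables:CreateNamespace", "s3tables:CreateTable",
    "s3tables:CreateTableBucket", "s3tables:PutTablePolicy",
    "s3tables:PutTableEncryption", "s3tables:DeleteTableBucket",
    "s3tables:GetTable",
    "glue:PassConnection", "glue:GetDatabase", "glue:GetDatabases",
    "glue:GetTable", "glue:GetTables", "glue:CreateTable",
    "glue:UpdateTable", "glue:DeleteTable", "glue:GetCatalog",
    "athena:StartQueryExecution", "athena:GetQueryExecution",
    "athena:GetQueryResults", "athena:StopQueryExecution",
    "athena:ListWorkGroups", "athena:GetWorkGroup",
    "kms:Decrypt", "kms:DescribeKey",
    "lakeformation:RegisterResource",
    "lakeformation:RegisterResourceWithPrivilegedAccess",
    "lakeformation:DescribeResource",
]

# Constructed candidate: uses wildcards, omits athena:GetQueryResults,
# scopes KMS to one placeholder key, and adds a Deny that conflicts.
CANDIDATE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "S3AndTables", "Effect": "Allow",
     "Action": ["s3:*MetadataTableConfiguration",
                "s3:UpdateBucketMetadata*TableConfiguration", "s3tables:*"],
     "Resource": "*"},
    {"Sid": "Glue", "Effect": "Allow", "Action": "glue:*", "Resource": "*"},
    {"Sid": "Athena", "Effect": "Allow",
     "Action": ["athena:StartQueryExecution", "athena:GetQueryExecution",
                "athena:StopQueryExecution", "athena:ListWorkGroups",
                "athena:GetWorkGroup"],
     "Resource": "*"},
    {"Sid": "KmsAndLf", "Effect": "Allow",
     "Action": ["kms:Decrypt", "kms:DescribeKey", "lakeformation:*"],
     "Resource": ["arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"]},
    {"Sid": "NoDeleteBucket", "Effect": "Deny",
     "Action": "s3tables:DeleteTableBucket", "Resource": "*"}
  ]
}""")


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _matches(action, pattern):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _patterns(policy, effect):
    """All Action patterns from statements with the given Effect."""
    out = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == effect:
            out.extend(_as_list(stmt.get("Action")))
    return out


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Required actions that no Allow statement grants."""
    allows = _patterns(policy, "Allow")
    return [a for a in required if not any(_matches(a, p) for p in allows)]


def denied_actions(policy, required=REQUIRED_ACTIONS):
    """Required actions an explicit Deny overrides (Deny wins in IAM)."""
    denies = _patterns(policy, "Deny")
    return [a for a in required if any(_matches(a, p) for p in denies)]


def wildcard_resource_sids(policy):
    """Sids of Allow statements whose Resource is '*' (candidates to scope)."""
    return [stmt.get("Sid", "<no Sid>")
            for stmt in _as_list(policy.get("Statement"))
            if stmt.get("Effect") == "Allow"
            and "*" in _as_list(stmt.get("Resource"))]


def check_policy(policy, required=REQUIRED_ACTIONS):
    """Full report: missing, denied, and wildcard-resource findings."""
    return {
        "missing": missing_actions(policy, required),
        "denied": denied_actions(policy, required),
        "wildcard_resource": wildcard_resource_sids(policy),
    }


if __name__ == "__main__":
    for key, items in check_policy(CANDIDATE_POLICY).items():
        print(f"{key}: {items if items else 'none'}")
```

Run against the page's own policy, missing and denied both come back empty and every Sid is listed under wildcard_resource, which is the prompt to decide, per statement, whether the KMS key, table bucket or Glue catalog ARNs in your account can be named instead of "*". The check is a static one: it does not replace testing the attached policy with the IAM policy simulator or a real scan run.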