Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Optimize usage of External ID #18947

Merged
merged 2 commits into from
Oct 9, 2024
Merged

Optimize usage of External ID #18947

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d3859a9
Optimize usage of External ID
ideascf Sep 19, 2024
5f9cab9
Update tidb-cloud/config-s3-and-gcs-access.md
ideascf Oct 9, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions tidb-cloud/config-s3-and-gcs-access.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ To allow TiDB Cloud to access the source data in your Amazon S3 bucket, you need

Configure the bucket access for TiDB Cloud and get the Role ARN as follows:

1. In the [TiDB Cloud console](https://tidbcloud.com/), get the TiDB Cloud account ID and external ID of the target TiDB cluster.
1. In the [TiDB Cloud console](https://tidbcloud.com/), get the corresponding TiDB Cloud account ID and external ID of the target TiDB cluster.

1. Navigate to the [**Clusters**](https://tidbcloud.com/console/clusters) page of your project.

Expand Down Expand Up @@ -117,7 +117,7 @@ Configure the bucket access for TiDB Cloud and get the Role ARN as follows:

- Under **Trusted entity type**, select **AWS account**.
- Under **An AWS account**, select **Another AWS account**, and then paste the TiDB Cloud account ID to the **Account ID** field.
- Under **Options**, click **Require external ID (Best practice when a third party will assume this role)**, and then paste the TiDB Cloud External ID to the **External ID** field. If the role is created without "Require external ID", once the configuration is done for one TiDB cluster in a project, all TiDB clusters in that project can use the same Role ARN to access your Amazon S3 bucket. If the role is created with the account ID and external ID, only the corresponding TiDB cluster can access the bucket.
- Under **Options**, click **Require external ID** to avoid the [confused deputy problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html), and then paste the TiDB Cloud External ID to the **External ID** field. If the role is created without "Require external ID", anyone with your S3 bucket URI and IAM role ARN might be able to access your Amazon S3 bucket. If the role is created with both the account ID and external ID, only TiDB clusters running in the same project and the same region can access the bucket.

3. Click **Next** to open the policy list, choose the policy you just created, and then click **Next**.
4. Under **Role details**, set a name for the role, and then click **Create role** in the lower-right corner. After the role is created, the list of roles is displayed.
Expand Down
Loading