About Using Amazon Resource Names (ARNs) to Access AWS Resources

When you use ARN role-based authentication with Autonomous Database, you can securely access AWS resources without creating and storing credentials based on long-term AWS IAM access keys.

For example, you may want to load data from an AWS S3 bucket into your Autonomous Database, perform some operation on the data, and then write the modified data back to the S3 bucket. You can do this without using an ARN if you have AWS user credentials to access the S3 bucket. However, using role-based ARNs to access AWS resources from Autonomous Database has the following benefits:

  • You can create role-based access, with different policies for different users or schemas that need access to AWS resources from an Autonomous Database instance. This lets you limit access to AWS resources by role, for example with a policy that grants a role read-only access to an S3 bucket.
  • ARN-based credentials provide better security because you do not need to embed long-term AWS user credentials in code to access AWS resources. Autonomous Database manages the temporary credentials generated by the AWS AssumeRole operation.

About Steps to Configure ARN Usage with Autonomous Database

Before creating a credential using an ARN in Autonomous Database, in AWS, your account administrator must define a policy that allows you to access AWS resources, such as an S3 bucket. By default, ARN credential services are not enabled on Autonomous Database. The ADMIN user enables ARN credentials for each user who needs them, which allows those users to create and use ARN credentials on the Autonomous Database instance.

In AWS, the role ARN is the identifier for the provided access and can be viewed on the AWS console. For added security, when the AWS administrator configures the role, policies, and trust relationship for the AWS account, they must also configure an "External ID" in the role's trust relationship.

Note:

Setting the External ID is required for security.

The External ID provides additional protection when assuming roles. You configure the External ID as one of the following: the Autonomous Database compartment OCID, database OCID, or tenancy OCID. On AWS, the role can only be assumed by trusted users identified by the External ID included in the request URL; the External ID supplied in the request must match the External ID configured in the role's trust relationship.

The following figure outlines the configuration steps:

[Figure adb_arn_config_steps.png: ARN configuration steps]

For details on the steps to configure Autonomous Database to access AWS resources, see the following:

  • Prerequisite steps on Autonomous Database: On Autonomous Database you must enable the ADMIN user or another user to use credentials with ARN parameters to access AWS resources.

    See Perform Autonomous Database Prerequisites to Use Amazon ARNs for more information.

  • Prerequisite steps in the AWS Account: In your AWS account, from the AWS Management Console or using the CLI, create the roles and policies for the ARN that you use with Autonomous Database, and update the trust relationship for the role. The Oracle user ARN is configured when the trust relationship for the role is updated.

    See Perform AWS Management Prerequisites to Use Amazon Resource Names (ARNs) for more information.

About Steps to Use ARNs with DBMS_CLOUD

Each AWS resource has its own identity, and the resource authenticates with the Autonomous Database instance using a DBMS_CLOUD credential that you create with parameters that identify the ARN. Autonomous Database creates and secures the principal credentials you use to access AWS resources.

To create a credential with ARN parameters to access AWS resources:

  • Create credentials with DBMS_CLOUD.CREATE_CREDENTIAL and supply the parameters that identify an AWS role. Using the credential object, Autonomous Database can access AWS resources as specified in the policies defined for the role in the AWS account.

  • Use the credential object you created in the previous step with a DBMS_CLOUD procedure or function that takes a credential parameter, such as DBMS_CLOUD.COPY_DATA or DBMS_CLOUD.LIST_OBJECTS.

See Create Credentials with ARN Parameters to Access AWS Resources for details on these steps.
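The two steps above written out as PL/SQL, as an added example rather than code from the Oracle documentation. The credential name, role ARN, bucket URL and region are placeholders; the parameter names aws_role_arn and external_id_type are the DBMS_CLOUD.CREATE_CREDENTIAL ARN parameters from the DBMS_CLOUD reference, not from this page.

```sql
-- Step 1: create a credential that identifies an AWS role instead of storing
-- long-term IAM access keys. Autonomous Database obtains temporary credentials
-- through AssumeRole each time the credential is used.
BEGIN
  DBMS_CLOUD.CREATE_CREDENTIAL(
    credential_name => 'AWS_ARN_CRED',                          -- placeholder name
    params          => JSON_OBJECT(
      -- Placeholder role ARN; copy the real value from the AWS console.
      'aws_role_arn'     VALUE 'arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>',
      -- Which OCID Autonomous Database sends as the External ID. It must be the
      -- same OCID the AWS administrator placed in the role's trust relationship
      -- (sts:ExternalId condition); if they differ, AssumeRole is denied.
      -- Other accepted values: 'compartment_ocid', 'tenant_ocid'.
      'external_id_type' VALUE 'database_ocid'
    )
  );
END;
/

-- Step 2: use the credential with any DBMS_CLOUD routine that takes one.
-- Listing the bucket is a cheap check that the role, its policy, the trust
-- relationship and the External ID all line up before loading data.
SELECT object_name, bytes, last_modified
  FROM DBMS_CLOUD.LIST_OBJECTS(
         credential_name => 'AWS_ARN_CRED',
         location_uri    => 'https://<BUCKET_NAME>.s3.<REGION>.amazonaws.com/'  -- placeholder
       );
```

If the listing fails with an access-denied error while the same role works from the AWS CLI, the External ID in the trust relationship is the first thing to compare against the OCID type chosen in external_id_type.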