tS3Connection
tS3Connection Standard properties
These properties are used to configure tS3Connection running in the Standard Job framework.
The Standard tS3Connection component belongs to the Cloud family.
The component in this framework is available in all Talend products.
Basic settings
Access Key |
The Access Key ID that uniquely identifies an |
Secret Key |
The Secret Access Key, constituting the security To enter the secret key, click the […] button next to |
Inherit credentials from AWS |
Select this check box to obtain AWS security credentials |
Assume Role |
If you temporarily need some access permissions associated Ensure that access to this role has been
For an example about an IAM role and its related policy types, see Create and Manage AWS IAM Roles from the AWS |
Region |
Specify the AWS region by selecting a region name from the |
Encrypt |
Select this check box and from the Key type drop-down list displayed,
select one of the following three options for encrypting the data on the client-side before sending to Amazon S3. For more information, see Protecting Data Using Client-Side Encryption.
|
Advanced settings
Use a custom region endpoint |
Select this check box to use a custom endpoint and in the field |
Config client |
Select this check box if you want to use
Client Parameter: select
Value: enter the For related information, go to Client Configuration. |
Check S3 Accessibility |
Leave this check box selected so that the component verifies the credentials to be used for this connection request to S3 before proceeding to further actions. It is recommended to use the default By Account Owner option for this verification. The By Bucket Configuration option employs an old verification approach which could significantly increase your network load in some circumstances. |
Enable Accelerate |
Select this check box to enable fast, easy and secure transfers of files over long distances between your client and an S3 bucket. To take it into account, you should enable this acceleration mode on the S3 bucket in advance. |
STS |
Select this check box and in the field displayed, specify the This service allows you to request temporary, For a list of the STS endpoints you can use, see This check box is available only when the Assume role check box is selected. |
tStatCatcher Statistics |
Select this check box to collect log data at |
Global Variables
ERROR_MESSAGE |
The error message generated by the component when an error occurs. This is an After |
Usage
Usage rule |
As a start component, this component is to be |
Dynamic settings |
Click the [+] button to add a row in the table Once a dynamic parameter is defined, the Component List box in the Basic For examples on using dynamic parameters, see Reading data from databases through context-based dynamic connections and Reading data from different MySQL databases using dynamically loaded connection parameters. For more information on Dynamic |
Creating an IAM role on AWS
- You have the appropriate rights and permissions to create a new role on AWS.
- Log in to your account on AWS and navigate to the AWS console.
- Select IAM.
- In the navigation pane of the IAM console, select Roles, and then select Create role.
- Select AWS service and in the Choose the service that will use this role section, select the AWS service to be run with your Job. For example, select Redshift.
- Select the use case to be used for this service. A use case in terms of AWS is defined by the service to include the trust policy that this service requires. Depending on the service and the use case that you selected, the available options vary. For example, with Redshift, you can choose a use case from:
  - Redshift (with a pre-defined Amazon Redshift Service Linked Role Policy);
  - Redshift – Customizable. In this use case, you are prompted to select either read-only policies or full-access policies.
- In the Role name field, enter the name to be used for the role being created.
- Select Create role.
For the full documentation about creating a role on AWS, see Role creation from the AWS documentation.
Setting up SSE KMS for your EMR cluster
SSE KMS related operations for getting started with the security configuration for EMR.
If you need the complete information about all the available EMR security configurations
provided by AWS, see Create a Security Configuration from the
Amazon documentation.
- If not yet done, go to https://console.aws.amazon.com/kms to create a customer managed CMK to be used by the SSE KMS service. For detailed instructions about how to do this, see this tutorial from the AWS documentation.
  - When adding roles, among other roles to be added depending on your security policy, you must add the EMR_EC2_DefaultRole role. The EMR_EC2_DefaultRole role allows your Jobs for Apache Spark to read or write files encrypted with SSE-KMS on S3. This role is a default AWS role that is automatically created along with the creation of your first EMR cluster. If this role and its associated policies do not exist in your account, see Use Default IAM Roles and Managed Policies from the AWS documentation.
- On the Amazon EMR page of AWS, select the Security configurations tab and click Create to open the Create security configuration view.
- Select the At-rest encryption check box to enable SSE KMS.
- Under S3 data encryption, select SSE-KMS for Encryption mode and select the CMK key mentioned at the beginning of this procedure for AWS KMS Key.
- Under Local disk encryption, select AWS KMS for Key provider type and select the CMK key mentioned at the beginning of this procedure for AWS KMS Key.
- Click Create to validate your security configuration. In real-world practice, you can also configure the other security options such as Kerberos and IAM roles for EMRFS before clicking this Create button.
- Click Clusters and once the Create Cluster page is open, click Go to advanced options to start creating the EMR cluster step by step.
- At the last step called Security, in the Authentication and encryption section, select the Security Configuration created in the previous steps.
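The console choices above correspond to an EMR security configuration JSON document. The following added example (not part of the Talend documentation) builds that document and checks a configuration against the procedure; the CMK ARN is a constructed placeholder and the function names are hypothetical.

```python
import json

# Placeholder ARN for the customer managed CMK; constructed, not from the page.
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"

def build_security_configuration(cmk_arn):
    """JSON equivalent of the console choices: SSE-KMS for S3, AWS KMS for local disks."""
    return {"EncryptionConfiguration": {
        "EnableInTransitEncryption": False,  # not covered by the procedure above
        "EnableAtRestEncryption": True,
        "AtRestEncryptionConfiguration": {
            "S3EncryptionConfiguration": {
                "EncryptionMode": "SSE-KMS", "AwsKmsKey": cmk_arn},
            "LocalDiskEncryptionConfiguration": {
                "EncryptionKeyProviderType": "AwsKms", "AwsKmsKey": cmk_arn},
        },
    }}

def at_rest_findings(config, expected_cmk):
    """Return deviations from the procedure; an empty list means the config matches it."""
    enc = config.get("EncryptionConfiguration", {})
    at_rest = enc.get("AtRestEncryptionConfiguration", {})
    s3 = at_rest.get("S3EncryptionConfiguration", {})
    disk = at_rest.get("LocalDiskEncryptionConfiguration", {})
    findings = []
    if enc.get("EnableAtRestEncryption") is not True:
        findings.append("at-rest encryption is not enabled")
    if s3.get("EncryptionMode") != "SSE-KMS":
        findings.append("S3 encryption mode is %r, expected SSE-KMS" % s3.get("EncryptionMode"))
    if disk.get("EncryptionKeyProviderType") != "AwsKms":
        findings.append("local disk key provider is not AwsKms")
    for name, section in (("S3", s3), ("local disk", disk)):
        if section.get("AwsKmsKey") != expected_cmk:
            findings.append("%s does not use the expected CMK" % name)
    return findings

# Constructed counter-example: SSE-S3 instead of SSE-KMS, no local disk encryption.
WEAK_CONFIG = {"EncryptionConfiguration": {
    "EnableInTransitEncryption": False, "EnableAtRestEncryption": True,
    "AtRestEncryptionConfiguration": {
        "S3EncryptionConfiguration": {"EncryptionMode": "SSE-S3"}}}}

if __name__ == "__main__":
    print(json.dumps(build_security_configuration(CMK_ARN), indent=2))
    print(at_rest_findings(WEAK_CONFIG, CMK_ARN))
```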
Setting up SSE KMS for your S3 bucket
- Open your S3 service at https://s3.console.aws.amazon.com/.
- From the S3 bucket list, select the bucket to be used. Ensure that you have proper rights and permissions to access this bucket.
- Select the Properties tab and then Default encryption.
- Select AWS-KMS.
- Select the KMS CMK key to be used.
- Select the Permissions tab, then select Bucket Policy and enter your policy in the console. This article from AWS provides detailed explanations and a simple policy example: How to Prevent Uploads of Unencrypted Objects to Amazon S3.
- Click Save to save your policy.
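To see what a bucket policy of the kind entered in the step above does to uploads, the following added example (not part of the Talend documentation or the AWS article) evaluates a constructed two-statement Deny policy against three upload variants. The bucket name is a placeholder, the function names are hypothetical, and the evaluator models only the StringNotEquals and Null operators on the encryption header.

```python
import json

SSE_KEY = "s3:x-amz-server-side-encryption"

def deny_put(condition):
    # Constructed statement; "example-bucket" is a placeholder bucket name.
    return {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*", "Condition": condition}

# Constructed policy: deny a wrong header value and deny a missing header.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    deny_put({"StringNotEquals": {SSE_KEY: "aws:kms"}}),
    deny_put({"Null": {SSE_KEY: "true"}})]})
# Constructed weaker policy: only rejects uploads that carry no header at all.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    deny_put({"Null": {SSE_KEY: "true"}})]})

def as_list(value):
    return value if isinstance(value, list) else [value]

def condition_matches(operator, expected, header):
    """Evaluate one operator against the upload's SSE header (None = header absent)."""
    if operator == "StringNotEquals":
        # Negated operators evaluate to true when the key is absent from the request.
        return header is None or header not in as_list(expected)
    if operator == "Null":
        return (header is None) == (str(expected).lower() == "true")
    return False  # operator not modelled here: treat the statement as not matching

def put_is_denied(policy_json, header):
    """True if a Deny statement on s3:PutObject matches an upload with this header.
    Simplification: Principal and Resource are not evaluated."""
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        actions = {a.lower() for a in as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Deny" or not actions & {"s3:putobject", "s3:*", "*"}:
            continue
        if all(set(kv) == {SSE_KEY} and condition_matches(op, kv[SSE_KEY], header)
               for op, kv in stmt.get("Condition", {}).items()):
            return True
    return False

def audit(policy_json):
    """Map each upload variant to whether the policy rejects it."""
    cases = {"no header": None, "AES256": "AES256", "aws:kms": "aws:kms"}
    return {name: put_is_denied(policy_json, hdr) for name, hdr in cases.items()}

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY))
    print(audit(WEAK_POLICY))
```

With such a policy in place, a client that sends no encryption header and relies on the bucket's default encryption is rejected, so uploads must set the header explicitly.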
the following parameter about AWS signature versions to the JVM argument list of this Job:
-Dcom.amazonaws.services.s3.enableV4
For further information about AWS Signature Versions, see Specifying the Signature Version in Request Authentication.
Related scenario
For tS3Connection related scenarios, see Exchange files with Amazon S3.