S3 parameters
Use the following parameters to configure reading from S3 file systems and on-premises storage with S3-compatible APIs, using COPY. For more information about reading data from S3, see S3 Object Store.
For external tables using highly partitioned data in an object store, see the ObjectStoreGlobStrategy configuration parameter and Partitions on Object Stores.
Query the CONFIGURATION_PARAMETERS system table to determine what levels (node, session, user, database) are valid for a given parameter.- AWSAuth
- ID and secret key for authentication. For extra security, do not store credentials in the database; use ALTER SESSION...SET PARAMETER to set this value for the current session only. If you use a shared credential, you can set it in the database with ALTER DATABASE...SET PARAMETER. For example:
=> ALTER SESSION SET AWSAuth='ID:secret';
In AWS, these arguments are named AccessKeyID and SecretAccessKey.
To use admintools
create_db
orrevive_db
for Eon Mode on-premises, create a configuration file calledauth_params.conf
with these settings:AWSAuth = key:secret AWSEndpoint = IP:port
- AWSCAFile
File name of the TLS server certificate bundle to use. Setting this parameter overrides the Vertica default CA bundle path specified in the SystemCABundlePath parameter.
If set, this parameter overrides the Vertica default CA bundle path specified in the SystemCABundlePath parameter.
=> ALTER DATABASE DEFAULT SET AWSCAFile = '/etc/ssl/ca-bundle.pem';
Default: system-dependent
- AWSCAPath
Path Vertica uses to look up TLS server certificates. The file name of the TLS server certificate bundle to use.
If set, this parameter overrides the Vertica default CA bundle path specified in the SystemCABundlePath parameter.
=> ALTER DATABASE DEFAULT SET AWSCAPath = '/etc/ssl/';
Default: system-dependent
- AWSEnableHttps
Boolean, specifies whether to use the HTTPS protocol when connecting to S3, can be set only at the database level with ALTER DATABASE. If you choose not to use TLS, this parameter must be set to 0.
Default: 1 (enabled)
- AWSEndpoint
- Endpoint to use when interpreting S3 URLs, set as follows.
Important
Do not includehttp(s)://
for AWS endpoints.-
AWS:
hostname_or_ip
:port_number
. -
AWS with a FIPS-compliant S3 Endpoint:
S3_hostname
and enable virtual addressing:Important
Do not include http(s)://AWSEndpoint = s3-fips.dualstack.us-east-1.amazonaws.com S3EnableVirtualAddressing = 1
-
On-premises/Pure: IP address of the Pure Storage server. If using admintools
create_db
orrevive_db
, create configuration fileauth_params.conf
and include these settings:awsauth = key:secret awsendpoint = IP:port
-
When AWSEndpoint is not set, the default behavior is to use virtual-hosted request URLs.
Default:
s3.amazonaws.com
-
- AWSLogLevel
- Log level, one of the following:
-
OFF
-
FATAL
-
ERROR
-
WARN
-
INFO
-
DEBUG
-
TRACE
**Default:**ERROR
-
- AWSRegion
- AWS region containing the S3 bucket from which to read files. This parameter can only be configured with one region at a time. If you need to access buckets in multiple regions, change the parameter each time you change regions.
If you do not set the correct region, you might experience a delay before queries fail because Vertica retries several times before giving up.
Default: us-east-1
- AWSSessionToken
- Temporary security token generated by running the
get-session-token
command, which generates temporary credentials you can use to configure multi-factor authentication.Set this parameter in a user session using ALTER SESSION. You can set this parameter at the database level, but be aware that session tokens are temporary. When the token expires, any attempt to access AWS fails.
Note
If you use session tokens at the session level, you must set all parameters at the session level, even if some of them are set at the database level. Use ALTER SESSION to set session parameters. - AWSStreamingConnectionPercentage
- Controls the number of connections to the communal storage that Vertica uses for streaming reads. In a cloud environment, this setting helps prevent streaming data from communal storage using up all available file handles. It leaves some file handles available for other communal storage operations.
Due to the low latency of on-premises object stores, this option is unnecessary for an Eon Mode database that uses on-premises communal storage. In this case, disable the parameter by setting it to 0.
- S3BucketConfig
- Contains S3 bucket configuration information as a JSON object with the following properties. Each property other than the bucket name has a corresponding configuration parameter (shown in parentheses). If both the property in S3BucketConfig and the configuration parameter are set, the S3BucketConfig property takes precedence.
Properties:
-
bucket
: Name of the bucket -
region
(AWSRegion): Name of the region -
protocol
(AWSEnableHttps): Connection protocol, eitherhttp
orhttps
-
endpoint
(AWSEndpoint): Endpoint URL or IP address -
enableVirtualAddressing
(S3BucketCredentials): Whether to rewrite the S3 URL to use a virtual hosted path -
requesterPays
(S3RequesterPays): Whether requester (instead of bucket owner) pays the cost of accessing data on the bucket -
serverSideEncryption
(S3ServerSideEncryption): Encryption algorithm if using SSE-S3 or SSE-KMS, one ofAES256
,aws:kms
, or an empty string -
sseCustomerAlgorithm
(S3SseCustomerAlgorithm): Encryption algorithm if using SSE-C; must beAES256
-
sseCustomerKey
(S3SseCustomerKey): Key if using SSE-C encryption, either 32-character plaintext or 44-character base64-encoded -
sseKmsKeyId
(S3SseKmsKeyId): Key ID if using SSE-KMS encryption
The configuration properties for a given bucket might differ based on its type. For example, the following S3BucketConfig is for an AWS bucket
AWSBucket
and a Pure Storage bucketPureStorageBucket
.AWSBucket
doesn't specify an endpoint, so Vertica uses the value of AWSEndpoint, which defaults tos3.amazonaws.com
:ALTER DATABASE DEFAULT SET S3BucketConfig= '[ { "bucket": "AWSBucket", "region": "us-east-2", "protocol": "https", "requesterPays": true }, { "bucket": "PureStorageBucket", "endpoint": "pure.mycorp.net:1234", "protocol": "http", "enableVirtualAddressing": false } ]';
-
- S3BucketCredentials
- Contains credentials for accessing an S3 bucket. Each property in S3BucketCredentials has an equivalent parameter (shown in parentheses). When set, S3BucketCredentials takes precedence over both AWSAuth and AWSSessionToken.
Providing credentials for more than one bucket authenticates to them simultaneously, allowing you to perform cross-endpoint joins, export from one bucket to another, etc.
Properties:
-
bucket
: Name of the bucket -
accessKey
: Access key for the bucket (theID
in AWSAuth) -
secretAccessKey
: Secret access key for the bucket (thesecret
in AWSAuth) -
sessionToken
: Session token, only used when S3BucketCredentials is set at the session level (AWSSessionToken)
For example, the following S3BucketCredentials is for an AWS bucket
AWSBucket
and a Pure Storage bucketPureStorageBucket
and sets all possible properties:ALTER SESSION SET S3BucketCredentials=' [ { "bucket": "AWSBucket", "accessKey": "<AK0>", "secretAccessKey": "<SAK0>", "sessionToken": "1234567890" }, { "bucket": "PureStorageBucket", "accessKey": "<AK1>", "secretAccessKey": "<SAK1>" } ]';
This parameter is only visible to the superuser. Users can set this parameter at the session level with ALTER SESSION.
-
- S3EnableVirtualAddressing
- Boolean, specifies whether to rewrite S3 URLs to use virtual-hosted paths. For example, if you use AWS, the S3 URLs change to
bucketname.s3.amazonaws.com
instead ofs3.amazonaws.com/bucketname
. This configuration setting takes effect only when you have specified a value for AWSEndpoint.If you set AWSEndpoint to a FIPS-compliant S3 Endpoint, you must enable S3EnableVirtualAddressing in auth_params.conf:
AWSEndpoint = s3-fips.dualstack.us-east-1.amazonaws.com S3EnableVirtualAddressing = 1
The value of this parameter does not affect how you specify S3 paths.
Default: 0 (disabled)
Note
As of September 30, 2020, AWS requires virtual address paths for newly created buckets. - S3RequesterPays
- Boolean, specifies whether requester (instead of bucket owner) pays the cost of accessing data on the bucket. When true, the bucket owner is only responsible for paying the cost of storing the data, rather than all costs associated with the bucket; must be set in order to access S3 buckets configured as Requester Pays buckets. By setting this property to true, you are accepting the charges for accessing data. If not specified, the default value is false.
- S3ServerSideEncryption
- String, encryption algorithm to use when reading or writing to S3. The value depends on which type of encryption at rest is configured for S3:
-
AES256
: Use for SSE-S3 encryption -
aws:kms
: Use for SSE-KMS encryption -
Empty string (
""
): No encryption
SSE-C encryption does not use this parameter. Instead, see S3SseCustomerAlgorithm.
For details on using SSE parameters, see S3 object store.
Default:
""
(no encryption) -
- S3SseCustomerAlgorithm
- String, the encryption algorithm to use when reading or writing to S3 using SSE-C encryption. The only supported values are
AES256
and""
.For SSE-S3 and SSE-KMS, instead use S3ServerSideEncryption.
Default:
""
(no encryption) - S3SseCustomerKey
- If using SSE-C encryption, the client key for S3 access.
- S3SseKmsKeyId
- If using SSE-KMS encryption, the key identifier (not the key) to pass to the Key Management Server. Vertica must have permission to use the key, which is managed through KMS.