# Configure Cross-account Catalog to Access AWS Hive Metastore

To connect your e6data Workspace to a Hive Metastore and S3 data source in a different cloud account, please follow the steps below:

{% hint style="info" %}
This guide assumes:

* the e6data Workspace (clusters/compute) is installed in a cloud account named <mark style="color:purple;">**Account A.**</mark>
* the AWS Glue metastore & S3 data stores are located in a different cloud account named <mark style="color:green;">**Account B.**</mark>
* Both <mark style="color:purple;">**Account A**</mark> & <mark style="color:green;">**Account B**</mark> are in the same AWS region.
  {% endhint %}

### Step 1: Create policies to access Hive & S3 data sources in <mark style="color:green;">**Account B**</mark>

1. Sign in to the <mark style="color:green;">**Account B**</mark> AWS Console.
2. Search for **IAM.**
3. In the navigation pane, choose **Roles**.
4. Click **Create role**.
5. Under **Select type of trusted entity**, choose **AWS account**.
6. Click on **Another AWS account** to enter the **Account ID**.
7. Enter the account ID of <mark style="color:purple;">**Account A**</mark>.
8. Click **Next: Permissions**.
9. Attach the below policy to the role.
10. In the policy, replace the example bucket ARN with the ARN of the S3 bucket/s containing the data.

**S3 & Hive Policy**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::EXAMPLE-BUCKET/*",
        "arn:aws:s3:::EXAMPLE-BUCKET"
      ],
      "Effect": "Allow"
    }
  ]
}
```

11. Click **Next: Add tags**.
12. Optional: You can add tags to the role. Or leave these fields blank, and click **Next: Review**.
13. Enter a **Role name** that follows your organization's naming convention.
14. Click **Create role**.
15. Copy the ARN of the newly created role.

### Step 2: Configure access in <mark style="color:purple;">**Account A**</mark>

* In <mark style="color:green;">**Account B**</mark>, copy the ARN of the role created in
* Sign in to the <mark style="color:purple;">**Account A**</mark> AWS Console.
* Create a policy and choose the **JSON** view.
* Replace the ARN with the ARN of the role created in <mark style="color:green;">**Account B**</mark>.
* Copy & paste the edited
* In <mark style="color:purple;">**Account A**</mark>, attach the policy created in Step 3 to:

  e6data\_engine\_role (e6data-workspace-\<workspace\_name>-engine-role)

**STS Policy**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::ACCOUNT_B_ID:role/ROLENAME"
    }
  ]
}
```
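
A pre-flight check for the two policies above, as an added example that is not part of the original guide or of e6data's tooling: it flags unreplaced placeholders, wildcard resources, S3 actions beyond the three listed, and a bucket that appears without its matching object ARN (or the reverse). The function names, account IDs and role name are assumptions constructed for illustration.

```python
import json
import re

# Bucket ARN, optionally followed by an object path; S3 bucket names are lowercase.
S3_ARN = re.compile(r"^arn:aws:s3:::([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])(/.+)?$")
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
READ_ONLY = {"s3:GetObject", "s3:ListBucket", "s3:GetObjectVersion"}  # actions in the page's policy

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_s3_policy(doc):
    """Findings for the Account B S3 policy; an empty list means it passed."""
    findings = []
    for stmt in _as_list(json.loads(doc)["Statement"]):
        extra = set(_as_list(stmt["Action"])) - READ_ONLY
        if extra:
            findings.append(f"actions beyond the read-only set: {sorted(extra)}")
        buckets, objects = set(), set()
        for arn in _as_list(stmt["Resource"]):
            match = S3_ARN.match(arn)
            if not match:
                findings.append(f"placeholder, wildcard or malformed S3 ARN: {arn}")
            else:
                (objects if match.group(2) else buckets).add(match.group(1))
        # s3:ListBucket applies to the bucket ARN, s3:GetObject to the object ARN.
        for name in sorted(buckets ^ objects):
            findings.append(f"bucket {name} needs both its bucket ARN and an object ARN")
    return findings

def lint_sts_policy(doc, account_a_id):
    """Findings for the Account A STS policy; an empty list means it passed."""
    findings = []
    for stmt in _as_list(json.loads(doc)["Statement"]):
        for arn in _as_list(stmt["Resource"]):
            match = ROLE_ARN.match(arn)
            if not match:
                findings.append(f"placeholder, wildcard or malformed role ARN: {arn}")
            elif match.group(1) == account_a_id:
                findings.append(f"role is in Account A, expected Account B: {arn}")
    return findings

# Constructed sample: the page's STS policy with the placeholders filled in.
STS_FILLED = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::222222222222:role/e6data-cross-account-read"}]})

if __name__ == "__main__":
    print(lint_sts_policy(STS_FILLED, account_a_id="111111111111"))
```

Run both functions on the edited JSON before attaching the policies; an empty list from each means no finding was raised.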
