# Configure Cross-account Catalog to Access Unity Catalog

To connect your e6data Workspace to a unity catalog and S3 data source in a different cloud account, please follow the steps below:

{% hint style="info" %}
This guide assumes:

* the e6data Workspace (clusters/compute) is installed in a cloud account named <mark style="color:purple;">**Account A.**</mark>
* the unity catalog & S3 data stores are located in a different cloud account named <mark style="color:green;">**Account B.**</mark>
* Both <mark style="color:purple;">**Account A**</mark> & <mark style="color:green;">**Account B**</mark> are in the same AWS region.
  {% endhint %}

### Step 1: Create policies to access S3 data sources in <mark style="color:green;">**Account B**</mark>

1. Sign in to the <mark style="color:green;">**Account B**</mark> AWS Console.
2. Search for **IAM.**
3. In the navigation pane, choose **Roles**.
4. Click **Create role**.
5. Under **Select type of trusted entity**, choose **AWS account**.
6. Click on **Another AWS account** to enter the **Account ID**.
7. Enter the account ID of <mark style="color:purple;">**Account A**</mark><mark style="color:blue;">.</mark>
8. Click **Next: Permissions**.
9. Attach the below policy to the role.
10. Replace the ARN of the S3 bucket/s containing the data.&#x20;

**S3 & Hive Policy**

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::EXAMPLE-BUCKET/*",
        "arn:aws:s3:::EXAMPLE-BUCKET"
      ],
      "Effect": "Allow"
    }
  ]
}
```

* Click **Next: Add tags**.
* Optional: You can add tags to the role. Or leave these fields blank, and click **Next: Review**.
* Enter a **Role name** that follows your organization's naming convention.
* Click **Create role**.

1. Copy the ARN of the newly created role.

Step 2: Configure access in <mark style="color:purple;">**Account A**</mark>

* In <mark style="color:green;">**Account B**</mark>, copy the ARN of the role created in
* Sign in to the <mark style="color:purple;">**Account A**</mark> AWS Console.
* Create a policy and choose the **JSON** view.
* Replace the ARN with the ARN of the role created in <mark style="color:green;">**Account B**</mark>.
* Copy & paste the edited
* In <mark style="color:purple;">**Account A**</mark>, attach the policy created in Step 3 to:

  e6data\_engine\_role (e6data-workspace-\<workspace\_name>-engine-role)

**STS Policy**&#x20;

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::ACCOUNT_B_ID:role/ROLENAME"
    }
  ]
}
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.e6data.com/product-documentation/catalogs/create-catalogs/cross-account-catalog-access/configure-cross-account-catalog-to-access-unity-catalog.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.