How to Enable S3 Cloud Storage in Hue

CDH 5.9.0 added support for Amazon S3 in Hue using Cloudera Manager safety valves.

CDH 5.10.0 connects Hue securely with the Cloudera S3 Connector Service (in Kerberized clusters).

Enable S3 in Hue with the S3 Connector Service

The Cloudera S3 Connector service is the preferred method of connecting Hue to Amazon S3. It requires a secure cluster with Kerberos and Sentry and connects to an AWS account with access keys.



  1. Log on to Cloudera Manager.
  2. Select Administration > AWS Credentials and click Add.
  3. Select Access Key Authentication and add any Name.
    1. To connect your AWS root user, add the Access Key ID and Secret Access Key for your root account.
    2. To connect an IAM user, add the Access Key ID and Secret Access Key for a read-only IAM account.
  4. Click Enable for <cluster name> to give Hue access to S3 and S3-backed tables. Impala must have permissions defined in Sentry.
  5. Click Continue (at Step ) if your cluster passes validation. You are automatically taken to step 5.
  6. Click Continue (at Step ) to restart Hive, Impala, Oozie, and Hue.
  7. When finished, click Home to see the S3 Connector.

  8. If using IAM roles, set the region to us-east-1 in hue_safety_valve.ini. If not, ignore this step.
    1. Select Configuration > Advanced Configuration Snippets.
    2. Filter by Scope > Hue.
    3. Set Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini with the following:
      [aws]
      [[aws_accounts]]
      [[[default]]]
      region=us-east-1
    4. Click Save Changes.
    5. Restart Hue: select Cluster > Hue and Actions > Restart.

Related topics: How to Configure AWS Credentials and Configuring the Amazon S3 Connector.

Enable S3 in Hue with Safety Valves

This section assumes an AWS account with access keys, but not necessarily a Kerberized cluster.

You can connect to S3 using three safety valves (also known as Advanced Configuration Snippets):
  • Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini
  • Cluster-wide Advanced Configuration Snippet (Safety Valve) for core-site.xml
  • Hive Service Advanced Configuration Snippet (Safety Valve) for core-site.xml.


  1. Log on to Cloudera Manager and select Clusters > your cluster.
  2. Select Configuration > Advanced Configuration Snippets.
  3. Filter by Scope > Hue.
  4. Set your S3 credentials in Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini:
    [aws]
    [[aws_accounts]]
    [[[default]]]
    access_key_id_script=</path/to/access_key_script>
    secret_access_key_script=</path/to/secret_key_script>
    #security_token=<your AWS security token>
    allow_environment_credentials=false
    region=<your region, such as us-east-1> 
    For a proof-of-concept installation, you can add the IDs directly.
    access_key_id=<your_access_key_id>
    secret_access_key=<your_secret_access_key>
  5. Clear the scope filters and search on "core-site.xml".
  6. To enable the S3 Browser, set your S3 credentials in Cluster-wide Advanced Configuration Snippet (Safety Valve) for core-site.xml:
    <property>
    <name>fs.s3a.access.key</name>
    <value>AWS access key ID</value>
    </property>
    
    <property>
    <name>fs.s3a.secret.key</name>
    <value>AWS secret key</value>
    </property>
  7. To enable Hive with S3, set your S3 credentials in Hive Service Advanced Configuration Snippet (Safety Valve) for core-site.xml.
  8. Click Save Changes.
  9. Restart Hue: select Cluster > Hue and Actions > Restart.
  10. Restart Hive: select Cluster > Hive and Actions > Restart.

Related topics: How to Configure Security for Amazon S3.

Generate Access Keys in AWS

To integrate Hue with S3, you must have an Amazon Web Services (AWS) account , with access keys for either your root user or a read-only IAM user.

Root Account

  1. Create an AWS account and sign in to the AWS Console.
  2. Create access keys for this AWS root account:
    1. Expand the drop-down menu under your account name and select My Security Credentials.
    2. Click Continue to Security Credentials.
    3. Expand Access Keys (Access Key ID and Secret Access Key).
    4. Click Create New Access Key.
    5. Click Show Access Key or Download Key File. These are your AWS root credentials.

IAM Account

  1. Create two IAM groups (AWS admin and S3 Read-only):
    1. Go to the IAM service.
    2. Click Groups and Create New Group.
    3. Enter a name and click Next Step.
    4. Filter on "admin" and select the AdministratorAccess policy.
    5. Click Next Step and Create Group.
    6. Create a second group with AmazonS3ReadOnlyAccess.
  2. Create two IAM users and assign one to the admin policy and one to the S3 read policy.
    1. Click Users and Add User.
    2. Enter a name, and at a minimum, select Programmatic access.
    3. Click Next: Permissions.
    4. Select the group with administrator permissions.
    5. Click Next: Review and Create User.
    6. Create a second user and assign the group with S3 read-only access.
  3. Create access keys for your read-only IAM user:
    1. Click the name of your read-only IAM user.
    2. Click the Security Credentials tab.
    3. Click Create Access Key.
    4. Click Show Access Key or Download Key File. These are your IAM user credentials.