Optimize usage of External ID
ideascf committed Oct 9, 2024
1 parent ecc0850 commit d3859a9
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions tidb-cloud/config-s3-and-gcs-access.md
@@ -21,7 +21,7 @@ To allow TiDB Cloud to access the source data in your Amazon S3 bucket, you need

Configure the bucket access for TiDB Cloud and get the Role ARN as follows:

1. In the [TiDB Cloud console](https://tidbcloud.com/), get the TiDB Cloud account ID and external ID of the target TiDB cluster.
1. In the [TiDB Cloud console](https://tidbcloud.com/), get the corresponding TiDB Cloud account ID and external ID of the target TiDB cluster.

1. Navigate to the [**Clusters**](https://tidbcloud.com/console/clusters) page of your project.
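Review bot: the new wording "the corresponding TiDB Cloud account ID and external ID" does not say what the IDs correspond to, and the sentence already ends with "of the target TiDB cluster", so "corresponding" adds ambiguity rather than precision. The second hunk of this same commit states that a role created with these values can be used by "the TiDB clusters running in your same project and same region", so the IDs are scoped to a project and region rather than to one cluster; suggest saying that here so the two hunks agree, e.g. "get the TiDB Cloud account ID and the external ID shown for the target TiDB cluster (these values are shared by the clusters in the same project and region)".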

@@ -117,7 +117,7 @@ Configure the bucket access for TiDB Cloud and get the Role ARN as follows:

- Under **Trusted entity type**, select **AWS account**.
- Under **An AWS account**, select **Another AWS account**, and then paste the TiDB Cloud account ID to the **Account ID** field.
- Under **Options**, click **Require external ID (Best practice when a third party will assume this role)**, and then paste the TiDB Cloud External ID to the **External ID** field. If the role is created without "Require external ID", once the configuration is done for one TiDB cluster in a project, all TiDB clusters in that project can use the same Role ARN to access your Amazon S3 bucket. If the role is created with the account ID and external ID, only the corresponding TiDB cluster can access the bucket.
- Under **Options**, click **Require external ID (To avoid [Confused Deputy Problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html))**, and then paste the TiDB Cloud External ID to the **External ID** field. If the role is created without "Require external ID", other users having your S3 bucket URI and IAM role ARN may be able to access your Amazon S3 bucket. If the role is created with the account ID and external ID, only the TiDB clusters running in your same project and same region can access the bucket.

3. Click **Next** to open the policy list, choose the policy you just created, and then click **Next**.
4. Under **Role details**, set a name for the role, and then click **Create role** in the lower-right corner. After the role is created, the list of roles is displayed.
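Review bot: the bolded text in this step is the label of an AWS console option, and the new "Require external ID (To avoid Confused Deputy Problem)" is not what the console shows; the removed line carried the verbatim label "Require external ID (Best practice when a third party will assume this role)", and a reader matching the instruction against the console will not find the new wording. Suggest keeping the console label verbatim in bold and moving the link into a following sentence, e.g. "Requiring an external ID protects against the [confused deputy problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html)." The risk sentence could also be more precise: because the trusted entity configured two bullets above is the TiDB Cloud account, the party that can assume a role created without an external ID is not an arbitrary user but TiDB Cloud itself acting for another TiDB Cloud user who knows your role ARN, which is exactly the confused deputy case the link describes; stating it that way makes it clear why the external ID, rather than keeping the ARN secret, is the mitigation.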