Working with Amazon Web Services Data Exchange datashares as a producer - Amazon Redshift
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Working with Amazon Web Services Data Exchange datashares as a producer

If you are a producer cluster administrator, follow these steps to manage Amazon Web Services Data Exchange datashares on the Amazon Redshift console:

  1. Create datashares in your cluster to share data on Amazon Web Services Data Exchange and grant access to Amazon Web Services Data Exchange to the datashares.

    Cluster superuser and database owners can create datashares. Each datashare is associated with a database during creation. Only objects from that database can be shared in that datashare. Multiple datashares can be created on the same database with the same or different granularity of objects. There is no limit on the number of datashares you can create on a cluster.

    You can also use the Amazon Redshift console to create datashares. For more information, see Creating datashares.

    Use the MANAGEDBY ADX option to implicitly grant access of the datashare to Amazon Web Services Data Exchange when running the CREATE DATASHARE statement. This indicates that Amazon Web Services Data Exchange manages this datashare. You can only use the MANAGEDBY ADX option when you create a new datashare. You can't use the ALTER DATASHARE statement to modify an existing datashare to add the MANAGEDBY ADX option. Once a datashare is created with the MANAGEDBY ADX option, only Amazon Web Services Data Exchange can access and manage the datashare.

    CREATE DATASHARE salesshare [[SET] MANAGEDBY [=] {ADX} ];
  2. Add objects to the datashares. Producer administrator continues to manage datashare objects that are available in an Amazon Web Services Data Exchange datashare.

    To add objects to a datashare, add the schema before adding objects. When you add a schema, Amazon Redshift doesn't add all the objects under it. You must add them explicitly. For more information, see ALTER DATASHARE.


    You can also add views to a datashare.

    CREATE VIEW public.sales_data_summary_view AS SELECT * FROM public.tickit_sales_redshift; ALTER DATASHARE salesshare ADD TABLE public.sales_data_summary_view;

    Use ALTER DATASHARE to share schemas, and tables, views, and functions in a given schema. Superusers, datashare owners, or users who have ALTER or ALL permissions on the datashare can alter the datashare to add objects to or remove objects from it. Users should have the permissions to add or remove objects from the datashare. Users should also be the owners of the objects or have SELECT, USAGE, or ALL permissions on the objects.

    Use the INCLUDENEW clause to add any new tables, views, or SQL user-defined functions (UDFs) created in a specified schema to the datashare. Only superusers can change this property for each datashare-schema pair.


    You can also use the Amazon Redshift console to add or remove objects from datashares. For more information, see Adding datashare objects to datashares, Removing datashare objects from datashares, and Editing Amazon Web Services Data Exchange datashares.

  3. To authorize access to the datashares for Amazon Web Services Data Exchange, do one of the following:

    • Explicitly authorize access to the datashare for Amazon Web Services Data Exchange by using the ADX keyword in the aws redshift authorize-data-share API. This allows Amazon Web Services Data Exchange to recognize the datashare in the service account and manage associating consumers to the datashare.

      aws redshift authorize-data-share --data-share-arn arn:aws:redshift:us-east-1:{PRODUCER_ACCOUNT}:datashare:{PRODUCER_CLUSTER_NAMESPACE}/salesshare --consumer-identifier ADX

      You can use a conditional key ConsumerIdentifier for the AuthorizeDataShare and DeauthorizeDataShare APIs to explicitly allow or deny Amazon Web Services Data Exchange to make calls to the two APIs in the IAM policy.

      { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Deny", "Action": [ "redshift:AuthorizeDataShare", "redshift:DeauthorizeDataShare" ], "Resource": "*", "Condition": { "StringEqualsIgnoreCase": { "redshift:ConsumerIdentifier": "ADX" } } } ] }
    • Use the Amazon Redshift console to authorize or remove authorization of Amazon Web Services Data Exchange datashares. For more information, see Authorizing or removing authorization from datashares.

    • Optionally, you can implicitly authorize access to the Amazon Web Services Data Exchange datashare when importing the datashare into an Amazon Web Services Data Exchange dataset.

    To remove authorization for access to the Amazon Web Services Data Exchange datashares, use the ADX keyword in the aws redshift deauthorize-data-share API operation. By doing this, you allow Amazon Web Services Data Exchange to recognize the datashare in the service account and manage removing association from the datashare.

    aws redshift deauthorize-data-share --data-share-arn arn:aws:redshift:us-east-1:{PRODUCER_ACCOUNT}:datashare:{PRODUCER_CLUSTER_NAMESPACE}/salesshare --consumer-identifier ADX
  4. List datashares created in the cluster and look into the contents of the datashare.

    The following example displays the information of a datashare named salesshare. For more information, see DESC DATASHARE and SHOW DATASHARES.

    DESC DATASHARE salesshare; producer_account | producer_namespace | share_type | share_name | object_type | object_name | include_new -------------------+--------------------------------------+------------+------------+-------------+--------------------------------+------------------- 123456789012 | 13b8833d-17c6-4f16-8fe4-1a018f5ed00d | OUTBOUND | salesshare | table | public.tickit_users_redshift | 123456789012 | 13b8833d-17c6-4f16-8fe4-1a018f5ed00d | OUTBOUND | salesshare | table | public.tickit_venue_redshift | 123456789012 | 13b8833d-17c6-4f16-8fe4-1a018f5ed00d | OUTBOUND | salesshare | table | public.tickit_category_redshift| 123456789012 | 13b8833d-17c6-4f16-8fe4-1a018f5ed00d | OUTBOUND | salesshare | table | public.tickit_date_redshift | 123456789012 | 13b8833d-17c6-4f16-8fe4-1a018f5ed00d | OUTBOUND | salesshare | table | public.tickit_event_redshift | 123456789012 | 13b8833d-17c6-4f16-8fe4-1a018f5ed00d | OUTBOUND | salesshare | table | public.tickit_listing_redshift | 123456789012 | 13b8833d-17c6-4f16-8fe4-1a018f5ed00d | OUTBOUND | salesshare | table | public.tickit_sales_redshift | 123456789012 | 13b8833d-17c6-4f16-8fe4-1a018f5ed00d | OUTBOUND | salesshare | schema | public | t 123456789012 | 13b8833d-17c6-4f16-8fe4-1a018f5ed00d | OUTBOUND | salesshare | view | public.sales_data_summary_view |

    The following example displays the outbound datashares in a producer cluster.


    The output looks similar to the following.

    share_name | share_owner | source_database | consumer_database | share_type | createdate | is_publicaccessible | share_acl | producer_account | producer_namespace -----------+--------------+-----------------+-------------------+------------+---------------------+----------------------+-----------+------------------+--------------------------------------- salesshare | 100 | dev | | OUTBOUND | 2020-12-09 02:27:08 | True | | 123456789012 | 13b8833d-17c6-4f16-8fe4-1a018f5ed00d

    For more information, see DESC DATASHARE and SHOW DATASHARES.

    You can also use SVV_DATASHARES, SVV_DATASHARE_CONSUMERS, and SVV_DATASHARE_OBJECTS to view the datashares, the objects within the datashare, and the datashare consumers.

  5. Drop datashares. We recommend that you don't delete an Amazon Web Services Data Exchange datashare shared to other Amazon Web Services accounts using the DROP DATASHARE statement. Those accounts will lose access to the datashare. This action is irreversible. This might breach data product offer terms in Amazon Web Services Data Exchange. If you want to delete an Amazon Web Services Data Exchange datashare, see DROP DATASHARE usage notes.

    The following example drops a datashare named salesshare.

    DROP DATASHARE salesshare; ERROR: Drop of ADX-managed datashare salesshare requires session variable datashare_break_glass_session_var to be set to value '620c871f890c49'

    To allow dropping an Amazon Web Services Data Exchange datashare, set the datashare_break_glass_session_var variable and run the DROP DATASHARE statement again. If you want to delete an Amazon Web Services Data Exchange datashare, see DROP DATASHARE usage notes.

    You can also use the Amazon Redshift console to delete datashares. For more information, see Deleting Amazon Web Services Data Exchange datashares created in your account.

  6. Use ALTER DATASHARE to remove objects from datashares at any point from the datashare. Use REVOKE USAGE ON to revoke permissions on the datashare to certain consumers. It revokes USAGE permissions on objects within a datashare and instantly stops access to all consumer clusters. Listing datashares and the metadata queries, such as listing databases and tables, doesn't return the shared objects after access is revoked.

    ALTER DATASHARE salesshare REMOVE TABLE public.tickit_sales_redshift;

    You can also use the Amazon Redshift console to edit datashares. For more information, see Editing Amazon Web Services Data Exchange datashares.

  7. Grant or revoke GRANT USAGE from Amazon Web Services Data Exchange datashares. You can't grant or revoke GRANT USAGE for Amazon Web Services Data Exchange datashare. The following example shows an error when the GRANT USAGE permission is granted to an Amazon Web Services account for a datashare that Amazon Web Services Data Exchange manages.

    GRANT USAGE ON DATASHARE salesshare TO ACCOUNT '012345678910'; ERROR: Permission denied to add/remove consumer to/from datashare salesshare. Datashare consumers are managed by ADX.

    For more information, see GRANT or REVOKE.

If you are a producer cluster administrator, follow these steps to create and publish a datashare product on the Amazon Web Services Data Exchange console: