Sharing write permissions to data across accounts (preview) - Amazon Redshift
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Sharing write permissions to data across accounts (preview)

This is prerelease documentation for the multi-data warehouse writes through data sharing feature for Amazon Redshift, which is available in public preview in the PREVIEW_2023 track. The documentation and the feature are both subject to change. We recommend that you use this feature only with test clusters, and not in production environments. For preview terms and conditions, see Beta Service Participation in Amazon Service Terms.

If you haven't created a datashare yet on the PREVIEW_2023 track, go to Sharing write access to data (Preview) to get started.

Associating shared data as the consumer data security administrator (preview)


Prerequisites: The steps in this section are performed after the producer administrator grants specific actions on the shared database objects and, if the datashare is being shared with another account, the producer security administrator authorizes access.

The consumer security administrator determines the following:

  • Whether or not all namespaces in an account, namespaces in specific regions in the account, or specific namespaces have access to the datashare.

  • If namespaces have access to the datashare, whether or not those namespaces have write permissions.

The consumer security administrator can associate the datashare using the console, the CLI, or the API. With the CLI, the administrator uses the following command:

associate-data-share-consumer --data-share-arn <value> --consumer-identifier <value> [--allow-writes | --no-allow-writes]

For more information about the command, see associate-data-share-consumer.

The consumer security administrator must explicitly set allow-writes to true when associating a datashare with a namespace to allow use of the INSERT and UPDATE commands. If they don't, users in that namespace can perform only read operations; that is, they hold only the SELECT, USAGE, and EXECUTE privileges.

You can change the association of a namespace for a datashare by calling associate-data-share-consumer again with a different value. The old association is overwritten by the new association, so if you originally associate with allow-writes, but later associate again and specify no-allow-writes, or simply omit the flag, the consumer's write permissions are revoked.

Authorizing datashares for writes as the producer security administrator (preview)


Note

This only applies when the datashare is shared between accounts.

The producer security administrator determines the following:

  • Whether or not another account can have access to the datashare.

  • If an account has access to the datashare, whether or not that account has write permissions.

The following IAM permissions are required to authorize a datashare:

redshift:AuthorizeDataShare

You can authorize usage and writes using either the CLI or the API:

authorize-data-share --data-share-arn <value> --consumer-identifier <value> [--allow-writes | --no-allow-writes]

For more information about the command, see authorize-data-share.

The consumer identifier can be either:

  • A twelve-digit Amazon account ID.

  • The namespace identifier ARN.

Note that write permissions aren't granted at the authorizing step. Authorizing a datashare for writes only allows the consumer account to receive the write permissions that the datashare administrator has granted on the shared objects. If the producer security administrator does not allow writes, the only permissions available to that consumer are SELECT, USAGE, and EXECUTE.

You can change the authorization of a datashare consumer by calling authorize-data-share again with a different value. The old authorization is overwritten by the new authorization, so if you originally authorize with allow-writes, but re-authorize and specify no-allow-writes, or simply omit the flag, the consumer's write permissions are revoked.
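Both the association step (consumer side) and the authorization step (producer side) share the same pitfall described above: a repeat call that omits the write flag silently revokes writes. The following shell wrapper is an added example, not code from the Amazon Redshift documentation or the AWS CLI; it wraps the two commands shown on this page, validates the consumer identifier against the two accepted forms (a twelve-digit account ID or a namespace ARN; the ARN shape and the datashare ARN below are assumed placeholders), and refuses to build a command unless the caller states an explicit yes/no write decision. Set DRY_RUN=1 to print the commands instead of invoking the AWS CLI.

```shell
#!/usr/bin/env bash
# Added example (not from the Amazon Redshift documentation): a thin wrapper around
# associate-data-share-consumer and authorize-data-share that makes the write
# decision explicit on every call. All ARNs and account IDs here are constructed
# placeholders; the namespace ARN prefix matched below is an assumption.

# Returns 0 when $1 is a twelve-digit account ID or a Redshift namespace ARN.
validate_consumer_identifier() {
  case "$1" in
    arn:aws:redshift:*:namespace:*) return 0 ;;   # assumed namespace ARN shape
  esac
  printf '%s' "$1" | grep -Eq '^[0-9]{12}$'
}

# Prints the CLI invocation without running it.
#   $1: subcommand (associate-data-share-consumer | authorize-data-share)
#   $2: datashare ARN   $3: consumer identifier   $4: write decision ("yes" | "no")
# The write flag is always emitted, because omitting it on a repeat call
# overwrites an earlier --allow-writes with the default (no writes).
build_datashare_cmd() {
  cmd="$1"; share_arn="$2"; consumer="$3"; writes="$4"
  case "$cmd" in
    associate-data-share-consumer|authorize-data-share) ;;
    *) echo "unknown subcommand: $cmd" >&2; return 2 ;;
  esac
  validate_consumer_identifier "$consumer" || {
    echo "consumer identifier must be a 12-digit account ID or namespace ARN: $consumer" >&2
    return 2
  }
  case "$writes" in
    yes) flag="--allow-writes" ;;
    no)  flag="--no-allow-writes" ;;
    *)   echo "write decision must be 'yes' or 'no' (got '$writes')" >&2; return 2 ;;
  esac
  printf 'aws redshift %s --data-share-arn %s --consumer-identifier %s %s\n' \
    "$cmd" "$share_arn" "$consumer" "$flag"
}

# Runs the built command, or only echoes it when DRY_RUN is set.
run_datashare_cmd() {
  cmd_line=$(build_datashare_cmd "$@") || return $?
  if [ -n "${DRY_RUN:-}" ]; then
    echo "[dry-run] $cmd_line"
  else
    eval "$cmd_line"
  fi
}

# Dry-run demonstration with constructed values: the second call replaces the
# first, so the consumer ends up without write permissions.
if [ -n "${DRY_RUN:-}" ]; then
  share="arn:aws:redshift:us-east-1:111111111111:datashare:EXAMPLE_NAMESPACE/sales_share"
  run_datashare_cmd authorize-data-share "$share" 222222222222 yes
  run_datashare_cmd authorize-data-share "$share" 222222222222 no   # revokes writes
fi
```

The wrapper deliberately has no default for the write decision: the CLI's own default (no writes) is safe, but it is also the mechanism by which a forgotten flag on a re-association or re-authorization revokes writes without any error, so forcing the caller to say "yes" or "no" turns that silent change into a visible one.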