Associating shared data as the consumer data security administrator (preview)

This is prerelease documentation for the multi-data warehouse writes through data sharing feature for Amazon Redshift, which is available in public preview in the PREVIEW_2023 track. The documentation and the feature are both subject to change. We recommend that you use this feature only with test clusters, and not in production environments. For preview terms and conditions, see Beta Service Participation in Amazon Service Terms.

If you haven't created a datashare yet on the preview track, go to Sharing both read and write data within an Amazon account or across accounts to get started.

Prerequisites: The steps in this section are performed after the producer administrator grants specific actions on the shared database objects and, if the datashare is being shared with another account, the producer security administrator authorizes access.

The consumer security administrator determines the following:

  • Whether or not all namespaces in an account, namespaces in specific regions in the account, or specific namespaces have access to the datashare.

  • If namespaces have access to the datashare, whether or not those namespaces have write permissions.

The consumer security administrator can associate the datashare through the console, the CLI, or the API. With the CLI, the administrator uses the following command:

associate-data-share-consumer --data-share-arn <value> --consumer-identifier <value> [--allow-writes | --no-allow-writes]

For more information about the command, see associate-data-share-consumer.

The consumer security administrator must explicitly set allow-writes to true when associating a datashare with a namespace to allow use of INSERT and UPDATE commands. Otherwise, users can perform only read operations, using privileges such as SELECT, USAGE, or EXECUTE.

You can change the association of a namespace for a datashare by calling associate-data-share-consumer again with a different value. The new association overwrites the old one, so if you originally associate with allow-writes set, and then associate again with no-allow-writes or without specifying a value, the consumer's write permissions are revoked.
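Because a repeated association silently replaces the write setting, it helps to compare the live associations against the intended ones after every change. The following is an added example, not part of the AWS documentation: it assumes the response shape of `describe-data-shares-for-consumer` (the `DataShareAssociations`, `Status` and `ConsumerAcceptedWrites` fields), and the function name, the `intended_writers` set and all ARNs are hypothetical placeholders.

```python
# Constructed sample shaped like the output of
# `aws redshift describe-data-shares-for-consumer`. Every ARN is a placeholder.
SHARE = "arn:aws:redshift:us-east-1:111122223333:datashare:producer-ns/sales"
NS = "arn:aws:redshift:us-east-1:444455556666:namespace:"
SAMPLE = {"DataShares": [{
    "DataShareArn": SHARE,
    "DataShareAssociations": [
        # Re-associated without --allow-writes: writes were dropped.
        {"ConsumerIdentifier": NS + "etl", "Status": "ACTIVE",
         "ConsumerAcceptedWrites": False},
        # Associated with --allow-writes although it should be read-only.
        {"ConsumerIdentifier": NS + "bi", "Status": "ACTIVE",
         "ConsumerAcceptedWrites": True},
        # Matches the intended state.
        {"ConsumerIdentifier": NS + "loader", "Status": "ACTIVE",
         "ConsumerAcceptedWrites": True},
        # No longer active, so it grants nothing and is ignored.
        {"ConsumerIdentifier": NS + "old", "Status": "DEAUTHORIZED",
         "ConsumerAcceptedWrites": True},
    ]}]}

# Hypothetical desired state: (datashare ARN, consumer) pairs allowed to write.
INTENDED_WRITERS = {(SHARE, NS + "etl"), (SHARE, NS + "loader")}


def audit_writes(response, intended_writers):
    """Return (finding, datashare ARN, consumer) for each write-setting drift."""
    findings = []
    for share in response.get("DataShares", []):
        arn = share["DataShareArn"]
        for assoc in share.get("DataShareAssociations", []):
            if assoc.get("Status") != "ACTIVE":
                continue  # only active associations give a namespace access
            consumer = assoc["ConsumerIdentifier"]
            # A missing field is treated as read-only, the default behaviour.
            writes = bool(assoc.get("ConsumerAcceptedWrites", False))
            wanted = (arn, consumer) in intended_writers
            if writes and not wanted:
                findings.append(("UNINTENDED_WRITES", arn, consumer))
            elif wanted and not writes:
                findings.append(("WRITES_DROPPED", arn, consumer))
    return findings


if __name__ == "__main__":
    for finding in audit_writes(SAMPLE, INTENDED_WRITERS):
        print(*finding)
```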