Authorizing datashares for writes as the producer security administrator (preview) - Amazon Redshift

This is prerelease documentation for the multi-data warehouse writes through data sharing feature for Amazon Redshift, which is available in public preview in the PREVIEW_2023 track. The documentation and the feature are both subject to change. We recommend that you use this feature only with test clusters, and not in production environments. For preview terms and conditions, see Beta Service Participation in Amazon Service Terms.

If you haven't created a datashare yet on the preview track, go to Sharing both read and write data within an Amazon account or across accounts to get started.

Note

This only applies when the datashare is shared between accounts.

The producer security administrator determines the following:

  • Whether or not another account can have access to the datashare.

  • If an account has access to the datashare, whether or not that account has write permissions.

The following IAM permissions are required to authorize a datashare:

redshift:AuthorizeDataShare

You can authorize usage and writes using either a CLI call or the API:

aws redshift authorize-data-share --data-share-arn <value> --consumer-identifier <value> [--allow-writes | --no-allow-writes]

For more information about the command, see authorize-data-share.

The consumer identifier can be either:

  • A twelve-digit Amazon account ID.

  • The namespace identifier ARN.

Note that write permissions aren’t granted at the authorizing step. Authorizing a datashare for writes just allows the account to have write permissions that were granted by the datashare administrator. If an administrator does not allow writes, the only permissions available to the specific consumer are SELECT, USAGE, and EXECUTE.

You can change the authorization of a datashare consumer by calling authorize-data-share again with a different value. The new authorization overwrites the old one. So if you originally authorize and allow writes, then re-authorize and specify --no-allow-writes or do not specify a value, the consumer's write permissions are revoked.
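
The following added example (not part of the Amazon Redshift documentation) builds authorize-data-share calls so that the write decision is always stated, and compares existing authorizations against an approved writer list. It goes beyond the text by reading describe-data-shares output; the sample data, the approved_writers parameter, and the loose namespace ARN check are assumptions made for the example.

```python
import re
import shlex

ACCOUNT_ID = re.compile(r"\d{12}")
# Assumption: loose shape check for a namespace ARN, not a full ARN grammar.
NAMESPACE_ARN = re.compile(r"arn:[\w-]+:redshift[\w-]*:[\w-]+:\d{12}:namespace[:/][\w-]+")
# Association states in which the producer has authorized the consumer.
AUTHORIZED_STATES = {"AUTHORIZED", "ACTIVE"}

def authorize_cmd(datashare_arn, consumer, allow_writes):
    """Build an authorize-data-share call whose write decision is always explicit."""
    if not isinstance(allow_writes, bool):
        # Leaving the flag off overwrites the old authorization and drops writes.
        raise ValueError("allow_writes must be True or False")
    if not (ACCOUNT_ID.fullmatch(consumer) or NAMESPACE_ARN.fullmatch(consumer)):
        raise ValueError(f"not an account ID or namespace ARN: {consumer!r}")
    flag = "--allow-writes" if allow_writes else "--no-allow-writes"
    return ["aws", "redshift", "authorize-data-share",
            "--data-share-arn", datashare_arn,
            "--consumer-identifier", consumer, flag]

def plan(datashare, approved_writers):
    """Return the commands that align write authorization with approved_writers."""
    cmds = []
    for assoc in datashare["DataShareAssociations"]:
        if assoc["Status"] not in AUTHORIZED_STATES:
            continue  # never re-authorize a consumer that is not currently authorized
        consumer = assoc["ConsumerIdentifier"]
        wanted = consumer in approved_writers
        if bool(assoc.get("ProducerAllowedWrites")) != wanted:
            cmds.append(authorize_cmd(datashare["DataShareArn"], consumer, wanted))
    return cmds

# Constructed sample, shaped like one DataShares entry from describe-data-shares.
NS = "arn:aws-cn:redshift:cn-north-1:444455556666:namespace:11111111-2222-3333-4444-555555555555"
SAMPLE = {
    "DataShareArn": "arn:aws-cn:redshift:cn-north-1:123456789012:datashare:"
                    "00000000-0000-0000-0000-000000000000/example_share",
    "DataShareAssociations": [
        {"ConsumerIdentifier": "111122223333", "Status": "ACTIVE", "ProducerAllowedWrites": True},
        {"ConsumerIdentifier": NS, "Status": "ACTIVE", "ProducerAllowedWrites": True},
        {"ConsumerIdentifier": "777788889999", "Status": "DEAUTHORIZED", "ProducerAllowedWrites": True},
    ],
}

if __name__ == "__main__":
    for cmd in plan(SAMPLE, approved_writers={"111122223333"}):
        print(shlex.join(cmd))
```

Run against the sample, the plan contains a single call that re-authorizes the unapproved namespace with --no-allow-writes; the approved account and the deauthorized consumer are left alone.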