Authorizing a datashare in Amazon Redshift - Amazon Redshift
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Authorizing a datashare in Amazon Redshift

With Amazon Redshift, you can control access to datashares by authorizing specified consumers. Datashares allow you to share live data across Amazon Redshift clusters in the same or different Amazon accounts, providing a seamless way to distribute and consume analytical data. This section provides step-by-step instructions for authorizing and revoking consumer access to your datashares in Amazon Redshift.

Note

If you are adding a namespace as a data consumer, you don't have to perform authorization. To authorize a datashare, there must be at least one data consumer added to the datashare.

Console

As a producer administrator on the console, you can choose which data consumers to authorize to access datashares or to remove authorization from. Authorized data consumers receive notifications to take actions on datashares. If you are adding a namespace as a data consumer, you don't have to perform authorization.

  1. Sign in to the Amazon Web Services Management Console and open the Amazon Redshift console at https://console.amazonaws.cn/redshiftv2/.

  2. On the navigation menu, choose Datashares. From here you can see a list called Datashares consumers. Choose one or more consumer clusters that you want to authorize. Then choose Authorize.

  3. The Authorize account dialog appears. You can choose among a couple authorization types.

    • Read-only on [cluster name or workgroup name] – This means that no write permissions are available on the consumer, even if the datashare creator granted write permissions.

    • Read and write on [cluster name or workgroup name] – This means that all permissions granted by the creator, including write permissions, are available on the consumer.

  4. Choose Save.

You can also authorize Amazon Web Services Data Exchange as a consumer.

  1. If you chose Publish to Amazon Glue Data Catalog when creating the datashare, you can only grant authorization of the datashare to a Lake Formation account.

    For Amazon Web Services Data Exchange datashare, you can only authorize one datashare at a time.

    When you authorize an Amazon Web Services Data Exchange datashare, you are sharing the datashare with the Amazon Web Services Data Exchange service and allowing Amazon Web Services Data Exchange to manage access to the datashare on your behalf. Amazon Web Services Data Exchange allows access to consumers by adding consumer accounts as data consumers to the Amazon Web Services Data Exchange datashare when they subscribe to the products. Amazon Web Services Data Exchange doesn't have read access to the datashare.

  2. Choose Save.

After data consumers are authorized, they can access datashare objects and create a consumer database to query the data.

API

The producer security administrator determines the following:

  • Whether or not another account can have access to the datashare.

  • If an account has access to the datashare, whether or not that account has write permissions.

The following IAM permissions are required to authorize a datashare:

redshift:AuthorizeDataShare

You can authorize usage and writes using either a CLI call or with the API:

authorize-data-share --data-share-arn <value> --consumer-identifier <value> [--allow-writes | --no-allow-writes]

For more information about the command, see authorize-data-share.

The consumer identifier can be either:

  • A twelve digit Amazon account ID.

  • The namespace identifier ARN.

Note

Write permissions aren’t granted at the authorizing step. Authorizing a datashare for writes just allows the account to have write permissions that were granted by the datashare administrator. If an administrator does not allow writes, the only permissions available to the specific consumer are SELECT, USAGE, and EXECUTE.

You can change the authorization of a datashare consumer by calling authorize-data-share again, but with a different value. The old authorization is overwritten by the new authorization. So if you originally authorize and allow writes, but re-authorize and specify no-allow-writes or simply do not specify a value, the consumer will have their write permissions revoked.