Restricting access to IAM roles
By default, IAM roles that are available to an Amazon Redshift cluster are available to all users on that cluster. You can choose to restrict IAM roles to specific Amazon Redshift database users on specific clusters or to specific regions.
To permit only specific database users to use an IAM role, take the following steps.
To identify specific database users with access to an IAM role
- Identify the Amazon Resource Name (ARN) for the database users in your Amazon Redshift cluster. The ARN for a database user is in the format:

      arn:aws:redshift:region:account-id:dbuser:cluster-name/user-name

  For Amazon Redshift Serverless, use the following ARN format.

      arn:aws:redshift:region:account-id:dbuser:workgroup-name/user-name

- Open the IAM console.
- In the navigation pane, choose Roles.
- Choose the IAM role that you want to restrict to specific Amazon Redshift database users.
- Choose the Trust Relationships tab, and then choose Edit Trust Relationship. A new IAM role that allows Amazon Redshift to access other Amazon services on your behalf has a trust relationship as follows:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": "redshift.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }

- Add a condition to the sts:AssumeRole action section of the trust relationship that limits the sts:ExternalId field to values that you specify. Include an ARN for each database user that you want to grant access to the role. The external ID can be any unique string. For example, the following trust relationship specifies that only database users user1 and user2 on cluster my-cluster in region us-west-2 have permission to use this IAM role.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": "redshift.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
              "StringEquals": {
                "sts:ExternalId": [
                  "arn:aws:redshift:us-west-2:123456789012:dbuser:my-cluster/user1",
                  "arn:aws:redshift:us-west-2:123456789012:dbuser:my-cluster/user2"
                ]
              }
            }
          }
        ]
      }

- Choose Update Trust Policy.
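The procedure above is easy to get wrong by hand (a malformed ARN silently matches nobody, and a role whose trust policy has no sts:ExternalId condition stays open to every database user on the cluster). The following Python script is an added example, not part of the AWS documentation or any AWS SDK: it builds a trust policy of the shape shown above from a list of database-user ARNs, and audits an existing trust-policy document to report which ExternalId values restrict the Redshift service principal, or that the role is unrestricted. The function names, the sample account ID 123456789012, and the treatment of StringLike as a restricting operator are assumptions of this example; it works on policy JSON alone and makes no AWS API calls.

```python
import json
from typing import Iterable, List, Optional

REDSHIFT_SERVICE = "redshift.amazonaws.com"

# Constructed sample: the default trust relationship from the page, which
# grants the role to every database user on the cluster.
UNRESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": REDSHIFT_SERVICE},
            "Action": "sts:AssumeRole",
        }
    ],
}


def dbuser_arn(region: str, account_id: str, cluster_or_workgroup: str, user: str) -> str:
    """Build a Redshift database-user ARN in the documented format.
    The same shape serves provisioned clusters (cluster name) and
    Redshift Serverless (workgroup name)."""
    for part in (region, account_id, cluster_or_workgroup, user):
        if not part or ":" in part or "/" in part:
            raise ValueError(f"invalid ARN component: {part!r}")
    return f"arn:aws:redshift:{region}:{account_id}:dbuser:{cluster_or_workgroup}/{user}"


def build_trust_policy(allowed_dbuser_arns: Iterable[str]) -> dict:
    """Trust policy that lets the Redshift service assume the role only when
    sts:ExternalId equals one of the given database-user ARNs."""
    arns = sorted(set(allowed_dbuser_arns))
    if not arns:
        raise ValueError("at least one database-user ARN is required")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": REDSHIFT_SERVICE},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": arns}},
            }
        ],
    }


def _as_list(value) -> List:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_assume_role_to_redshift(stmt: dict) -> bool:
    """True if this Allow statement lets redshift.amazonaws.com call AssumeRole."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    if principal == "*":
        open_to_redshift = True  # anonymous principal covers the service too
    elif isinstance(principal, dict):
        open_to_redshift = REDSHIFT_SERVICE in _as_list(principal.get("Service"))
    else:
        open_to_redshift = False
    actions = _as_list(stmt.get("Action"))
    assume = any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions)
    return open_to_redshift and assume


def redshift_external_ids(policy: dict) -> Optional[List[str]]:
    """Audit a trust policy. Returns the sts:ExternalId values that gate the
    Redshift service principal, or None if any statement lets Redshift assume
    the role without such a condition (open to every database user)."""
    restricting: List[str] = []
    for stmt in _as_list(policy.get("Statement")):
        if not _grants_assume_role_to_redshift(stmt):
            continue
        cond = stmt.get("Condition", {}) or {}
        ids: Optional[List[str]] = None
        # StringEquals is what the page uses; StringLike (e.g. a per-cluster
        # wildcard) is also treated here as a restriction, by assumption.
        for op in ("StringEquals", "StringLike"):
            values = cond.get(op, {}).get("sts:ExternalId")
            if values is not None:
                ids = _as_list(values)
        if ids is None:
            return None
        restricting.extend(ids)
    return restricting


if __name__ == "__main__":
    users = [dbuser_arn("us-west-2", "123456789012", "my-cluster", u) for u in ("user1", "user2")]
    policy = build_trust_policy(users)
    print(json.dumps(policy, indent=2))
    print("unrestricted:", redshift_external_ids(UNRESTRICTED_POLICY))
    print("restricted to:", redshift_external_ids(policy))
```

Paste the printed JSON into the Edit Trust Relationship editor, or feed a role's existing trust document (for example the output of `aws iam get-role`) to `redshift_external_ids` to find roles that are still usable by every database user.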