Authorizing Amazon Redshift to access Amazon services on your behalf
Some Amazon Redshift features require Amazon Redshift to access other Amazon services on your behalf. For example, the COPY and UNLOAD commands can load or unload data into your Amazon Redshift cluster using an Amazon S3 bucket. The CREATE EXTERNAL FUNCTION command can invoke an Amazon Lambda function using a scalar Lambda user-defined function (UDF). Amazon Redshift Spectrum can use a data catalog in Amazon Athena or Amazon Glue. For your Amazon Redshift clusters to act on your behalf, you supply security credentials to your clusters. The preferred method to supply security credentials is to specify an Amazon Identity and Access Management (IAM) role. For COPY and UNLOAD, you can provide temporary credentials.
Users need programmatic access if they want to interact with Amazon outside of the Amazon Web Services Management Console. The Amazon APIs and the Amazon Command Line Interface require access keys. Whenever possible, create temporary credentials that consist of an access key ID, a secret access key, and a security token that indicates when the credentials expire.
To grant users programmatic access, choose one of the following options.
Which user needs programmatic access? | To | By |
---|---|---|
IAM | Use short-term credentials to sign programmatic requests to the Amazon CLI or Amazon APIs (directly or by using the Amazon SDKs). | Following the instructions in Using temporary credentials with Amazon resources in the IAM User Guide. |
IAM | (Not recommended) Use long-term credentials to sign programmatic requests to the Amazon CLI or Amazon APIs (directly or by using the Amazon SDKs). |
Following the instructions in Managing access keys for IAM users in the IAM User Guide. |
Following, find out how to create an IAM role with the appropriate permissions to access other Amazon services. You also need to associate the role with your cluster and specify the Amazon Resource Name (ARN) of the role when you run the Amazon Redshift command. For more information, see Authorizing COPY, UNLOAD, CREATE EXTERNAL FUNCTION, and CREATE EXTERNAL SCHEMA operations using IAM roles.
In addition, a superuser can grant the ASSUMEROLE privilege to specific users and groups to provide access to a role for COPY and UNLOAD operations. For information, see GRANT in the Amazon Redshift Database Developer Guide.
Creating an IAM role to allow your Amazon Redshift cluster to access Amazon services
Creating an IAM role with permissions
To create an IAM role to permit your Amazon Redshift cluster to communicate with other Amazon services on your behalf, take the following steps. The values used in this section are examples, you can choose values based on your needs.
To create an IAM role to allow Amazon Redshift to access Amazon services
-
Open the IAM console
. -
In the navigation pane, choose Roles.
-
Choose Create role.
-
Choose Amazon service, and then choose Redshift.
-
Under Select your use case, choose Redshift - Customizable and then choose Next: Permissions. The Attach permissions policy page appears.
-
For access to Amazon S3 using COPY, as an example, you can use
AmazonS3ReadOnlyAccess
and append. For access to Amazon S3 using COPY or UNLOAD, we suggest that you can create managed policies that restrict access to the desired bucket and prefix accordingly. For both read and write operations, we recommend enforcing the least privileges and restricting to only the Amazon S3 buckets and key prefixes that Amazon Redshift requires.For access to invoke Lambda functions for the CREATE EXTERNAL FUNCTION command, add
AWSLambdaRole
.For Redshift Spectrum, in addition to Amazon S3 access, add
AWSGlueConsoleFullAccess
orAmazonAthenaFullAccess
.Choose Next: Tags.
-
The Add tags page appears. You can optionally add tags. Choose Next: Review.
-
For Role name, type a name for your role, for example
RedshiftCopyUnload
. Choose Create role. -
The new role is available to all users on clusters that use the role. To restrict access to only specific users on specific clusters, or to clusters in specific regions, edit the trust relationship for the role. For more information, see Restricting access to IAM roles.
-
Associate the role with your cluster. You can associate an IAM role with a cluster when you create the cluster, or you add the role to an existing cluster. For more information, see Associating IAM roles with clusters.
Note
To restrict access to specific data, use an IAM role that grants the least privileges required.