Configuring IAM permissions

Amazon Redshift provides the AmazonRedshiftDataFullAccess managed policy. This policy provides full access to Amazon Redshift Data API operations. This policy also allows scoped access to specific Amazon Redshift, Amazon Secrets Manager, and IAM API operations needed to authenticate and access an Amazon Redshift cluster or Redshift Serverless workgroup.

You can also create your own IAM policy that allows access to specific resources. To create your policy, use the AmazonRedshiftDataFullAccess policy as your starting template. After you create your policy, add it to each user that requires access to the Data API.
Consider the following requirements of the IAM policy associated with the user:

- If you use Amazon Secrets Manager to authenticate, confirm the policy allows use of the secretsmanager:GetSecretValue action to retrieve the secret tagged with the key RedshiftDataFullAccess.
- If you use temporary credentials to authenticate to a cluster, confirm the policy allows use of the redshift:GetClusterCredentials action for the database user name redshift_data_api_user for any database in the cluster. This user name must have already been created in your database.
- If you use temporary credentials to authenticate to a serverless workgroup, confirm the policy allows use of the redshift-serverless:GetCredentials action to retrieve the workgroup tagged with the key RedshiftDataFullAccess. The database user is mapped 1:1 to the source Amazon Identity and Access Management (IAM) identity. For example, the user sample_user is mapped to the database user IAM:sample_user, and the IAM role sample_role is mapped to IAMR:sample_role. For more information about IAM identities, see IAM Identities (users, user groups, and roles) in the IAM User Guide.
- The IAM action redshift-data:GetStatementResult allows access to both the GetStatementResult and GetStatementResultV2 API operations.
The following links provide more information about Amazon Identity and Access Management in the IAM User Guide.

- For information about creating IAM roles, see Creating IAM roles.
- For information about creating an IAM policy, see Creating IAM policies.
- For information about adding an IAM policy to a user, see Adding and removing IAM identity permissions.
Run a query on a cluster that is owned by another account

To run a query on a cluster that is owned by another account, the owning account must provide an IAM role that the Data API can assume in the calling account. For example, suppose Account B owns a cluster that Account A needs to access. Account B can attach the Amazon managed policy AmazonRedshiftDataFullAccess to Account B's IAM role. Then Account B trusts Account A using a trust policy such as the following:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::accountID-of-account-A:role/someRoleA"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Finally, the Account A IAM role needs to be able to assume the Account B IAM role.

```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::accountID-of-account-B:role/someRoleB"
  }
}
```
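The two policies above only work as a pair: the principal in Account B's trust policy must be the Account A role, and the Resource in Account A's role policy must be the Account B role, with neither side widened to "*". The following added example (not part of the AWS documentation) checks that pairing offline. The account ids, the role names and the parse_role_arn and check_cross_account helpers are constructed for this example.

```python
"""Consistency check for a cross-account AssumeRole pair (added example).

The trust policy on Account B's role and the identity policy on Account A's
role are checked against each other. All ids here are constructed samples.
"""
import re

ROLE_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):iam::(?P<account>\d{12}):role/(?P<name>[\w+=,.@/-]+)$"
)


def parse_role_arn(arn):
    """Return (partition, account, role name), or None if arn is not an IAM role ARN."""
    match = ROLE_ARN_RE.match(arn)
    return (match["partition"], match["account"], match["name"]) if match else None


def _as_list(value):
    # IAM allows a single string or a list in Statement, Action, Resource and Principal.AWS
    return value if isinstance(value, list) else [value]


def check_cross_account(trust_policy_b, role_policy_a, account_a, account_b):
    """Return a list of findings; an empty list means the pair lines up.

    trust_policy_b: trust policy attached to Account B's role (who may assume it).
    role_policy_a:  identity policy on Account A's role (which roles it may assume).
    """
    findings = []

    # 1. Account B's trust policy must name principals in Account A explicitly.
    saw_trust = False
    for stmt in _as_list(trust_policy_b["Statement"]):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        saw_trust = True
        principal = stmt.get("Principal", {})
        aws_principals = principal.get("AWS", []) if isinstance(principal, dict) else []
        if principal == "*" or aws_principals == "*":
            findings.append("trust policy allows any AWS principal to assume the role")
            continue
        for arn in _as_list(aws_principals):
            parsed = parse_role_arn(arn)
            if parsed is None:
                findings.append(f"trust policy principal is not a role ARN: {arn}")
            elif parsed[1] != account_a:
                findings.append(f"trust policy trusts a principal outside Account A: {arn}")
    if not saw_trust:
        findings.append("trust policy has no Allow statement for sts:AssumeRole")

    # 2. Account A's role policy must target a specific role in Account B.
    saw_assume = False
    for stmt in _as_list(role_policy_a["Statement"]):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        saw_assume = True
        for res in _as_list(stmt["Resource"]):
            parsed = parse_role_arn(res)
            if parsed is None:
                findings.append(f"role policy Resource is not a specific role ARN: {res}")
            elif parsed[1] != account_b:
                findings.append(f"role policy targets a role outside Account B: {res}")
    if not saw_assume:
        findings.append("role policy has no Allow statement for sts:AssumeRole")
    return findings


# Constructed sample account ids and the two policies from this page filled in.
ACCOUNT_A = "111122223333"
ACCOUNT_B = "444455556666"

TRUST_POLICY_B = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT_A}:role/someRoleA"]},
        "Action": "sts:AssumeRole",
    }],
}

ROLE_POLICY_A = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": f"arn:aws:iam::{ACCOUNT_B}:role/someRoleB",
    },
}

if __name__ == "__main__":
    print(check_cross_account(TRUST_POLICY_B, ROLE_POLICY_A, ACCOUNT_A, ACCOUNT_B))  # []
```

The check reads the policy documents as Python dicts; in practice you would load them with json.load from the files you are about to pass to the IAM API. A wildcard principal in the trust policy or a wildcard Resource in the role policy is reported as a finding because either one widens the trust relationship beyond the two roles the section describes.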
Specify an IAM role that restricts resources to Redshift Serverless workgroups and Amazon Redshift clusters in an Amazon Web Services account

You can specify resource ARNs in your identity-based policy to control access to Redshift Serverless workgroups and Amazon Redshift clusters in an Amazon Web Services account. This example shows how you might create a policy that allows access to the Data API for only the workgroup and clusters in the specified Amazon Web Services account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "redshift-data:CancelStatement",
        "redshift-data:DescribeStatement",
        "redshift-data:GetStatementResult",
        "redshift-data:ListStatements"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "redshift-data:*",
      "Resource": [
        "arn:arn-partition:redshift-serverless:*:Amazon Web Services account:workgroup/*",
        "arn:arn-partition:redshift:*:Amazon Web Services account:cluster:*"
      ]
    }
  ]
}
```
Configure an IAM policy that restricts access to SQL statement information to only the statement owner

By default, Amazon Redshift Data API treats the IAM role used when calling ExecuteStatement and BatchExecuteStatement as the owner of the SQL statement. Anyone who is allowed to assume the role is able to access information about the SQL statement, including its results. To restrict SQL statement information access to an IAM role session with a particular owner, add a condition on the key redshift-data:statement-owner-iam-userid with the value "${aws:userid}". The following IAM policy restricts access.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "redshift-data:CancelStatement",
        "redshift-data:DescribeStatement",
        "redshift-data:GetStatementResult",
        "redshift-data:ListStatements"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "redshift-data:statement-owner-iam-userid": "${aws:userid}"
        }
      }
    }
  ]
}
```

You can use the condition statement-owner-iam-userid with CancelStatement, DescribeStatement, GetStatementResult, and ListStatements. For more information, see Actions defined by Amazon Redshift Data API.
Configure an IAM policy that restricts access to SQL results to only the session owner

By default, Amazon Redshift Data API treats the IAM role used when calling ExecuteStatement and BatchExecuteStatement as the owner of the database session that runs the SQL statement. Anyone who is allowed to assume the role is able to submit queries to the database session. To restrict session access to an IAM role session with a particular owner, add a condition on the key redshift-data:session-owner-iam-userid with the value "${aws:userid}".

The following IAM policy restricts access so that only the session owner can run statements in the session and get statement results. The condition session-owner-iam-userid is used to limit resource access to the specified userid.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "redshift-data:ExecuteStatement",
        "redshift-data:BatchExecuteStatement"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "redshift-data:session-owner-iam-userid": "${aws:userid}"
        }
      }
    }
  ]
}
```

You can use the condition session-owner-iam-userid with ExecuteStatement and BatchExecuteStatement. For more information, see Actions defined by Amazon Redshift Data API.
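To see how the resource-scoped policy and the two owner conditions above decide a request, here is an added example (not part of the AWS documentation and not the AWS policy engine): a small evaluator that models only Allow statements, "*" wildcards in actions and ARNs, and StringEquals conditions with the ${aws:userid} policy variable. It relies on the documented shape of aws:userid for an assumed-role session, "<role unique id>:<session name>", which is why two sessions of the same role get different owner ids. The account id, the role unique id, the session names and the is_allowed and role_session_userid helpers are constructed for this example; the three policies are the ones on this page with the partition and account filled in.

```python
"""Toy evaluator for the Redshift Data API policies on this page (added example)."""
import fnmatch

STATEMENT_OWNER_KEY = "redshift-data:statement-owner-iam-userid"
SESSION_OWNER_KEY = "redshift-data:session-owner-iam-userid"
ACCOUNT = "111122223333"  # constructed sample account id


def role_session_userid(role_unique_id, session_name):
    # aws:userid for an assumed-role session is "<role unique id>:<session name>".
    # Two callers assuming the same role therefore carry different userids.
    return f"{role_unique_id}:{session_name}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(candidate, patterns):
    # IAM-style "*" wildcard matching for Action and Resource entries
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def _condition_holds(condition, request):
    """Evaluate StringEquals conditions, substituting ${aws:userid} from the request."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"operator not modelled in this example: {operator}")
        for key, expected in pairs.items():
            actual = request.get(key)
            if actual is None:
                return False  # key missing from the request context: StringEquals fails
            wanted = [v.replace("${aws:userid}", request["aws:userid"]) for v in _as_list(expected)]
            if actual not in wanted:
                return False
    return True


def is_allowed(policy, action, resource, request):
    """True if some Allow statement matches the action, the resource and its condition."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not _matches(action, stmt["Action"]) or not _matches(resource, stmt["Resource"]):
            continue
        if not _condition_holds(stmt.get("Condition", {}), request):
            continue
        return True
    return False


STATEMENT_ACTIONS = ["redshift-data:CancelStatement", "redshift-data:DescribeStatement",
                     "redshift-data:GetStatementResult", "redshift-data:ListStatements"]

# Resource-scoped policy from the page, partition "aws" and the sample account filled in.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": STATEMENT_ACTIONS, "Resource": "*"},
        {"Effect": "Allow", "Action": "redshift-data:*",
         "Resource": [f"arn:aws:redshift-serverless:*:{ACCOUNT}:workgroup/*",
                      f"arn:aws:redshift:*:{ACCOUNT}:cluster:*"]},
    ],
}

# Statement-owner and session-owner policies from the page.
OWNER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": STATEMENT_ACTIONS, "Resource": "*",
                   "Condition": {"StringEquals": {STATEMENT_OWNER_KEY: "${aws:userid}"}}}],
}
SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["redshift-data:ExecuteStatement", "redshift-data:BatchExecuteStatement"],
                   "Resource": "*",
                   "Condition": {"StringEquals": {SESSION_OWNER_KEY: "${aws:userid}"}}}],
}

if __name__ == "__main__":
    alice = role_session_userid("AROAEXAMPLEROLEID", "alice")  # constructed role id and names
    bob = role_session_userid("AROAEXAMPLEROLEID", "bob")
    own_wg = f"arn:aws:redshift-serverless:us-east-1:{ACCOUNT}:workgroup/wg1"
    print(is_allowed(SCOPED_POLICY, "redshift-data:ExecuteStatement", own_wg, {"aws:userid": alice}))
    print(is_allowed(OWNER_POLICY, "redshift-data:GetStatementResult", "*",
                     {"aws:userid": bob, STATEMENT_OWNER_KEY: alice}))
```

The request dict stands in for the IAM request context: "aws:userid" is the caller, and the statement-owner or session-owner key is the value the Data API records for the statement or session. With the owner policies, a second session of the same role (bob) is denied access to alice's statement and session even though both sessions hold the same role, which is exactly the gap the default behaviour leaves open. With the scoped policy, ExecuteStatement against a cluster in a different account is denied while the statement-management actions with Resource "*" still succeed.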