Amazon Redshift will no longer support the creation of new Python UDFs starting Patch 198. Existing Python UDFs will continue to function until June 30, 2026. For more information, see the [blog post](https://amazonaws-china.com/blogs/big-data/amazon-redshift-python-user-defined-functions-will-reach-end-of-support-after-june-30-2026/).

# Using identity-based policies (IAM policies) for Amazon Redshift
<a name="redshift-iam-access-control-identity-based"></a>

This topic provides examples of identity-based policies in which an account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles). 

**Important**  
We recommend that you first review the introductory topics that explain the basic concepts and options available for you to manage access to your Amazon Redshift resources. For more information, see [Overview of managing access permissions to your Amazon Redshift resources](redshift-iam-access-control-overview.md).

The following shows an example of a permissions policy. The policy allows a user to create, delete, modify, and reboot all clusters, and then denies permission to delete or modify any clusters where the cluster identifier starts with `production` in Amazon Web Services Region `us-west-2` and Amazon Web Services account `123456789012`.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowClusterManagement",
      "Action": [
        "redshift:CreateCluster",
        "redshift:DeleteCluster",
        "redshift:ModifyCluster",
        "redshift:RebootCluster"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Sid": "DenyDeleteModifyProtected",
      "Action": [
        "redshift:DeleteCluster",
        "redshift:ModifyCluster"
      ],
      "Resource": [
        "arn:aws-cn:redshift:us-west-2:123456789012:cluster:production*"
      ],
      "Effect": "Deny"
    }
  ]
}
```

The policy has two statements: 
+ The first statement grants a user permission to create, delete, modify, and reboot clusters. The statement specifies a wildcard character (`*`) as the `Resource` value so that the policy applies to all Amazon Redshift resources owned by the root Amazon account. 
+ The second statement denies permission to delete or modify a cluster. The statement specifies a cluster Amazon Resource Name (ARN) for the `Resource` value that ends in a wildcard character (`*`). As a result, this statement applies to all Amazon Redshift clusters in Region `us-west-2` and account `123456789012` where the cluster identifier begins with `production`. Because an explicit `Deny` overrides an `Allow`, the first statement cannot re-grant delete or modify on those clusters.
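As an added example (not from the AWS documentation or any AWS tool), the following Python models the evaluation rule the two statements rely on: an explicit Deny overrides an Allow, and the `production*` ARN pattern only covers the named Region and account. The cluster identifiers it probes are constructed, and the model deliberately omits conditions, SCPs, permission boundaries and resource policies.

```python
import json
import re

# The identity-based policy from the page, embedded so the example runs offline.
POLICY_JSON = r'''
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowClusterManagement",
      "Action": ["redshift:CreateCluster", "redshift:DeleteCluster",
                 "redshift:ModifyCluster", "redshift:RebootCluster"],
      "Resource": ["*"],
      "Effect": "Allow"
    },
    {
      "Sid": "DenyDeleteModifyProtected",
      "Action": ["redshift:DeleteCluster", "redshift:ModifyCluster"],
      "Resource": ["arn:aws-cn:redshift:us-west-2:123456789012:cluster:production*"],
      "Effect": "Deny"
    }
  ]
}
'''


def load_policy():
    """Parse the embedded policy document."""
    return json.loads(POLICY_JSON)


def _as_list(value):
    # IAM accepts either a single string or a list for Action/Resource/Statement.
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one character.
    # Action names are matched case-insensitively; ARNs are matched as written.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def evaluate(policy, action, resource_arn):
    """Return (decision, matching_sids) for one request.

    Teaching model of the evaluation order: everything is implicitly denied;
    a matching Allow statement grants the request; a matching Deny statement
    overrides any Allow. Conditions and the other policy types real IAM
    evaluates are intentionally not modelled here.
    """
    allowed, explicit_deny, hits = False, False, []
    for stmt in _as_list(policy["Statement"]):
        action_hit = any(_iam_match(p, action, ignore_case=True)
                         for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(_iam_match(p, resource_arn)
                           for p in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        hits.append(stmt.get("Sid", "<no Sid>"))
        if stmt["Effect"] == "Deny":
            explicit_deny = True
        elif stmt["Effect"] == "Allow":
            allowed = True
    if explicit_deny:
        return "Deny", hits
    return ("Allow" if allowed else "Deny"), hits


# Constructed cluster ARNs used to probe the policy; the identifiers are made up.
PROTECTED = "arn:aws-cn:redshift:us-west-2:123456789012:cluster:production-west"
OTHER_REGION = "arn:aws-cn:redshift:cn-north-1:123456789012:cluster:production-west"
NOT_PREFIXED = "arn:aws-cn:redshift:us-west-2:123456789012:cluster:pre-production"


def worked_cases():
    """Decisions for the situations the page's explanation covers."""
    policy = load_policy()
    cases = {
        # Protected cluster in the guarded Region and account: explicit Deny wins.
        "delete protected": ("redshift:DeleteCluster", PROTECTED),
        # Reboot is not in the Deny statement, so the Allow stands.
        "reboot protected": ("redshift:RebootCluster", PROTECTED),
        # Same identifier prefix in another Region: the Deny ARN does not match.
        "delete other region": ("redshift:DeleteCluster", OTHER_REGION),
        # 'production' is not at the start of the identifier: production* misses.
        "delete not prefixed": ("redshift:DeleteCluster", NOT_PREFIXED),
        # Action in neither statement: implicit deny.
        "describe protected": ("redshift:DescribeClusters", PROTECTED),
    }
    return {name: evaluate(policy, act, arn)[0] for name, (act, arn) in cases.items()}


if __name__ == "__main__":
    for name, decision in worked_cases().items():
        print(f"{name:22s} -> {decision}")
```

Note that the "delete other region" result shows the guard is scoped to `us-west-2` and `123456789012` only; a cluster with the same identifier elsewhere is not protected by this policy.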

## Amazon managed policies for Amazon Redshift
<a name="redshift-policy-resources.managed-policies"></a>

Amazon addresses many common use cases by providing standalone IAM policies that are created and administered by Amazon. Managed policies grant necessary permissions for common use cases so you can avoid having to investigate what permissions are needed. For more information, see [Amazon managed policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

You can also create your own custom IAM policies to allow permissions for Amazon Redshift API operations and resources. You can attach these custom policies to the IAM roles or groups that require those permissions. 

The following sections describe Amazon managed policies, which you can attach to users in your account, and are specific to Amazon Redshift.

## Amazon Redshift updates to Amazon managed policies
<a name="security-iam-awsmanpol-updates"></a>



View details about updates to Amazon managed policies for Amazon Redshift since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon Redshift Document history page.




| Change | Description | Date | 
| --- | --- | --- | 
|  [AmazonRedshiftFederatedAuthorization](#redshift-policy-managed-policies-federated-authorization) – New policy  |   Amazon Redshift added a new ease-of-use policy for running queries with Amazon Redshift Federated Authorization.   | November 21, 2025 | 
|  [AmazonRedshiftServiceLinkedRolePolicy](#redshift-policy-managed-policies-service-linked-role-policy) – Update to an existing policy  |   Permission for the action `lakeformation:GetDataAccess` is added to the managed policy. Adding it grants permission to get federated catalog information from Amazon Lake Formation.  Additional conditions for the actions `glue:GetCatalog` and `glue:GetCatalogs` are added to the managed policy.   | March 13, 2025 | 
|  [AmazonRedshiftServiceLinkedRolePolicy](#redshift-policy-managed-policies-service-linked-role-policy) – Update to an existing policy  |   Permission for the actions `glue:GetCatalog` and `glue:GetCatalogs` are added to the managed policy. Adding them grants permission to get catalog information from Amazon Glue.  | December 3, 2024 | 
|  [AmazonRedshiftServiceLinkedRolePolicy](#redshift-policy-managed-policies-service-linked-role-policy) – Update to an existing policy  |  Permission for the action `servicequotas:GetServiceQuota` is added to the managed policy. This gives permission to access quotas or limits.  | March 8, 2024 | 
|  [AmazonRedshiftQueryEditorV2FullAccess](#redshift-policy-managed-policies-query-editor-V2) – Update to an existing policy  |  Permission for the actions `redshift-serverless:ListNamespaces` and `redshift-serverless:ListWorkgroups` are added to the managed policy. Adding them grants permission to list serverless namespaces and serverless workgroups in the Amazon Redshift data warehouse.  | February 21, 2024 | 
|  [AmazonRedshiftQueryEditorV2NoSharing](#redshift-policy-managed-policies-query-editor-V2-no-sharing) – Update to an existing policy  |  Permission for the actions `redshift-serverless:ListNamespaces` and `redshift-serverless:ListWorkgroups` are added to the managed policy. Adding them grants permission to list serverless namespaces and serverless workgroups in the Amazon Redshift data warehouse.  | February 21, 2024 | 
|  [AmazonRedshiftQueryEditorV2ReadSharing](#redshift-policy-managed-policies-query-editor-V2-read-sharing) – Update to an existing policy  |  Permission for the actions `redshift-serverless:ListNamespaces` and `redshift-serverless:ListWorkgroups` are added to the managed policy. Adding them grants permission to list serverless namespaces and serverless workgroups in the Amazon Redshift data warehouse.  | February 21, 2024 | 
|  [AmazonRedshiftQueryEditorV2ReadWriteSharing](#redshift-policy-managed-policies-query-editor-V2-write-sharing) – Update to an existing policy  |  Permission for the actions `redshift-serverless:ListNamespaces` and `redshift-serverless:ListWorkgroups` are added to the managed policy. Adding them grants permission to list serverless namespaces and serverless workgroups in the Amazon Redshift data warehouse.  | February 21, 2024 | 
|  [AmazonRedshiftReadOnlyAccess](#redshift-policy-managed-policies-read-only) – Update to an existing policy  |  Permission for the action `redshift:ListRecommendations` is added to the managed policy. This grants permission to list Amazon Redshift Advisor recommendations.  | February 7, 2024 | 
|  [AmazonRedshiftServiceLinkedRolePolicy](#redshift-policy-managed-policies-service-linked-role-policy) – Update to an existing policy  |  Permission for the actions `ec2:AssignIpv6Addresses` and `ec2:UnassignIpv6Addresses` are added to the managed policy. Adding them grants permission to assign and unassign IP addresses.  | October 31, 2023 | 
|  [AmazonRedshiftQueryEditorV2NoSharing](#redshift-policy-managed-policies-query-editor-V2-no-sharing) – Update to an existing policy  |  Permission for the actions `sqlworkbench:GetAutocompletionMetadata` and `sqlworkbench:GetAutocompletionResource` are added to the managed policy. Adding them grants permission to generate and retrieve database information for auto-completion of SQL while editing queries.  | August 16, 2023 | 
|  [AmazonRedshiftQueryEditorV2ReadSharing](#redshift-policy-managed-policies-query-editor-V2-read-sharing) – Update to an existing policy  |  Permission for the actions `sqlworkbench:GetAutocompletionMetadata` and `sqlworkbench:GetAutocompletionResource` are added to the managed policy. Adding them grants permission to generate and retrieve database information for auto-completion of SQL while editing queries.  | August 16, 2023 | 
|  [AmazonRedshiftQueryEditorV2ReadWriteSharing](#redshift-policy-managed-policies-query-editor-V2-write-sharing) – Update to an existing policy  |  Permission for the actions `sqlworkbench:GetAutocompletionMetadata` and `sqlworkbench:GetAutocompletionResource` are added to the managed policy. Adding them grants permission to generate and retrieve database information for auto-completion of SQL while editing queries.  | August 16, 2023 | 
|  [AmazonRedshiftServiceLinkedRolePolicy](#redshift-policy-managed-policies-service-linked-role-policy) – Update to an existing policy  |  Permissions for actions on Amazon Secrets Manager to create and manage secrets are added to the managed policy. Added permissions are the following: [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/redshift/latest/mgmt/redshift-iam-access-control-identity-based.html)  | August 14, 2023 | 
|  [AmazonRedshiftServiceLinkedRolePolicy](#redshift-policy-managed-policies-service-linked-role-policy) – Update to an existing policy  |  Permissions for actions on Amazon EC2 to create and manage security groups and routing rules are removed from the managed policy. These permissions pertained to creating subnets and VPCs. Removed permissions are the following: [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/redshift/latest/mgmt/redshift-iam-access-control-identity-based.html) These were associated with the Purpose:RedshiftMigrateToVpc resource tag. The tag limited the scope of permissions to tasks for Amazon EC2 Classic to Amazon EC2 VPC migration. For more information about resource tags, see [Controlling access to Amazon resources using tags](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_tags.html).  | May 08, 2023 | 
|  [AmazonRedshiftDataFullAccess](#redshift-policy-managed-policies-data-full-access) – Update to an existing policy  |  Permission for the action `redshift:GetClusterCredentialsWithIAM` is added to the managed policy. Adding it grants permission to get enhanced temporary credentials to access an Amazon Redshift database by the specified Amazon Web Services account.  | April 7, 2023 | 
|  [AmazonRedshiftServiceLinkedRolePolicy](#redshift-policy-managed-policies-service-linked-role-policy) – Update to an existing policy  |  Permissions for the actions on Amazon EC2 for creation and management of security group rules are added to the managed policy. These security groups and rules are specifically associated with the Amazon Redshift `aws:RequestTag/Redshift` resource tag. This limits the scope of the permissions to specific Amazon Redshift resources.  | April 06, 2023 | 
|  [AmazonRedshiftQueryEditorV2NoSharing](#redshift-policy-managed-policies-query-editor-V2-no-sharing) – Update to an existing policy  |  Permission for the action `sqlworkbench:GetSchemaInference` is added to the managed policy. Adding it grants permission to get the columns and data types inferred from a file.  | March 21, 2023 | 
|  [AmazonRedshiftQueryEditorV2ReadSharing](#redshift-policy-managed-policies-query-editor-V2-read-sharing) – Update to an existing policy  |  Permission for the action `sqlworkbench:GetSchemaInference` is added to the managed policy. Adding it grants permission to get the columns and data types inferred from a file.  | March 21, 2023 | 
|  [AmazonRedshiftQueryEditorV2ReadWriteSharing](#redshift-policy-managed-policies-query-editor-V2-write-sharing) – Update to an existing policy  |  Permission for the action `sqlworkbench:GetSchemaInference` is added to the managed policy. Adding it grants permission to get the columns and data types inferred from a file.  | March 21, 2023 | 
|  [AmazonRedshiftQueryEditorV2NoSharing](#redshift-policy-managed-policies-query-editor-V2-no-sharing) – Update to an existing policy  |  Permission for the action `sqlworkbench:AssociateNotebookWithTab` is added to the managed policy. Adding it grants permission to create and update tabs linked to a user's own notebook.  | February 2, 2023 | 
|  [AmazonRedshiftQueryEditorV2ReadSharing](#redshift-policy-managed-policies-query-editor-V2-read-sharing) – Update to an existing policy  |  Permission for the action `sqlworkbench:AssociateNotebookWithTab` is added to the managed policy. Adding it grants permission to create and update tabs linked to a user's own notebook or to a notebook that is shared with them.  | February 2, 2023 | 
|  [AmazonRedshiftQueryEditorV2ReadWriteSharing](#redshift-policy-managed-policies-query-editor-V2-write-sharing) – Update to an existing policy  |  Permission for the action `sqlworkbench:AssociateNotebookWithTab` is added to the managed policy. Adding it grants permission to create and update tabs linked to a user's own notebook or to a notebook that is shared with them.  | February 2, 2023 | 
|  [AmazonRedshiftQueryEditorV2NoSharing](#redshift-policy-managed-policies-query-editor-V2-no-sharing) – Update to an existing policy  |  To grant permission to use notebooks, Amazon Redshift added permission for the following actions: [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/redshift/latest/mgmt/redshift-iam-access-control-identity-based.html)  | October 17, 2022 | 
|  [AmazonRedshiftQueryEditorV2ReadSharing](#redshift-policy-managed-policies-query-editor-V2-read-sharing) – Update to an existing policy  |  To grant permission to use notebooks, Amazon Redshift added permission for the following actions: [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/redshift/latest/mgmt/redshift-iam-access-control-identity-based.html)  | October 17, 2022 | 
|  [AmazonRedshiftQueryEditorV2ReadWriteSharing](#redshift-policy-managed-policies-query-editor-V2-write-sharing) – Update to an existing policy  |  To grant permission to use notebooks, Amazon Redshift added permission for the following actions: [\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/redshift/latest/mgmt/redshift-iam-access-control-identity-based.html)  | October 17, 2022 | 
|  [AmazonRedshiftServiceLinkedRolePolicy](#redshift-policy-managed-policies-service-linked-role-policy) – Update to an existing policy  |  Amazon Redshift added the namespace `Amazon/Redshift` to allow publishing metrics to CloudWatch.  | September 7, 2022 | 
|  [AmazonRedshiftQueryEditorV2NoSharing](#redshift-policy-managed-policies-query-editor-V2-no-sharing) – Update to an existing policy  |  Amazon Redshift added permission to the actions `sqlworkbench:ListQueryExecutionHistory` and `sqlworkbench:GetQueryExecutionHistory`. This grants permission to see query history.  | August 30, 2022 | 
|  [AmazonRedshiftQueryEditorV2ReadSharing](#redshift-policy-managed-policies-query-editor-V2-read-sharing) – Update to an existing policy  |  Amazon Redshift added permission to the actions `sqlworkbench:ListQueryExecutionHistory` and `sqlworkbench:GetQueryExecutionHistory`. This grants permission to see query history.  | August 30, 2022 | 
|  [AmazonRedshiftQueryEditorV2ReadWriteSharing](#redshift-policy-managed-policies-query-editor-V2-write-sharing) – Update to an existing policy  |  Amazon Redshift added permission to the actions `sqlworkbench:ListQueryExecutionHistory` and `sqlworkbench:GetQueryExecutionHistory`. This grants permission to see query history.  | August 30, 2022 | 
|  [AmazonRedshiftFullAccess](#redshift-policy-managed-policies-full-access) – Update to an existing policy  |  Permissions for Amazon Redshift Serverless are added to the existing AmazonRedshiftFullAccess managed policy.  | July 22, 2022 | 
|  [AmazonRedshiftDataFullAccess](#redshift-policy-managed-policies-data-full-access) – Update to an existing policy  |  Amazon Redshift changed the default scoping condition on the `redshift-serverless:GetCredentials` permission for the tag `aws:ResourceTag/RedshiftDataFullAccess` from `StringEquals` to `StringLike`, granting access to resources tagged with the tag key `RedshiftDataFullAccess` and any tag value.  | July 11, 2022 | 
|  [AmazonRedshiftDataFullAccess](#redshift-policy-managed-policies-data-full-access) – Update to an existing policy  |  Amazon Redshift added new permissions to allow `redshift-serverless:GetCredentials` for temporary credentials to Amazon Redshift Serverless.  | July 8, 2022 | 
|  [AmazonRedshiftQueryEditorV2NoSharing](#redshift-policy-managed-policies-query-editor-V2-no-sharing) – Update to an existing policy  |  Amazon Redshift added permission to the action `sqlworkbench:GetAccountSettings`. This grants permission to get account settings.  | June 15, 2022 | 
|  [AmazonRedshiftQueryEditorV2ReadSharing](#redshift-policy-managed-policies-query-editor-V2-read-sharing) – Update to an existing policy  |  Amazon Redshift added permission to the action `sqlworkbench:GetAccountSettings`. This grants permission to get account settings.  | June 15, 2022 | 
|  [AmazonRedshiftQueryEditorV2ReadWriteSharing](#redshift-policy-managed-policies-query-editor-V2-write-sharing) – Update to an existing policy  |  Amazon Redshift added permission to the action `sqlworkbench:GetAccountSettings`. This grants permission to get account settings.  | June 15, 2022 | 
|  [AmazonRedshiftServiceLinkedRolePolicy](#redshift-policy-managed-policies-service-linked-role-policy) – Update to an existing policy  |  To enable public access to new Amazon Redshift Serverless endpoints, Amazon Redshift allocates and associates Elastic IP addresses to the VPC endpoint's Elastic network interface in the customer account. It does this via permissions provided through the service linked role. To enable this use case, actions to allocate and release an Elastic IP address are added to the Amazon Redshift Serverless service linked role.   | May 26, 2022 | 
|  [AmazonRedshiftQueryEditorV2FullAccess](#redshift-policy-managed-policies-query-editor-V2) – Update to an existing policy  |  Permission for the action `sqlworkbench:ListTaggedResources` is added to the managed policy. It is scoped specifically to Amazon Redshift query editor v2 resources. This policy update gives the right to call `tag:GetResources` only through query editor v2.  | February 22, 2022 | 
|  [AmazonRedshiftQueryEditorV2NoSharing](#redshift-policy-managed-policies-query-editor-V2-no-sharing) – Update to an existing policy  |  Permission for the action `sqlworkbench:ListTaggedResources` is added to the managed policy. It is scoped specifically to Amazon Redshift query editor v2 resources. This policy update gives the right to call `tag:GetResources` only through query editor v2.  | February 22, 2022 | 
|  [AmazonRedshiftQueryEditorV2ReadSharing](#redshift-policy-managed-policies-query-editor-V2-read-sharing) – Update to an existing policy  |  Permission for the action `sqlworkbench:ListTaggedResources` is added to the managed policy. It is scoped specifically to Amazon Redshift query editor v2 resources. This policy update gives the right to call `tag:GetResources` only through query editor v2.  | February 22, 2022 | 
|  [AmazonRedshiftQueryEditorV2ReadWriteSharing](#redshift-policy-managed-policies-query-editor-V2-write-sharing) – Update to an existing policy  |  Permission for the action `sqlworkbench:ListTaggedResources` is added to the managed policy. It is scoped specifically to Amazon Redshift query editor v2 resources. This policy update gives the right to call `tag:GetResources` only through query editor v2.  | February 22, 2022 | 
|  [AmazonRedshiftQueryEditorV2ReadSharing](#redshift-policy-managed-policies-query-editor-V2-read-sharing) – Update to an existing policy  |  Permission for the action `sqlworkbench:AssociateQueryWithTab` is added to the managed policy. Adding it allows customers to create editor tabs linked to a query that is shared with them.  | February 22, 2022 | 
|  [AmazonRedshiftServiceLinkedRolePolicy](#redshift-policy-managed-policies-service-linked-role-policy) – Update to an existing policy  |  Amazon Redshift added permissions for new actions to allow management of Amazon Redshift network and VPC resources.  | November 22, 2021 | 
|  [AmazonRedshiftAllCommandsFullAccess](#redshift-policy-managed-policies-service-linked-role-commands) – New policy  |  Amazon Redshift added a new policy to allow using the IAM role created from the Amazon Redshift console and set it as default for the cluster to run the COPY from Amazon S3, UNLOAD, CREATE EXTERNAL SCHEMA, CREATE EXTERNAL FUNCTION, CREATE MODEL, or CREATE LIBRARY commands.  | November 18, 2021 | 
|  [AmazonRedshiftServiceLinkedRolePolicy](#redshift-policy-managed-policies-service-linked-role-policy) – Update to an existing policy  |  Amazon Redshift added permissions for new actions to allow management of Amazon Redshift CloudWatch log groups and log streams, including audit-log export.  | November 15, 2021 | 
|  [AmazonRedshiftFullAccess](#redshift-policy-managed-policies-full-access) – Update to an existing policy  |  Amazon Redshift added new permissions to allow model explainability, DynamoDB, Redshift Spectrum, and Amazon RDS federation.  | October 07, 2021 | 
|  [AmazonRedshiftQueryEditorV2FullAccess](#redshift-policy-managed-policies-query-editor-V2) – New policy  |  Amazon Redshift added a new policy to allow full access to Amazon Redshift query editor v2.  | September 24, 2021 | 
|  [AmazonRedshiftQueryEditorV2NoSharing](#redshift-policy-managed-policies-query-editor-V2-no-sharing) – New policy  |  Amazon Redshift added a new policy to allow using Amazon Redshift query editor v2 without sharing resources.  | September 24, 2021 | 
|  [AmazonRedshiftQueryEditorV2ReadSharing](#redshift-policy-managed-policies-query-editor-V2-read-sharing) – New policy  |  Amazon Redshift added a new policy to allow read sharing within Amazon Redshift query editor v2.  | September 24, 2021 | 
|  [AmazonRedshiftQueryEditorV2ReadWriteSharing](#redshift-policy-managed-policies-query-editor-V2-write-sharing) – New policy  |  Amazon Redshift added a new policy to allow read and update sharing within Amazon Redshift query editor v2.  | September 24, 2021 | 
|  [AmazonRedshiftFullAccess](#redshift-policy-managed-policies-full-access) – Update to an existing policy  |  Amazon Redshift added new permissions to allow `sagemaker:*Job*`.  | August 18, 2021 | 
|  [AmazonRedshiftDataFullAccess](#redshift-policy-managed-policies-data-full-access) – Update to an existing policy  |  Amazon Redshift added new permissions to allow `AuthorizeDataShare`.  | August 12, 2021 | 
|  [AmazonRedshiftDataFullAccess](#redshift-policy-managed-policies-data-full-access) – Update to an existing policy  |  Amazon Redshift added new permissions to allow `BatchExecuteStatement`.  | July 27, 2021 | 
|  Amazon Redshift started tracking changes  |  Amazon Redshift started tracking changes for its Amazon managed policies.  | July 27, 2021 | 

## AmazonRedshiftReadOnlyAccess
<a name="redshift-policy-managed-policies-read-only"></a>

Grants read-only access to all Amazon Redshift resources for an Amazon account.

You can find the [AmazonRedshiftReadOnlyAccess](https://console.amazonaws.cn/iam/home#policies/arn:aws:iam::aws:policy/AmazonRedshiftReadOnlyAccess) policy on the IAM console and [AmazonRedshiftReadOnlyAccess](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AmazonRedshiftReadOnlyAccess.html) in the *Amazon Managed Policy Reference Guide*.

## AmazonRedshiftFullAccess
<a name="redshift-policy-managed-policies-full-access"></a>

Grants full access to all Amazon Redshift resources for an Amazon account. Additionally, this policy grants full access to all Amazon Redshift Serverless resources.

You can find the [AmazonRedshiftFullAccess](https://console.amazonaws.cn/iam/home#policies/arn:aws:iam::aws:policy/AmazonRedshiftFullAccess) policy on the IAM console and [AmazonRedshiftFullAccess](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AmazonRedshiftFullAccess.html) in the *Amazon Managed Policy Reference Guide*.

## AmazonRedshiftQueryEditor
<a name="redshift-policy-managed-policies-query-editor"></a>

Grants full access to the query editor on the Amazon Redshift console.

You can find the [AmazonRedshiftQueryEditor](https://console.amazonaws.cn/iam/home#policies/arn:aws:iam::aws:policy/AmazonRedshiftQueryEditor) policy on the IAM console and [AmazonRedshiftQueryEditor](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AmazonRedshiftQueryEditor.html) in the *Amazon Managed Policy Reference Guide*.

## AmazonRedshiftDataFullAccess
<a name="redshift-policy-managed-policies-data-full-access"></a>

Grants full access to the Amazon Redshift Data API operations and resources for an Amazon account. 

You can find the [AmazonRedshiftDataFullAccess](https://console.amazonaws.cn/iam/home#policies/arn:aws:iam::aws:policy/AmazonRedshiftDataFullAccess) policy on the IAM console and [AmazonRedshiftDataFullAccess](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AmazonRedshiftDataFullAccess.html) in the *Amazon Managed Policy Reference Guide*.

## AmazonRedshiftQueryEditorV2FullAccess
<a name="redshift-policy-managed-policies-query-editor-V2"></a>

Grants full access to the Amazon Redshift query editor v2 operations and resources. This policy also grants access to other required services.

You can find the [AmazonRedshiftQueryEditorV2FullAccess](https://console.amazonaws.cn/iam/home#policies/arn:aws:iam::aws:policy/AmazonRedshiftQueryEditorV2FullAccess) policy on the IAM console and [AmazonRedshiftQueryEditorV2FullAccess](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AmazonRedshiftQueryEditorV2FullAccess.html) in the *Amazon Managed Policy Reference Guide*.

## AmazonRedshiftQueryEditorV2NoSharing
<a name="redshift-policy-managed-policies-query-editor-V2-no-sharing"></a>

Grants the ability to work with Amazon Redshift query editor v2 without sharing resources. This policy also grants access to other required services. The principal using this policy can't tag its resources (such as queries) to share them with other principals in the same Amazon Web Services account. 

You can find the [AmazonRedshiftQueryEditorV2NoSharing](https://console.amazonaws.cn/iam/home#policies/arn:aws:iam::aws:policy/AmazonRedshiftQueryEditorV2NoSharing) policy on the IAM console and [AmazonRedshiftQueryEditorV2NoSharing](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AmazonRedshiftQueryEditorV2NoSharing.html) in the *Amazon Managed Policy Reference Guide*.

## AmazonRedshiftQueryEditorV2ReadSharing
<a name="redshift-policy-managed-policies-query-editor-V2-read-sharing"></a>

Grants the ability to work with Amazon Redshift query editor v2 with limited sharing of resources. This policy also grants access to other required services. The principal using this policy can tag its resources (such as queries) to share them with other principals in the same Amazon Web Services account. The granted principal can read the resources shared with its team but can't update them. 

You can find the [AmazonRedshiftQueryEditorV2ReadSharing](https://console.amazonaws.cn/iam/home#policies/arn:aws:iam::aws:policy/AmazonRedshiftQueryEditorV2ReadSharing) policy on the IAM console and [AmazonRedshiftQueryEditorV2ReadSharing](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AmazonRedshiftQueryEditorV2ReadSharing.html) in the *Amazon Managed Policy Reference Guide*.

## AmazonRedshiftQueryEditorV2ReadWriteSharing
<a name="redshift-policy-managed-policies-query-editor-V2-write-sharing"></a>

Grants the ability to work with Amazon Redshift query editor v2 with sharing of resources. This policy also grants access to other required services. The principal using this policy can tag its resources (such as queries) to share them with other principals in the same Amazon Web Services account. The granted principal can read and update the resources shared with its team. 

You can find the [AmazonRedshiftQueryEditorV2ReadWriteSharing](https://console.amazonaws.cn/iam/home#policies/arn:aws:iam::aws:policy/AmazonRedshiftQueryEditorV2ReadWriteSharing) policy on the IAM console and [AmazonRedshiftQueryEditorV2ReadWriteSharing](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AmazonRedshiftQueryEditorV2ReadWriteSharing.html) in the *Amazon Managed Policy Reference Guide*.

## AmazonRedshiftServiceLinkedRolePolicy
<a name="redshift-policy-managed-policies-service-linked-role-policy"></a>

You can't attach AmazonRedshiftServiceLinkedRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows Amazon Redshift to access account resources. For more information, see [Using service-linked roles for Amazon Redshift](https://docs.amazonaws.cn/redshift/latest/mgmt/using-service-linked-roles.html). 

You can find the [AmazonRedshiftServiceLinkedRolePolicy](https://console.amazonaws.cn/iam/home#policies/arn:aws:iam::aws:policy/AmazonRedshiftServiceLinkedRolePolicy) policy on the IAM console and [AmazonRedshiftServiceLinkedRolePolicy](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AmazonRedshiftServiceLinkedRolePolicy.html) in the *Amazon Managed Policy Reference Guide*.

## AmazonRedshiftAllCommandsFullAccess
<a name="redshift-policy-managed-policies-service-linked-role-commands"></a>

Grants the ability to use the IAM role created from the Amazon Redshift console and set it as default for the cluster to run the COPY from Amazon S3, UNLOAD, CREATE EXTERNAL SCHEMA, CREATE EXTERNAL FUNCTION, and CREATE MODEL commands. The policy also grants permissions to run SELECT statements for related services, such as Amazon S3, CloudWatch Logs, Amazon SageMaker AI, or Amazon Glue.

You can find the [AmazonRedshiftAllCommandsFullAccess](https://console.amazonaws.cn/iam/home#policies/arn:aws:iam::aws:policy/AmazonRedshiftAllCommandsFullAccess) policy on the IAM console and [AmazonRedshiftAllCommandsFullAccess](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AmazonRedshiftAllCommandsFullAccess.html) in the *Amazon Managed Policy Reference Guide*.

## AmazonRedshiftFederatedAuthorization
<a name="redshift-policy-managed-policies-federated-authorization"></a>

The policy consolidates the IAM actions needed to run a query against a Glue Data Catalog database with Amazon Redshift Federated Permissions. Such a query goes through Amazon Glue and therefore needs Get actions on catalog objects to discover the objects, and Create, Update, Rename and Delete actions to modify the objects. Note that the resources are managed by Amazon Redshift, so the principal also needs Redshift permissions to complete the query. The `glue:FederateAuthorization` action allows Amazon Glue to delegate authorization decisions on the catalog objects to Amazon Redshift.

This policy allows the principal to run queries against the catalog with Amazon Redshift Federated Permissions, but does not allow registering and unregistering the Amazon Redshift namespace with Amazon Glue. Refer to the documentation on IAM Policy Requirements for Amazon Redshift Federated Permissions Setup.

You can find the [AmazonRedshiftFederatedAuthorization](https://console.amazonaws.cn/iam/home#policies/arn:aws:iam::aws:policy/AmazonRedshiftFederatedAuthorization) policy on the IAM console and [AmazonRedshiftFederatedAuthorization](https://docs.amazonaws.cn/aws-managed-policy/latest/reference/AmazonRedshiftFederatedAuthorization.html) in the *Amazon Managed Policy Reference Guide*.

You can also create your own custom IAM policies to allow permissions for Amazon Redshift API operations and resources. You can attach these custom policies to the IAM roles or groups that require those permissions. 

## Permissions required to use Redshift Spectrum
<a name="redshift-spectrum-policy-resources"></a>

Amazon Redshift Spectrum requires permissions to other Amazon services to access resources. For details about permissions in IAM policies for Redshift Spectrum, see [IAM policies for Amazon Redshift Spectrum](https://docs.amazonaws.cn/redshift/latest/dg/c-spectrum-iam-policies.html) in the *Amazon Redshift Database Developer Guide*.

## Permissions required to use the Amazon Redshift console
<a name="redshift-policy-resources.required-permissions.console"></a>

For a user to work with the Amazon Redshift console, that user must have a minimum set of permissions that allows the user to describe the Amazon Redshift resources for their Amazon account. These permissions must also allow the user to describe other related information, including Amazon EC2 security, Amazon CloudWatch, Amazon SNS, and network information.

If you create an IAM policy that is more restrictive than the minimum required permissions, the console doesn't function as intended for users with that IAM policy. To ensure that those users can still use the Amazon Redshift console, also attach the `AmazonRedshiftReadOnlyAccess` managed policy to the user. How to do this is described in [Amazon managed policies for Amazon Redshift](#redshift-policy-resources.managed-policies).

For information about giving a user access to the query editor on the Amazon Redshift console, see [Permissions required to use the Amazon Redshift console query editor](#redshift-policy-resources.required-permissions.query-editor). 

You don't need to allow minimum console permissions for users that are making calls only to the Amazon CLI or the Amazon Redshift API. 

## Permissions required to use the Amazon Redshift console query editor
<a name="redshift-policy-resources.required-permissions.query-editor"></a>

For a user to work with the Amazon Redshift query editor, that user must have a minimum set of permissions to Amazon Redshift and Amazon Redshift Data API operations. To connect to a database using a secret, you must also have Secrets Manager permissions.

To give a user access to the query editor on the Amazon Redshift console, attach the `AmazonRedshiftQueryEditor` and `AmazonRedshiftReadOnlyAccess` Amazon managed policies. The `AmazonRedshiftQueryEditor` policy permits the user to retrieve the results of only their own SQL statements, that is, statements submitted by the same `aws:userid`, as shown in this section of the `AmazonRedshiftQueryEditor` Amazon managed policy.

```
{
    "Sid":"DataAPIIAMStatementPermissionsRestriction",
    "Action": [
        "redshift-data:GetStatementResult",
        "redshift-data:CancelStatement",
        "redshift-data:DescribeStatement",
        "redshift-data:ListStatements"
    ],
    "Effect": "Allow",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "redshift-data:statement-owner-iam-userid": "${aws:userid}"
        }
    }
}
```

To allow a user to retrieve the results of SQL statements run by other users of the same IAM role, create your own policy without the condition that limits access to the current user. Also restrict the ability to change that policy to an administrator.

## Permissions required to use the query editor v2
<a name="redshift-policy-resources.required-permissions.query-editor-v2"></a>

For a user to work with the Amazon Redshift query editor v2, that user must have a minimum set of permissions to Amazon Redshift, the query editor v2 operations, and other Amazon services such as Amazon Key Management Service, Amazon Secrets Manager, and tagging service. 

To give a user full access to the query editor v2, attach the `AmazonRedshiftQueryEditorV2FullAccess` Amazon managed policy. The `AmazonRedshiftQueryEditorV2FullAccess` policy permits the user to share query editor v2 resources, such as queries, with others on the same team. For details about how access to query editor v2 resources is controlled, see the definition of the specific managed policy for query editor v2 in the IAM console. 

Some Amazon Redshift query editor v2 Amazon managed policies use Amazon tags within conditions to scope access to resources. Within query editor v2, sharing queries is based on the tag key and value `"aws:ResourceTag/sqlworkbench-team": "${aws:PrincipalTag/sqlworkbench-team}"` in the IAM policy attached to the principal (the IAM role). Principals in the same Amazon Web Services account with the same tag value (for example, `accounting-team`) are on the same team in query editor v2. A principal can be associated with only one team at a time. A user with administrative permissions can set up teams in the IAM console by giving all team members the same value for the `sqlworkbench-team` tag. If the `sqlworkbench-team` tag value is changed for an IAM user or an IAM role, there might be a delay until the change is reflected in shared resources. If the tag value of a resource (such as a query) is changed, there might likewise be a delay until the change is reflected. Team members must also have the `tag:GetResources` permission to share.

**Example: To add the `accounting-team` tag for an IAM role**

1. Sign in to the Amazon Web Services Management Console and open the IAM console at [https://console.amazonaws.cn/iam/](https://console.amazonaws.cn/iam/).

1. In the navigation pane of the console, choose **Roles** and then choose the name of the role that you want to edit.

1. Choose the **Tags** tab and then choose **Add tags**.

1. Add the tag key **sqlworkbench-team** and the value `accounting-team`.

1. Choose **Save changes**.

   Now when an IAM principal (with this IAM role attached) shares a query with the team, other principals with the same `accounting-team` tag value can view the query.
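Both conditions in this topic, the `${aws:userid}` restriction in the `AmazonRedshiftQueryEditor` excerpt and the `sqlworkbench-team` tag match used by query editor v2, rely on IAM substituting a policy variable from the request context and then comparing strings. The following Python is an added, deliberately simplified model of that evaluation, written for this page; it is not Amazon's evaluator. It models only `StringEquals` and `StringEqualsIgnoreCase`, ignores `Resource` matching, and the `sqlworkbench:PlaceholderSharedQueryAction` name and the `AROAEXAMPLEROLEID:…` user IDs are constructed placeholders, since the page names neither the sharing action nor real IDs.

```python
import fnmatch
import re

# IAM policy variables such as ${aws:userid} are substituted from the request context.
_POLICY_VAR = re.compile(r"\$\{([A-Za-z0-9:/_-]+)\}")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def resolve_variables(value, ctx):
    """Substitute ${key} from ctx; None if a key is absent (IAM treats that as a non-match)."""
    missing = False

    def repl(match):
        nonlocal missing
        if match.group(1) not in ctx:
            missing = True
            return ""
        return ctx[match.group(1)]

    substituted = _POLICY_VAR.sub(repl, value)
    return None if missing else substituted


def condition_matches(condition, ctx):
    """Evaluate a Condition block: every operator and every key in it must match."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False  # a missing context key never satisfies StringEquals*
            candidates = [resolve_variables(v, ctx) for v in _as_list(expected)]
            candidates = [c for c in candidates if c is not None]
            if operator == "StringEquals":
                if actual not in candidates:
                    return False
            elif operator == "StringEqualsIgnoreCase":
                if actual.lower() not in [c.lower() for c in candidates]:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} is not modelled here")
    return True


def evaluate(policy, action, ctx):
    """'Allow' or 'Deny' for one action: default deny, an explicit Deny wins, and a
    statement applies only when its Condition matches (Resource matching is omitted)."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        patterns = [p.lower() for p in _as_list(stmt["Action"])]  # action names are case-insensitive
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue
        if not condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# The statement quoted from AmazonRedshiftQueryEditor above, wrapped as a stand-alone policy.
QUERY_EDITOR_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DataAPIIAMStatementPermissionsRestriction",
    "Action": ["redshift-data:GetStatementResult", "redshift-data:CancelStatement",
               "redshift-data:DescribeStatement", "redshift-data:ListStatements"],
    "Effect": "Allow",
    "Resource": "*",
    "Condition": {"StringEquals": {"redshift-data:statement-owner-iam-userid": "${aws:userid}"}},
}]}

# The team-sharing condition from the query editor v2 section; the page does not name the
# sharing action, so the Action is a wildcard and the request below uses a placeholder name.
TEAM_SHARE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Action": "sqlworkbench:*",
    "Effect": "Allow",
    "Resource": "*",
    "Condition": {"StringEquals": {
        "aws:ResourceTag/sqlworkbench-team": "${aws:PrincipalTag/sqlworkbench-team}"}},
}]}


def statement_result_decision(caller_userid, owner_userid):
    """Can caller_userid fetch the results of a Data API statement owned by owner_userid?"""
    ctx = {"aws:userid": caller_userid, "redshift-data:statement-owner-iam-userid": owner_userid}
    return evaluate(QUERY_EDITOR_POLICY, "redshift-data:GetStatementResult", ctx)


def shared_query_decision(principal_team, resource_team):
    """Can a principal tagged principal_team reach a resource tagged resource_team? None = untagged."""
    ctx = {}
    if principal_team is not None:
        ctx["aws:PrincipalTag/sqlworkbench-team"] = principal_team
    if resource_team is not None:
        ctx["aws:ResourceTag/sqlworkbench-team"] = resource_team
    return evaluate(TEAM_SHARE_POLICY, "sqlworkbench:PlaceholderSharedQueryAction", ctx)


if __name__ == "__main__":
    # Constructed aws:userid values of the form <role-id>:<session-name>, two sessions of one role.
    print(statement_result_decision("AROAEXAMPLEROLEID:alice", "AROAEXAMPLEROLEID:alice"))  # Allow
    print(statement_result_decision("AROAEXAMPLEROLEID:bob", "AROAEXAMPLEROLEID:alice"))    # Deny
    print(shared_query_decision("accounting-team", "accounting-team"))  # Allow
    print(shared_query_decision("accounting-team", "finance-team"))     # Deny
    print(shared_query_decision(None, "accounting-team"))               # Deny: untagged principal
```

The second `statement_result_decision` call is the case the text describes: two sessions of the same IAM role have different `aws:userid` values, so one cannot read the other's results until the condition is removed. The last `shared_query_decision` call shows why every team member must carry the tag: an unresolvable `${aws:PrincipalTag/sqlworkbench-team}` never matches, so an untagged principal is denied rather than matched against an empty string.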

For more information on how to attach a tag to a principal, including IAM roles and IAM users, see [Tagging IAM resources](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*. 

You can also set up teams at the session level using an Identity Provider (IdP). This allows multiple users who use the same IAM role to be on different teams. The IAM role trust policy must allow the `sts:TagSession` operation. For more information, see [Permissions required to add session tags](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_permissions-required) in the *IAM User Guide*. Add the principal tag attribute to the SAML assertion provided by your IdP.

```
<Attribute Name="https://aws.amazon.com/SAML/Attributes/PrincipalTag:sqlworkbench-team">
    <AttributeValue>accounting-team</AttributeValue>
</Attribute>
```

Follow the instructions for your Identity provider (IdP) to populate the SAML attribute with the content coming from your directory. For more information about Identity providers (IdPs) and Amazon Redshift, see [Using IAM authentication to generate database user credentials](generating-user-credentials.md) and [Identity providers and federation](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_providers.html) in the *IAM User Guide*. 

The `sqlworkbench:CreateNotebookVersion` permission grants permission to get the current content of notebook cells and create a notebook version in your account. That is, at the time of version creation, the current content of the notebook is the same as the version's content. Later, the content of the cells in the version stays the same as the current notebook is updated. The `sqlworkbench:GetNotebookVersion` permission grants permission to get a version of the notebook. A user who doesn't have the `sqlworkbench:BatchGetNotebookCell` permission but has the `sqlworkbench:CreateNotebookVersion` and `sqlworkbench:GetNotebookVersion` permissions on a notebook has access to the notebook cells in the version. Such a user is therefore still able to retrieve the content of a notebook's cells by first creating a version and then getting that version.

## Permissions required to use the Amazon Redshift scheduler
<a name="iam-permission-scheduler"></a>

When you use the Amazon Redshift scheduler, you set up an IAM role with a trust relationship to the Amazon Redshift scheduler (**scheduler.redshift.amazonaws.com**) to allow the scheduler to assume permissions on your behalf. You also attach a policy (permissions) to the role for the Amazon Redshift API operations that you want to schedule.

The following example shows the policy document in JSON format to set up a trust relationship with the Amazon Redshift scheduler and Amazon Redshift. 

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "scheduler.redshift.amazonaws.com",
                    "redshift.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```

------

For more information about trust entities, see [Creating a role to delegate permissions to an Amazon service](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *IAM User Guide*.

You also must add permission for the Amazon Redshift operations you want to schedule. 

For the scheduler to use the `ResizeCluster` operation, add a permission that is similar to the following to your IAM policy. Depending on your environment, you might want to make the policy more restrictive.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "redshift:ResizeCluster",
            "Resource": "*"
        }
    ]
}
```

------

For the steps to create a role for the Amazon Redshift scheduler, see [Creating a role for an Amazon service (console)](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_create_for-service.html#roles-creatingrole-service-console) in the *IAM User Guide*. Make these choices when you create a role in the IAM console: 
+ For **Choose the service that will use this role**: Choose **Redshift**.
+ For **Select your use case**: Choose **Redshift - Scheduler**.
+ Create or attach a policy to the role that allows an Amazon Redshift operation to be scheduled. Choose **Create policy** or modify the role to attach a policy. Enter the JSON policy for the operation that is to be scheduled. 
+ After you create the role, edit the **Trust Relationship** of the IAM role to include the service `redshift.amazonaws.com`.

The IAM role you create has trusted entities of `scheduler.redshift.amazonaws.com` and `redshift.amazonaws.com`. It also has an attached policy that allows a supported Amazon Redshift API action, such as `"redshift:ResizeCluster"`. 

## Permissions required to use the Amazon EventBridge scheduler
<a name="iam-permission-eventbridge-scheduler"></a>

When you use the Amazon EventBridge scheduler, you set up an IAM role with a trust relationship to the EventBridge scheduler (**events.amazonaws.com**) to allow the scheduler to assume permissions on your behalf. You also attach a policy (permissions) to the role for the Amazon Redshift Data API operations that you want to schedule and a policy for Amazon EventBridge operations.

You use the EventBridge scheduler when you create scheduled queries with the Amazon Redshift query editor on the console. 

You can create an IAM role to run scheduled queries on the IAM console. In this IAM role, attach `AmazonEventBridgeFullAccess` and `AmazonRedshiftDataFullAccess`. 

The following example shows the policy document in JSON format to set up a trust relationship with the EventBridge scheduler. 

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "events.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```

------

For more information about trust entities, see [Creating a role to delegate permissions to an Amazon service](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *IAM User Guide*.

For the steps to create a role for the EventBridge scheduler, see [Creating a role for an Amazon service (console)](https://docs.amazonaws.cn/IAM/latest/UserGuide/id_roles_create_for-service.html#roles-creatingrole-service-console) in the *IAM User Guide*. Make these choices when you create a role in the IAM console: 
+ For **Choose the service that will use this role**: Choose **CloudWatch Events**.
+ For **Select your use case**: Choose **CloudWatch Events**.
+ Attach the following permission policies: `AmazonEventBridgeFullAccess` and `AmazonRedshiftDataFullAccess`. 

The IAM role that you create has a trusted entity of `events.amazonaws.com`. It also has an attached policy that allows supported Amazon Redshift Data API actions, such as `"redshift-data:*"`. 
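Both scheduler sections above end with a statement of which service principals the role must trust, and the Amazon Redshift scheduler procedure adds `redshift.amazonaws.com` only as a final manual edit, which is easy to skip. The following Python is an added check written for this page (not an Amazon tool) that reads a role's trust policy document and reports which required service principals are missing, and whether the role trusts a wildcard principal. The two trust policies from the text are embedded verbatim; `CONSOLE_DEFAULT_TRUST` is a constructed document representing the role before that last edit.

```python
import json

# Service principals each scheduler role must trust, per the two sections above.
REDSHIFT_SCHEDULER_SERVICES = {"scheduler.redshift.amazonaws.com", "redshift.amazonaws.com"}
EVENTBRIDGE_SCHEDULER_SERVICES = {"events.amazonaws.com"}

# Trust policy from the Amazon Redshift scheduler section.
REDSHIFT_SCHEDULER_TRUST = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": ["scheduler.redshift.amazonaws.com", "redshift.amazonaws.com"]},
    "Action": "sts:AssumeRole"
  }]
}"""

# Constructed: the role before the final step that adds redshift.amazonaws.com.
CONSOLE_DEFAULT_TRUST = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "scheduler.redshift.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}"""

# Trust policy from the EventBridge scheduler section.
EVENTBRIDGE_TRUST = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": ["events.amazonaws.com"]},
    "Action": "sts:AssumeRole"
  }]
}"""


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trusted_services(trust_policy):
    """Service principals the policy lets assume the role.

    Only statements whose Action covers sts:AssumeRole count. Deny statements remove
    the services they name exactly, and a wildcard principal is reported as "*".
    """
    allowed, denied = set(), set()
    for stmt in trust_policy.get("Statement", []):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            services = {"*"}
        elif isinstance(principal, dict):
            services = set(_as_list(principal.get("Service", [])))
        else:
            services = set()
        target = allowed if stmt.get("Effect") == "Allow" else denied
        target.update(services)
    return allowed - denied


def missing_trusted_services(trust_policy, required):
    """Required services the trust policy does not let assume the role."""
    return set(required) - trusted_services(trust_policy)


def audit_trust_policy(trust_policy_json, required):
    """Summarise a trust policy document against the services a scheduler role needs."""
    policy = json.loads(trust_policy_json)
    trusted = trusted_services(policy)
    missing = set(required) - trusted
    return {
        "trusted": sorted(trusted),
        "missing": sorted(missing),
        "wildcard_principal": "*" in trusted,
        "ok": not missing and "*" not in trusted,
    }


if __name__ == "__main__":
    for name, text, required in [
        ("redshift-scheduler", REDSHIFT_SCHEDULER_TRUST, REDSHIFT_SCHEDULER_SERVICES),
        ("console-default", CONSOLE_DEFAULT_TRUST, REDSHIFT_SCHEDULER_SERVICES),
        ("eventbridge-scheduler", EVENTBRIDGE_TRUST, EVENTBRIDGE_SCHEDULER_SERVICES),
    ]:
        print(name, audit_trust_policy(text, required))
```

The `console-default` case reports `redshift.amazonaws.com` as missing, which is the symptom of skipping the last step of the Amazon Redshift scheduler procedure. The wildcard flag is there because a role trust policy with `"Principal": "*"` lets any principal assume the role, which is never what a scheduler role needs.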

## Permissions required to use Amazon Redshift machine learning (ML)
<a name="iam-permission-ml"></a>

Following, you can find a description of the permissions required to use Amazon Redshift machine learning (ML) for different use cases.

For your users to use Amazon Redshift ML with Amazon SageMaker AI, create an IAM role with a more restrictive policy than the default. You can use the following policy, and modify it to meet your needs.

The following policy shows the permissions required to run SageMaker AI Autopilot with model explainability from Amazon Redshift.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateTrainingJob",
                "sagemaker:CreateAutoMLJob",
                "sagemaker:CreateCompilationJob",
                "sagemaker:CreateEndpoint",
                "sagemaker:DescribeAutoMLJob",
                "sagemaker:DescribeTrainingJob",
                "sagemaker:DescribeCompilationJob",
                "sagemaker:DescribeProcessingJob",
                "sagemaker:DescribeTransformJob",
                "sagemaker:ListCandidatesForAutoMLJob",
                "sagemaker:StopAutoMLJob",
                "sagemaker:StopCompilationJob",
                "sagemaker:StopTrainingJob",
                "sagemaker:DescribeEndpoint",
                "sagemaker:InvokeEndpoint",
                "sagemaker:StopProcessingJob",
                "sagemaker:CreateModel",
                "sagemaker:CreateProcessingJob"
            ],
            "Resource": [
                "arn:aws-cn:sagemaker:*:*:model/*redshift*",
                "arn:aws-cn:sagemaker:*:*:training-job/*redshift*",
                "arn:aws-cn:sagemaker:*:*:automl-job/*redshift*",
                "arn:aws-cn:sagemaker:*:*:compilation-job/*redshift*",
                "arn:aws-cn:sagemaker:*:*:processing-job/*redshift*",
                "arn:aws-cn:sagemaker:*:*:transform-job/*redshift*",
                "arn:aws-cn:sagemaker:*:*:endpoint/*redshift*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:DescribeLogStreams",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws-cn:logs:*:*:log-group:/aws/sagemaker/Endpoints/*redshift*",
                "arn:aws-cn:logs:*:*:log-group:/aws/sagemaker/ProcessingJobs/*redshift*",
                "arn:aws-cn:logs:*:*:log-group:/aws/sagemaker/TrainingJobs/*redshift*",
                "arn:aws-cn:logs:*:*:log-group:/aws/sagemaker/TransformJobs/*redshift*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "cloudwatch:namespace": [
                        "SageMaker",
                        "/aws/sagemaker/Endpoints",
                        "/aws/sagemaker/ProcessingJobs",
                        "/aws/sagemaker/TrainingJobs",
                        "/aws/sagemaker/TransformJobs"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage",
                "ecr:GetAuthorizationToken",
                "ecr:GetDownloadUrlForLayer"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetBucketAcl",
                "s3:GetBucketCors",
                "s3:GetEncryptionConfiguration",
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:ListAllMyBuckets",
                "s3:ListMultipartUploadParts",
                "s3:ListBucketMultipartUploads",
                "s3:PutObject",
                "s3:PutBucketAcl",
                "s3:PutBucketCors",
                "s3:DeleteObject",
                "s3:AbortMultipartUpload",
                "s3:CreateBucket"
            ],
            "Resource": [
                "arn:aws-cn:s3:::redshift-downloads",
                "arn:aws-cn:s3:::redshift-downloads/*",
                "arn:aws-cn:s3:::*redshift*",
                "arn:aws-cn:s3:::*redshift*/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetBucketAcl",
                "s3:GetBucketCors",
                "s3:GetEncryptionConfiguration",
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:ListAllMyBuckets",
                "s3:ListMultipartUploadParts",
                "s3:ListBucketMultipartUploads",
                "s3:PutObject",
                "s3:PutBucketAcl",
                "s3:PutBucketCors",
                "s3:DeleteObject",
                "s3:AbortMultipartUpload",
                "s3:CreateBucket"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "s3:ExistingObjectTag/Redshift": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "arn:aws-cn:iam::*:role/*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "redshift.amazonaws.com",
                        "sagemaker.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
```

------

The following policy shows the minimal permissions required to allow access to Amazon DynamoDB, Redshift Spectrum, and Amazon RDS federation.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateTrainingJob",
                "sagemaker:CreateAutoMLJob",
                "sagemaker:CreateCompilationJob",
                "sagemaker:CreateEndpoint",
                "sagemaker:DescribeAutoMLJob",
                "sagemaker:DescribeTrainingJob",
                "sagemaker:DescribeCompilationJob",
                "sagemaker:DescribeProcessingJob",
                "sagemaker:DescribeTransformJob",
                "sagemaker:ListCandidatesForAutoMLJob",
                "sagemaker:StopAutoMLJob",
                "sagemaker:StopCompilationJob",
                "sagemaker:StopTrainingJob",
                "sagemaker:DescribeEndpoint",
                "sagemaker:InvokeEndpoint",
                "sagemaker:StopProcessingJob",
                "sagemaker:CreateModel",
                "sagemaker:CreateProcessingJob"
            ],
            "Resource": [
                "arn:aws-cn:sagemaker:*:*:model/*redshift*",
                "arn:aws-cn:sagemaker:*:*:training-job/*redshift*",
                "arn:aws-cn:sagemaker:*:*:automl-job/*redshift*",
                "arn:aws-cn:sagemaker:*:*:compilation-job/*redshift*",
                "arn:aws-cn:sagemaker:*:*:processing-job/*redshift*",
                "arn:aws-cn:sagemaker:*:*:transform-job/*redshift*",
                "arn:aws-cn:sagemaker:*:*:endpoint/*redshift*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:DescribeLogStreams",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws-cn:logs:*:*:log-group:/aws/sagemaker/Endpoints/*redshift*",
                "arn:aws-cn:logs:*:*:log-group:/aws/sagemaker/ProcessingJobs/*redshift*",
                "arn:aws-cn:logs:*:*:log-group:/aws/sagemaker/TrainingJobs/*redshift*",
                "arn:aws-cn:logs:*:*:log-group:/aws/sagemaker/TransformJobs/*redshift*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "cloudwatch:namespace": [
                        "SageMaker",
                        "/aws/sagemaker/Endpoints",
                        "/aws/sagemaker/ProcessingJobs",
                        "/aws/sagemaker/TrainingJobs",
                        "/aws/sagemaker/TransformJobs"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage",
                "ecr:GetAuthorizationToken",
                "ecr:GetDownloadUrlForLayer"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetBucketAcl",
                "s3:GetBucketCors",
                "s3:GetEncryptionConfiguration",
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:ListAllMyBuckets",
                "s3:ListMultipartUploadParts",
                "s3:ListBucketMultipartUploads",
                "s3:PutObject",
                "s3:PutBucketAcl",
                "s3:PutBucketCors",
                "s3:DeleteObject",
                "s3:AbortMultipartUpload",
                "s3:CreateBucket"
            ],
            "Resource": [
                "arn:aws-cn:s3:::redshift-downloads",
                "arn:aws-cn:s3:::redshift-downloads/*",
                "arn:aws-cn:s3:::*redshift*",
                "arn:aws-cn:s3:::*redshift*/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetBucketAcl",
                "s3:GetBucketCors",
                "s3:GetEncryptionConfiguration",
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:ListAllMyBuckets",
                "s3:ListMultipartUploadParts",
                "s3:ListBucketMultipartUploads",
                "s3:PutObject",
                "s3:PutBucketAcl",
                "s3:PutBucketCors",
                "s3:DeleteObject",
                "s3:AbortMultipartUpload",
                "s3:CreateBucket"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "s3:ExistingObjectTag/Redshift": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:Scan",
                "dynamodb:DescribeTable",
                "dynamodb:Getitem"
            ],
            "Resource": [
                "arn:aws-cn:dynamodb:*:*:table/*redshift*",
                "arn:aws-cn:dynamodb:*:*:table/*redshift*/index/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticmapreduce:ListInstances"
            ],
            "Resource": [
                "arn:aws-cn:elasticmapreduce:*:*:cluster/*redshift*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticmapreduce:ListInstances"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "elasticmapreduce:ResourceTag/Redshift": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": "arn:aws-cn:lambda:*:*:function:*redshift*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "glue:CreateDatabase",
                "glue:DeleteDatabase",
                "glue:GetDatabase",
                "glue:GetDatabases",
                "glue:UpdateDatabase",
                "glue:CreateTable",
                "glue:DeleteTable",
                "glue:BatchDeleteTable",
                "glue:UpdateTable",
                "glue:GetTable",
                "glue:GetTables",
                "glue:BatchCreatePartition",
                "glue:CreatePartition",
                "glue:DeletePartition",
                "glue:BatchDeletePartition",
                "glue:UpdatePartition",
                "glue:GetPartition",
                "glue:GetPartitions",
                "glue:BatchGetPartition"
            ],
            "Resource": [
                "arn:aws-cn:glue:*:*:table/*redshift*/*",
                "arn:aws-cn:glue:*:*:catalog",
                "arn:aws-cn:glue:*:*:database/*redshift*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:ListSecretVersionIds"
            ],
            "Resource": [
                "arn:aws-cn:secretsmanager:*:*:secret:*redshift*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetRandomPassword",
                "secretsmanager:ListSecrets"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "secretsmanager:ResourceTag/Redshift": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "arn:aws-cn:iam::*:role/*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "redshift.amazonaws.com",
                        "glue.amazonaws.com",
                        "sagemaker.amazonaws.com",
                        "athena.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
```

------

Optionally, to use an Amazon KMS key for encryption, add the following permissions to the policy.

```
{
    "Effect": "Allow",
    "Action": [
        "kms:CreateGrant",
        "kms:Decrypt",
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:GenerateDataKey*"
    ],
    "Resource": [
        "arn:aws:kms:<your-region>:<your-account-id>:key/<your-kms-key>"
    ]
}
```

To allow Amazon Redshift and SageMaker AI to assume the preceding IAM role to interact with other services, add the following trust policy to the role.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "redshift.amazonaws.com",
          "sagemaker.amazonaws.com",
          "forecast.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

------

In the preceding policies, the Amazon S3 bucket `redshift-downloads/redshift-ml/` is the location where the sample data used for other steps and examples is stored. You can remove this bucket if you don't need to load data from Amazon S3, or replace it with other Amazon S3 buckets that you use to load data into Amazon Redshift. 

The **your-account-id**, **your-role**, and **your-s3-bucket** values are the account ID, role, and bucket that you specify in your CREATE MODEL command.

Optionally, you can use the Amazon KMS keys section of the sample policy if you specify an Amazon KMS key for use with Amazon Redshift ML. The **your-kms-key** value is the key that you use as part of your CREATE MODEL command.
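The two Amazon Redshift ML policies above scope most grants in one of two ways: by a resource name containing the substring `redshift` (patterns such as `arn:aws-cn:sagemaker:*:*:model/*redshift*` and `arn:aws-cn:s3:::*redshift*/*`) or by a tag condition (`s3:ExistingObjectTag/Redshift`). A bucket or model named without that substring is reachable only through the tag-conditioned statement, so it helps to check which statements would cover a given ARN before relying on the policy. The following Python is an added example written for this page, not an Amazon tool: it implements IAM's `*`/`?` pattern matching for resources and actions, runs it over a shortened excerpt of the policy (a subset of its actions, statements kept in the original order), and flags statements that depend on a Condition rather than evaluating it. The account ID and resource names in `SAMPLE_REQUESTS` are constructed.

```python
import re


def _as_list(value):
    return value if isinstance(value, list) else [value]


def iam_glob_to_regex(pattern):
    """IAM resource and action patterns: '*' matches any run of characters (including
    ':' and '/'), '?' matches exactly one character, everything else is literal."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$")


def resource_matches(pattern, arn):
    """ARN matching is case-sensitive."""
    return iam_glob_to_regex(pattern).match(arn) is not None


def action_matches(pattern, action):
    """Action-name matching is case-insensitive."""
    return iam_glob_to_regex(pattern.lower()).match(action.lower()) is not None


def matching_statements(policy, action, arn):
    """(index, has_condition) for each Allow statement whose Action and Resource cover the
    request. Conditions are flagged, not evaluated, so the caller can see which grants
    depend on a tag such as s3:ExistingObjectTag/Redshift rather than on the name."""
    hits = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(action_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if any(resource_matches(p, arn) for p in _as_list(stmt["Resource"])):
            hits.append((i, "Condition" in stmt))
    return hits


# Excerpt of the Amazon Redshift ML policy above (subset of actions, original order):
# statement 0 = SageMaker by name, 1 = S3 by bucket name, 2 = S3 by object tag.
ML_POLICY_EXCERPT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["sagemaker:CreateTrainingJob", "sagemaker:CreateModel", "sagemaker:CreateEndpoint"],
     "Resource": ["arn:aws-cn:sagemaker:*:*:model/*redshift*",
                  "arn:aws-cn:sagemaker:*:*:training-job/*redshift*",
                  "arn:aws-cn:sagemaker:*:*:endpoint/*redshift*"]},
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
     "Resource": ["arn:aws-cn:s3:::redshift-downloads", "arn:aws-cn:s3:::redshift-downloads/*",
                  "arn:aws-cn:s3:::*redshift*", "arn:aws-cn:s3:::*redshift*/*"]},
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
     "Resource": "*",
     "Condition": {"StringEqualsIgnoreCase": {"s3:ExistingObjectTag/Redshift": "true"}}},
]}

# Constructed requests: the account ID and the model, bucket and object names are placeholders.
SAMPLE_REQUESTS = [
    ("sagemaker:CreateModel", "arn:aws-cn:sagemaker:cn-north-1:123456789012:model/redshift-churn"),
    ("sagemaker:CreateModel", "arn:aws-cn:sagemaker:cn-north-1:123456789012:model/churn"),
    ("s3:GetObject", "arn:aws-cn:s3:::redshift-downloads/redshift-ml/data.csv"),
    ("s3:GetObject", "arn:aws-cn:s3:::analytics-input/data.csv"),
]

if __name__ == "__main__":
    for action, arn in SAMPLE_REQUESTS:
        print(action, arn, "->", matching_statements(ML_POLICY_EXCERPT, action, arn))
```

The `model/churn` request matches nothing: a SageMaker model whose name lacks `redshift` is outside the policy entirely. The `analytics-input` object is covered only by statement 2, flagged as conditional, so access depends on the object carrying the `Redshift=true` tag. That is the behaviour to expect when you point CREATE MODEL at a bucket of your own.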

When you specify a private virtual private cloud (VPC) for a hyperparameter tuning job, add the following permissions.

```
{
    "Effect": "Allow",
    "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:CreateNetworkInterfacePermission",
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteNetworkInterfacePermission",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeVpcs",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups"
    ],
    "Resource": "*"
}
```

To work with model explanation, make sure that you have the permissions to call SageMaker AI API operations. We recommend that you use the `AmazonSageMakerFullAccess` managed policy. If you want to create an IAM role with a more restrictive policy, use the following policy.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateEndpoint",
        "sagemaker:CreateEndpointConfig",
        "sagemaker:DeleteEndpoint",
        "sagemaker:DeleteEndpointConfig",
        "sagemaker:DescribeEndpoint",
        "sagemaker:DescribeEndpointConfig",
        "sagemaker:DescribeModel",
        "sagemaker:InvokeEndpoint",
        "sagemaker:ListTags"
      ],
      "Resource": "*"
    }
  ]
}
```

------

For more information about the `AmazonSageMakerFullAccess` managed policy, see [AmazonSageMakerFullAccess](https://docs.amazonaws.cn/sagemaker/latest/dg/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonSageMakerFullAccess) in the *Amazon SageMaker AI Developer Guide*.

If you want to create Forecast models, we recommend that you use the `AmazonForecastFullAccess` managed policy. If you want to use a more restrictive policy, add the following policy to your IAM role.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "forecast:CreateAutoPredictor",
                "forecast:CreateDataset",
                "forecast:CreateDatasetGroup",
                "forecast:CreateDatasetImportJob",
                "forecast:CreateForecast",
                "forecast:CreateForecastExportJob",
                "forecast:DeleteResourceTree",
                "forecast:DescribeAutoPredictor",
                "forecast:DescribeDataset",
                "forecast:DescribeDatasetGroup",
                "forecast:DescribeDatasetImportJob",
                "forecast:DescribeForecast",
                "forecast:DescribeForecastExportJob",
                "forecast:StopResource",
                "forecast:TagResource",
                "forecast:UpdateDatasetGroup"
             ],
             "Resource": "*"
         }
    ]
}
```

------

If you want to create Amazon Bedrock models, we recommend that you use the `AmazonBedrockFullAccess` managed policy. If you want to use a more restrictive policy, add the following policy to your IAM role.

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "bedrock:InvokeModel",
            "Resource": [
                "*",
                "arn:aws-cn:bedrock:us-east-1::foundation-model/*"
            ]
        }
    ]
}
```

------

For more information about Amazon Redshift ML, see [Using machine learning in Amazon Redshift](https://docs.amazonaws.cn/redshift/latest/dg/machine_learning.html), [CREATE MODEL](https://docs.amazonaws.cn/redshift/latest/dg/r_CREATE_MODEL.html), or [CREATE EXTERNAL MODEL](https://docs.amazonaws.cn/redshift/latest/dg/r_create_external_model.html).

## Permissions for streaming ingestion
<a name="iam-permission-streaming-ingestion"></a>

Streaming ingestion works with two services: Kinesis Data Streams and Amazon MSK.

### Permissions required to use streaming ingestion with Kinesis Data Streams
<a name="iam-permission-streaming-ingestion-kinesis"></a>

A procedure with a managed-policy example is available at [Getting started with streaming ingestion from Amazon Kinesis Data Streams](https://docs.amazonaws.cn/redshift/latest/dg/materialized-view-streaming-ingestion-getting-started.html).

### Permissions required to use streaming ingestion with Amazon MSK
<a name="iam-permission-streaming-ingestion-kafka"></a>

A procedure with a managed-policy example is available at [Getting started with streaming ingestion from Amazon Managed Streaming for Apache Kafka](https://docs.amazonaws.cn/redshift/latest/dg/materialized-view-streaming-ingestion-getting-started-MSK.html).

## Permissions required to use the data sharing API operations
<a name="iam-permission-datasharing"></a>

To control access to the data sharing API operations, use IAM action-based policies. For information about how to manage IAM policies, see [Managing IAM policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/access_policies_manage.html) in the *IAM User Guide*.

In particular, suppose that a producer cluster administrator needs to use the `AuthorizeDataShare` call to authorize egress for a datashare outside of an Amazon Web Services account. In this case, you set up an IAM action-based policy to grant this permission. Use the `DeauthorizeDataShare` call to revoke egress.

When using IAM action-based policies, you can also specify an IAM resource in the policy, such as `DataShareARN`. The following shows the format and an example for `DataShareARN`.

```
arn:aws:redshift:region:account-id:datashare:namespace-guid/datashare-name
arn:aws:redshift:us-east-1:555555555555:datashare:86b5169f-01dc-4a6f-9fbb-e2e24359e9a8/SalesShare
```

You can restrict `AuthorizeDataShare` access to a specific datashare by specifying the datashare name in the IAM policy.

```
{
  "Statement": [
    {
      "Action": [
        "redshift:AuthorizeDataShare"
      ],
      "Resource": [
        "arn:aws:redshift:us-east-1:555555555555:datashare:86b5169f-01dc-4a6f-9fbb-e2e24359e9a8/SalesShare"
      ],
      "Effect": "Deny"
    }
  ]
}
```

You can also restrict the IAM policy to all datashares owned by a specific producer cluster. To do this, replace the **datashare-name** value in the policy with a wildcard (`*`) and keep the cluster's `namespace-guid` value.

```
arn:aws:redshift:us-east-1:555555555555:datashare:86b5169f-01dc-4a6f-9fbb-e2e24359e9a8/*
```

Following is an IAM policy that prevents an entity from calling `AuthorizeDataShare` on the datashares owned by a specific producer cluster. 

```
{
  "Statement": [
    {
      "Action": [
        "redshift:AuthorizeDataShare"
      ],
      "Resource": [
        "arn:aws:redshift:us-east-1:555555555555:datashare:86b5169f-01dc-4a6f-9fbb-e2e24359e9a8/*"
      ],
      "Effect": "Deny"
    }
  ]
}
```

`DataShareARN` restricts access based on both the datashare name and the globally unique ID (GUID) of the owning cluster's namespace. Specifying an asterisk for the name keeps the restriction on the namespace GUID while matching every datashare in that namespace.

## Resource policies for GetClusterCredentials
<a name="redshift-policy-resources.getclustercredentials-resources"></a>

To connect to a cluster database using a JDBC or ODBC connection with IAM database credentials, or to programmatically call the `GetClusterCredentials` action, you need permission to call the `redshift:GetClusterCredentials` action with access to a `dbuser` resource.

If you use a JDBC or ODBC connection, instead of `server` and `port` you can specify `cluster_id` and `region`, but to do so your policy must permit the `redshift:DescribeClusters` action with access to the `cluster` resource. 

If you call `GetClusterCredentials` with the optional parameters `Autocreate`, `DbGroups`, and `DbName`, make sure to also allow the actions and permit access to the resources listed in the following table.

[\[See the AWS documentation website for more details\]](http://docs.amazonaws.cn/en_us/redshift/latest/mgmt/redshift-iam-access-control-identity-based.html)

For more information about resources, see [Amazon Redshift resources and operations](redshift-iam-access-control-overview.md#redshift-iam-accesscontrol.actions-and-resources).

You can also include the following conditions in your policy:
+ `redshift:DurationSeconds`
+ `redshift:DbName`
+ `redshift:DbUser`

**Important**  
For SAML SSO integrations, you may be required to specify an IAM policy that uses the `${redshift:DbUser}` variable. In those cases, we strongly recommend a condition statement that ensures a caller cannot obtain credentials for a user that does not match their Amazon user ID, for example `"StringEquals": {"aws:userid":"AIDIODR4TAW7CSEXAMPLE:${redshift:DbUser}"}`. See [Example 8: IAM policy for using GetClusterCredentials](#redshift-policy-examples-getclustercredentials). For more information about conditions, see [Specifying conditions in a policy](redshift-iam-access-control-overview.md#redshift-policy-resources.specifying-conditions).

## Customer managed policy examples
<a name="redshift-iam-accesscontrol.examples"></a>

In this section, you can find example user policies that grant permissions for various Amazon Redshift actions. These policies work when you are using the Amazon Redshift API, Amazon SDKs, or the Amazon CLI. 

**Note**  
All examples use the US West (Oregon) Region (`us-west-2`) and contain fictitious account IDs.

### Example 1: Allow user full access to all Amazon Redshift actions and resources
<a name="redshift-policy-example-allow-full-access"></a>

The following policy allows access to all Amazon Redshift actions on all resources. 

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Sid":"AllowRedshift",
      "Action": [
        "redshift:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```

------

The value `redshift:*` in the `Action` element indicates all of the actions in Amazon Redshift.

### Example 2: Deny a user access to a set of Amazon Redshift actions
<a name="redshift-policy-example-deny-specific-actions"></a>

By default, all permissions are denied. However, sometimes you need to explicitly deny access to a specific action or set of actions. The following policy allows access to all the Amazon Redshift actions and explicitly denies access to any Amazon Redshift action where the name starts with `Delete`. This policy applies to all Amazon Redshift resources in `us-west-2`.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Sid":"AllowUSWest2Region",
      "Action": [
        "redshift:*"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws-cn:redshift:us-west-2:111122223333:*"
    },
    {
      "Sid":"DenyDeleteUSWest2Region",
      "Action": [
        "redshift:Delete*"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws-cn:redshift:us-west-2:111122223333:*"
    }
  ]
}
```

------

### Example 3: Allow a user to manage clusters
<a name="redshift-policy-example-allow-manage-clusters"></a>

The following policy allows a user to create, delete, modify, and reboot all clusters, and then denies permission to delete any clusters where the cluster name starts with `protected`.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Sid":"AllowClusterManagement",
      "Action": [
        "redshift:CreateCluster",
        "redshift:DeleteCluster",
        "redshift:ModifyCluster",
        "redshift:RebootCluster"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Sid":"DenyDeleteProtected",
      "Action": [
        "redshift:DeleteCluster"
      ],
      "Resource": [
        "arn:aws-cn:redshift:us-west-2:123456789012:cluster:protected*"
      ],
      "Effect": "Deny"
    }
  ]
}
```

------
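The evaluation rules that the datashare policies above and Examples 2 and 3 rely on (every request is denied unless an Allow matches, and an explicit Deny wins over any Allow, whatever the statement order) can be seen in action with a small evaluator. The following Python is an added example, not AWS code and not the IAM policy simulator: it models only default deny, Deny-over-Allow and `*`/`?` wildcards in `Action` and `Resource`, and ignores conditions, policy variables, `NotAction`, `NotResource` and any policy type other than identity policies. The policies it evaluates are copied from this page; the `CONSTRUCTED-OTHER-GUID` namespace is a made-up value.

```python
"""IAM-style evaluator for the Redshift policies on this page.

Added example, not AWS code. It models only what these examples rely on:
default (implicit) deny, explicit Deny overriding any Allow, and '*' / '?'
wildcards in Action and Resource. Conditions, policy variables, NotAction,
NotResource, SCPs and resource-based policies are out of scope.
"""
import re


def _wildcard_to_regex(pattern: str) -> re.Pattern:
    """'*' matches any run of characters (including ':' and '/'), '?' one
    character; everything else is matched literally."""
    out = []
    for ch in pattern:
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(out) + "$", re.DOTALL)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(statement, action: str, resource: str) -> bool:
    # Action names are case-insensitive in IAM; resource ARNs are not.
    actions = (_wildcard_to_regex(a.lower()) for a in _as_list(statement.get("Action", [])))
    if not any(rx.match(action.lower()) for rx in actions):
        return False
    resources = (_wildcard_to_regex(r) for r in _as_list(statement.get("Resource", [])))
    return any(rx.match(resource) for rx in resources)


def evaluate(policies, action: str, resource: str) -> str:
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request,
    given every identity policy attached to the caller."""
    decision = "ImplicitDeny"
    for policy in policies:
        for st in _as_list(policy.get("Statement", [])):
            if not _statement_matches(st, action, resource):
                continue
            if st.get("Effect") == "Deny":
                return "ExplicitDeny"  # a matching Deny wins regardless of order
            if st.get("Effect") == "Allow":
                decision = "Allow"
    return decision


# Sample policies copied from this page: a broad Allow, the datashare Deny
# scoped to one producer namespace GUID, and Example 3's protected clusters.
ALLOW_ALL_REDSHIFT = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowRedshift", "Effect": "Allow",
                   "Action": ["redshift:*"], "Resource": "*"}],
}
PRODUCER_NS = "arn:aws:redshift:us-east-1:555555555555:datashare:86b5169f-01dc-4a6f-9fbb-e2e24359e9a8"
DENY_PRODUCER_DATASHARES = {
    "Statement": [{"Effect": "Deny", "Action": ["redshift:AuthorizeDataShare"],
                   "Resource": [PRODUCER_NS + "/*"]}],
}
EXAMPLE_3 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowClusterManagement", "Effect": "Allow",
         "Action": ["redshift:CreateCluster", "redshift:DeleteCluster",
                    "redshift:ModifyCluster", "redshift:RebootCluster"],
         "Resource": ["*"]},
        {"Sid": "DenyDeleteProtected", "Effect": "Deny",
         "Action": ["redshift:DeleteCluster"],
         "Resource": ["arn:aws-cn:redshift:us-west-2:123456789012:cluster:protected*"]},
    ],
}


def main():
    cluster = "arn:aws-cn:redshift:us-west-2:123456789012:cluster:"
    # CONSTRUCTED-OTHER-GUID is a made-up namespace outside the denied producer.
    other_ns = "arn:aws:redshift:us-east-1:555555555555:datashare:CONSTRUCTED-OTHER-GUID"
    cases = [
        ([ALLOW_ALL_REDSHIFT, DENY_PRODUCER_DATASHARES], "redshift:AuthorizeDataShare", PRODUCER_NS + "/SalesShare"),
        ([ALLOW_ALL_REDSHIFT, DENY_PRODUCER_DATASHARES], "redshift:AuthorizeDataShare", other_ns + "/SalesShare"),
        ([EXAMPLE_3], "redshift:DeleteCluster", cluster + "protected-prod"),
        ([EXAMPLE_3], "redshift:RebootCluster", cluster + "protected-prod"),
        ([EXAMPLE_3], "redshift:DescribeClusters", cluster + "protected-prod"),
    ]
    for policies, action, resource in cases:
        print(f"{evaluate(policies, action, resource):13} {action} {resource}")


if __name__ == "__main__":
    main()
```

Running `main()` shows the three outcomes side by side: the producer's `SalesShare` is explicitly denied even though `redshift:*` is allowed, the same datashare name under another namespace GUID is allowed, and `DescribeClusters` under Example 3 is implicitly denied because nothing grants it.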

### Example 4: Allow a user to authorize and revoke snapshot access
<a name="redshift-policy-example-allow-authorize-revoke-snapshot"></a>

The following policy allows a user, for example User A, to do the following:
+ Authorize access to any snapshot created from a cluster named `shared`.
+ Revoke snapshot access for any snapshot created from the `shared` cluster where the snapshot name starts with `revokable`.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Sid":"AllowSharedSnapshots",
      "Action": [
        "redshift:AuthorizeSnapshotAccess"
      ],
      "Resource": [
        "arn:aws-cn:redshift:us-west-2:123456789012:snapshot:shared/*"
      ],
      "Effect": "Allow"
    },
    {
      "Sid":"AllowRevokableSnapshot",
      "Action": [
        "redshift:RevokeSnapshotAccess"
      ],
      "Resource": [
        "arn:aws-cn:redshift:us-west-2:123456789012:snapshot:*/revokable*"
      ],
      "Effect": "Allow"
    }
  ]
}
```

------

If User A has allowed User B to access a snapshot, User B must have a policy such as the following to restore a cluster from that snapshot. The policy allows User B to describe and restore from snapshots, and to create clusters whose names start with `from-other-account`.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Sid":"AllowDescribeSnapshots",
      "Action": [
        "redshift:DescribeClusterSnapshots"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Sid":"AllowUserRestoreFromSnapshot",
      "Action": [
        "redshift:RestoreFromClusterSnapshot"
      ],
      "Resource": [
        "arn:aws-cn:redshift:us-west-2:123456789012:snapshot:*/*",
        "arn:aws-cn:redshift:us-west-2:444455556666:cluster:from-other-account*"
      ],
      "Effect": "Allow"
    }
  ]
}
```

------

### Example 5: Allow a user to copy a cluster snapshot and restore a cluster from a snapshot
<a name="redshift-policy-example-allow-copy-restore-snapshot"></a>

The following policy allows a user to copy any snapshot created from the cluster named `big-cluster-1`, and restore any snapshot where the snapshot name starts with `snapshot-for-restore`.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Sid":"AllowCopyClusterSnapshot",
      "Action": [
        "redshift:CopyClusterSnapshot"
      ],
      "Resource": [
        "arn:aws-cn:redshift:us-west-2:123456789012:snapshot:big-cluster-1/*"
      ],
      "Effect": "Allow"
    },
    {
      "Sid":"AllowRestoreFromClusterSnapshot",
      "Action": [
        "redshift:RestoreFromClusterSnapshot"
      ],
      "Resource": [
        "arn:aws-cn:redshift:us-west-2:123456789012:snapshot:*/snapshot-for-restore*",
        "arn:aws-cn:redshift:us-west-2:123456789012:cluster:*"
      ],
      "Effect": "Allow"
    }
  ]
}
```

------

### Example 6: Allow a user access to Amazon Redshift, and common actions and resources for related Amazon services
<a name="redshift-policy-example-allow-related-services"></a>

The following example policy allows access to all actions and resources for Amazon Redshift, Amazon Simple Notification Service (Amazon SNS), and Amazon CloudWatch. It also allows specified actions on all related Amazon EC2 resources under the account.

**Note**  
Resource-level permissions are not supported for the Amazon EC2 actions that are specified in this example policy.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Sid":"AllowRedshift",
      "Effect": "Allow",
      "Action": [
        "redshift:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid":"AllowSNS",
      "Effect": "Allow",
      "Action": [
        "sns:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid":"AllowCloudWatch",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid":"AllowEC2Actions",
      "Effect": "Allow",
      "Action": [
        "ec2:AllocateAddress",
        "ec2:AssociateAddress",
        "ec2:AttachNetworkInterface",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAddresses",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```

------

### Example 7: Allow a user to tag resources with the Amazon Redshift console
<a name="redshift-policy-example-allow-tagging-with-console"></a>

The following example policy allows a user to tag resources with the Amazon Redshift console using Amazon Resource Groups. This policy can be attached to a user role that invokes the new or original Amazon Redshift console. For more information about tagging, see [Tag resources in Amazon Redshift](amazon-redshift-tagging.md).

------
#### [ JSON ]

****  

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid":"TaggingPermissions",
            "Effect": "Allow",
            "Action": [
                "redshift:DeleteTags",
                "redshift:CreateTags",
                "redshift:DescribeTags",
                "tag:UntagResources",
                "tag:TagResources"
            ],
            "Resource": "*"
        }
    ]
}
```

------

### Example 8: IAM policy for using GetClusterCredentials
<a name="redshift-policy-examples-getclustercredentials"></a>

The following policy uses these sample parameter values:
+ Region: `us-west-2` 
+ Amazon Account: `123456789012` 
+ Cluster name: `examplecluster` 

The following policy enables the `GetClusterCredentials`, `CreateClusterUser`, and `JoinGroup` actions. It uses condition keys to allow the `GetClusterCredentials` and `CreateClusterUser` actions only when the Amazon user ID matches `"AIDIODR4TAW7CSEXAMPLE:${redshift:DbUser}@yourdomain.com"`. IAM access is requested for the `"testdb"` database only. The policy also allows users to join a group named `"common_group"`.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Sid":"GetClusterCredsStatement",
      "Effect": "Allow",
      "Action": [
        "redshift:GetClusterCredentials"
      ],
      "Resource": [
        "arn:aws-cn:redshift:us-west-2:123456789012:dbuser:examplecluster/${redshift:DbUser}",
        "arn:aws-cn:redshift:us-west-2:123456789012:dbname:examplecluster/testdb",
        "arn:aws-cn:redshift:us-west-2:123456789012:dbgroup:examplecluster/common_group"
      ],
      "Condition": {
        "StringEquals": {
          "aws:userid":"AIDIODR4TAW7CSEXAMPLE:${redshift:DbUser}@yourdomain.com"
        }
      }
    },
    {
      "Sid":"CreateClusterUserStatement",
      "Effect": "Allow",
      "Action": [
        "redshift:CreateClusterUser"
      ],
      "Resource": [
        "arn:aws-cn:redshift:us-west-2:123456789012:dbuser:examplecluster/${redshift:DbUser}"
      ],
      "Condition": {
        "StringEquals": {
          "aws:userid":"AIDIODR4TAW7CSEXAMPLE:${redshift:DbUser}@yourdomain.com"
        }
      }
    },
    {
      "Sid":"RedshiftJoinGroupStatement",
      "Effect": "Allow",
      "Action": [
        "redshift:JoinGroup"
      ],
      "Resource": [
        "arn:aws-cn:redshift:us-west-2:123456789012:dbgroup:examplecluster/common_group"
      ]
    }
  ]
}
```

------

The following example shows a policy that allows the IAM role to call the `GetClusterCredentials` operation. Specifying the Amazon Redshift `dbuser` resource grants the role access to the database user name `temp_creds_user` on the cluster named `examplecluster`.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "redshift:GetClusterCredentials",
    "Resource": "arn:aws-cn:redshift:us-west-2:123456789012:dbuser:examplecluster/temp_creds_user"
  }
}
```

------

You can use a wildcard (`*`) to replace all, or a portion of, the cluster name, user name, and database group names. The following example allows any user name beginning with `temp_` on any cluster in the specified account.

**Important**  
The statement in the following example specifies a wildcard character (`*`) as part of the value for the resource, so that the policy permits any resource that begins with the specified characters. Using a wildcard character in your IAM policies might be overly permissive. As a best practice, we recommend using the most restrictive policy feasible for your business application.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "redshift:GetClusterCredentials",
    "Resource": "arn:aws-cn:redshift:us-west-2:123456789012:dbuser:*/temp_*"
  }
}
```

------

The following example shows a policy that allows the IAM role to call the `GetClusterCredentials` operation with the option to automatically create a new user and specify groups the user joins at login. The `"Resource": "*"` clause grants the role access to any resource, including clusters, database users, and user groups.

**Important**  
The statement in the following example specifies a wildcard character (`*`) as the resource for the given actions, so that the policy permits access to any cluster and any database user, and allows creating any user. Using a wildcard character in your IAM policies might be overly permissive. As a best practice, we recommend using the most restrictive policy feasible for your business application.

------
#### [ JSON ]

****  

```
{
  "Version":"2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "redshift:GetClusterCredentials",
      "redshift:CreateClusterUser",
      "redshift:JoinGroup"
    ],
    "Resource": "*"
  }
}
```

------

For more information, see [Amazon Redshift ARN syntax](https://docs.amazonaws.cn/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-redshift).
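The two checks this section asks for by hand, the `aws:userid` condition that binds `${redshift:DbUser}` to the caller (the Important note under "Resource policies for GetClusterCredentials") and the wildcard warnings in Example 8, can be run over a policy document before it is attached. The following Python is an added example, not AWS code and not a replacement for IAM Access Analyzer or the policy simulator. The finding codes are my own names, the sample policies are copied from this section, and `EXAMPLE_8_UNBOUND` is a constructed variant of Example 8 with its `Condition` removed. It also flags a policy that uses the `${redshift:DbUser}` variable without `"Version": "2012-10-17"`, the only policy version in which policy variables are evaluated.

```python
"""Static checks for GetClusterCredentials policies.

Added example, not AWS code. It walks one identity policy and reports the
weaknesses this section warns about: wildcards in the dbuser resource, the
${redshift:DbUser} variable used without the aws:userid condition that ties
the database user to the caller, and policy variables in a document whose
Version does not support them.
"""
from fnmatch import fnmatchcase

CRED_ACTIONS = ("redshift:GetClusterCredentials", "redshift:CreateClusterUser")
DBUSER_VAR = "${redshift:DbUser}"
VARIABLE_VERSION = "2012-10-17"  # the only Version that supports policy variables


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _grants_cred_action(statement):
    """True for an Allow statement whose Action covers GetClusterCredentials
    or CreateClusterUser. fnmatchcase gives the '*' semantics IAM uses for
    patterns such as 'redshift:*'; action names contain no '[' or '?', so
    glob syntax introduces no surprises here."""
    if statement.get("Effect") != "Allow":
        return False
    patterns = [p.lower() for p in _as_list(statement.get("Action", []))]
    return any(fnmatchcase(a.lower(), p) for a in CRED_ACTIONS for p in patterns)


def _dbuser_name(resource):
    """Return the user-name part of a dbuser ARN (…:dbuser:cluster/user),
    '*' for a bare '*' resource, or None for any other resource type."""
    if resource == "*":
        return "*"
    if ":dbuser:" not in resource:
        return None
    tail = resource.split(":dbuser:", 1)[1]
    return tail.rsplit("/", 1)[-1]


def _binds_userid(statement):
    """True when StringEquals pins aws:userid to a value containing the
    DbUser variable, as the Important note in this section recommends."""
    cond = statement.get("Condition", {}).get("StringEquals", {})
    return any(DBUSER_VAR in v for v in _as_list(cond.get("aws:userid", [])))


def lint_policy(policy):
    """Return sorted (Sid, finding) pairs; an empty list means no finding."""
    findings = set()
    version_ok = policy.get("Version") == VARIABLE_VERSION
    for idx, st in enumerate(_as_list(policy.get("Statement", []))):
        if not _grants_cred_action(st):
            continue
        sid = st.get("Sid", f"statement-{idx}")
        for res in _as_list(st.get("Resource", [])):
            name = _dbuser_name(res)
            if name is None:
                continue
            if "*" in name:
                findings.add((sid, "WILDCARD_DBUSER"))
            if DBUSER_VAR in name:
                if not _binds_userid(st):
                    findings.add((sid, "DBUSER_VARIABLE_WITHOUT_USERID_CONDITION"))
                if not version_ok:
                    findings.add((sid, "VARIABLE_NEEDS_VERSION_2012-10-17"))
    return sorted(findings)


# Sample policies copied from this section (ARNs as printed on the page), plus
# one constructed variant of Example 8 with its Condition removed.
ARN = "arn:aws-cn:redshift:us-west-2:123456789012:"
EXAMPLE_8_BOUND = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "GetClusterCredsStatement", "Effect": "Allow",
        "Action": ["redshift:GetClusterCredentials"],
        "Resource": [ARN + "dbuser:examplecluster/${redshift:DbUser}",
                     ARN + "dbname:examplecluster/testdb",
                     ARN + "dbgroup:examplecluster/common_group"],
        "Condition": {"StringEquals": {
            "aws:userid": "AIDIODR4TAW7CSEXAMPLE:${redshift:DbUser}@yourdomain.com"}},
    }],
}
EXAMPLE_8_UNBOUND = {  # constructed: the same statement without the Condition
    "Version": "2012-10-17",
    "Statement": [{"Sid": "GetClusterCredsStatement", "Effect": "Allow",
                   "Action": ["redshift:GetClusterCredentials"],
                   "Resource": [ARN + "dbuser:examplecluster/${redshift:DbUser}"]}],
}
TEMP_USERS = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "redshift:GetClusterCredentials",
                  "Resource": ARN + "dbuser:*/temp_*"},
}
AUTOCREATE_ANY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow",
                  "Action": ["redshift:GetClusterCredentials",
                             "redshift:CreateClusterUser", "redshift:JoinGroup"],
                  "Resource": "*"},
}

if __name__ == "__main__":
    for label, pol in [("bound", EXAMPLE_8_BOUND), ("unbound", EXAMPLE_8_UNBOUND),
                       ("temp_users", TEMP_USERS), ("autocreate_any", AUTOCREATE_ANY)]:
        print(label, lint_policy(pol) or "clean")
```

`lint_policy` reports nothing for the first Example 8 policy, because its `dbuser` resource names a single cluster and the variable is pinned by the `aws:userid` condition; the `temp_*` and `"Resource": "*"` policies are reported as wildcard grants, which matches the two Important notes above. Treat a `DBUSER_VARIABLE_WITHOUT_USERID_CONDITION` finding as the priority: without that condition, any principal the policy applies to can request credentials for any database user name it supplies.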