Identity and access management in Amazon Redshift Serverless
Access to Amazon Redshift requires credentials that Amazon can use to authenticate your requests. Those credentials must have permissions to access Amazon resources, such as Amazon Redshift Serverless.
The following sections provide details about how you can use Amazon Identity and Access Management (IAM) and Amazon Redshift to help secure your resources by controlling who can access them. For more information, see Identity and access management in Amazon Redshift.
Granting permissions to Amazon Redshift Serverless
To access other Amazon services, Amazon Redshift Serverless requires permissions.
Authorizing Amazon Redshift Serverless to access other Amazon services for you
Some Amazon Redshift features require Amazon Redshift to access other Amazon services on your behalf. For your Amazon Redshift Serverless instance to act for you, supply security credentials to it. The preferred method to supply security credentials is to specify an Amazon Identity and Access Management (IAM) role. You can also create an IAM role through the Amazon Redshift console and set it as the default. For more information, see Creating an IAM role as default for Amazon Redshift.
To access other Amazon services, create an IAM role with the appropriate permissions. You also need to associate the role with Amazon Redshift Serverless. In addition, either specify the Amazon Resource Name (ARN) of the role when you run the Amazon Redshift command or specify the default keyword.
When changing the trust relationship for the IAM role in the IAM console (https://console.amazonaws.cn/iam/), use redshift-serverless.amazonaws.com and redshift.amazonaws.com as the principal service names.
For information about how to manage IAM roles to access other Amazon services on your behalf, see Authorizing Amazon Redshift to access other Amazon services on your behalf.
Creating an IAM role as default for Amazon Redshift
When you create IAM roles through the Amazon Redshift console, Amazon Redshift programmatically creates the roles in your Amazon Web Services account. Amazon Redshift also automatically attaches existing Amazon managed policies to them. This approach means that you can stay within the Amazon Redshift console and don't have to switch to the IAM console for role creation.
The IAM role that you create through the console for your cluster has the AmazonRedshiftAllCommandsFullAccess managed policy automatically attached. This IAM role allows Amazon Redshift to copy, unload, query, and analyze data for Amazon resources in your IAM account. The related commands include COPY, UNLOAD, CREATE EXTERNAL FUNCTION, CREATE EXTERNAL TABLE, CREATE EXTERNAL SCHEMA, CREATE MODEL, and CREATE LIBRARY. For more information about how to create an IAM role as default for Amazon Redshift, see Creating an IAM role as default for Amazon Redshift.
To get started creating an IAM role as default for Amazon Redshift, open the Amazon Web Services Management Console, choose the Amazon Redshift console, and then choose Redshift Serverless in the menu. From the Serverless dashboard you can create a new workgroup. The creation steps walk you through selecting an existing IAM role or configuring a new one.
When you have an existing Amazon Redshift Serverless workgroup and you want to configure IAM roles for it, open the Amazon Web Services Management Console. Choose the Amazon Redshift console, and then choose Redshift Serverless. On the Amazon Redshift Serverless console, choose Namespace configuration for an existing workgroup. Under Security and encryption, you can edit the permissions.
Assigning IAM roles to a namespace
Each IAM role is an Amazon identity with permissions policies that determine what actions the role can perform in Amazon. The role is intended to be assumable by anyone who needs it. Additionally, each namespace is a collection of objects, like tables and schemas, and users. When you use Amazon Redshift Serverless, you can associate multiple IAM roles with your namespace. This makes it easier to structure your permissions appropriately for a collection of database objects, so roles can perform actions on both internal and external data. For example, an associated role can allow a COPY command in an Amazon Redshift database to retrieve data from Amazon S3 and populate a Redshift table.
You can associate multiple roles with a namespace using the console, as described previously in this section. You can also use the API command CreateNamespace or the CLI command create-namespace. With the API or CLI command, you assign IAM roles to the namespace by populating IAMRoles with one or more roles. Specifically, you add the ARNs of the roles to the collection.
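The two preceding points, the trust relationship that must name both service principals and the IAMRoles collection of role ARNs, are easy to get subtly wrong (a role copied from a provisioned cluster often trusts only redshift.amazonaws.com, and an over-broad trust policy lets more than Redshift assume the role). The following added example, written for this page and not part of the Amazon Redshift documentation or its tooling, builds the expected trust policy, checks an existing trust policy document for missing or unexpected principals, and assembles a validated IAMRoles list. It uses only the Python standard library and makes no calls to Amazon; the role ARNs and policy documents in it are constructed samples, and the ARN pattern is a loose illustrative check rather than the official grammar.

```python
"""Build and check IAM trust policies and the IAMRoles list for a Redshift
Serverless namespace. Added example (stdlib only); it does not call Amazon.
Role ARNs and the policy documents below are constructed samples."""
import json
import re

# Service principals the page names for the Redshift Serverless role trust
# relationship.
REQUIRED_PRINCIPALS = {"redshift-serverless.amazonaws.com", "redshift.amazonaws.com"}

# Loose IAM role ARN shape (partition, 12-digit account id, role path/name).
# Illustrative check only, not the official ARN grammar.
ROLE_ARN_RE = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):iam::\d{12}:role/[\w+=,.@/-]+$")


def build_trust_policy(principals=REQUIRED_PRINCIPALS):
    """Return a trust policy that lets the given service principals assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": sorted(principals)},
            "Action": "sts:AssumeRole",
        }],
    }


def _service_principals(statement):
    """Extract the principals from one Allow statement that grants sts:AssumeRole."""
    if statement.get("Effect") != "Allow":
        return set()
    actions = statement.get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
        return set()
    principal = statement.get("Principal", {})
    if principal == "*":          # anyone may assume the role: always report it
        return {"*"}
    service = principal.get("Service", [])
    return set([service] if isinstance(service, str) else service)


def check_trust_policy(policy):
    """Compare a trust policy against the principals the namespace role needs.
    Returns (missing, unexpected) as sorted lists; both empty means the policy
    trusts exactly the two Redshift service principals and nothing else."""
    found = set()
    for stmt in policy.get("Statement", []):
        found |= _service_principals(stmt)
    missing = sorted(REQUIRED_PRINCIPALS - found)
    unexpected = sorted(found - REQUIRED_PRINCIPALS)
    return missing, unexpected


def namespace_iam_roles(role_arns):
    """Build the IAMRoles value for CreateNamespace / create-namespace.
    Rejects anything that is not an IAM role ARN and drops duplicates, keeping order."""
    seen, roles = set(), []
    for arn in role_arns:
        if not ROLE_ARN_RE.match(arn):
            raise ValueError(f"not an IAM role ARN: {arn}")
        if arn not in seen:
            seen.add(arn)
            roles.append(arn)
    return roles


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(), indent=2))
    # Constructed: a role that was only ever trusted by provisioned Redshift.
    legacy = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": "redshift.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}
    print(check_trust_policy(legacy))   # (['redshift-serverless.amazonaws.com'], [])
    # Constructed ARN; substitute your own account id and role name.
    print(namespace_iam_roles(["arn:aws-cn:iam::123456789012:role/RedshiftServerlessS3"]))
```

The result of `namespace_iam_roles` is the list you pass as IAMRoles to CreateNamespace (or as --iam-roles to create-namespace); running `check_trust_policy` on each role's trust policy first catches the common case where the serverless principal was never added.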
Managing namespace associated IAM roles
On the Amazon Web Services Management Console you can manage permissions policies for roles in Amazon Identity and Access Management. You can manage IAM roles for the namespace, using settings available under Namespace configuration. For more information about namespaces and their use in Amazon Redshift Serverless, see Overview of Amazon Redshift Serverless workgroups and namespaces.
Getting started with IAM credentials for Amazon Redshift
When you sign in to the Amazon Redshift console for the first time and first try out Amazon Redshift Serverless, we recommend that you sign in as a user with an attached IAM role that has the policies required. After you get started creating an Amazon Redshift Serverless instance, Amazon Redshift records the IAM role name that you used to sign in. You can use the same credentials to sign in to the Amazon Redshift console and the Amazon Redshift Serverless console.
While creating the Amazon Redshift Serverless instance, you can create a database. Use the query editor v2 to connect to the database with the temporary credentials option.
To add a new admin user name and password that persist for the database, choose Customize admin user credentials and enter a new admin user name and admin user password.
To get started using Amazon Redshift Serverless and create a workgroup and namespace in the console for the first time, use an IAM role with a permissions policy attached. Make sure that this role has either the administrator permission arn:aws:iam::aws:policy/AdministratorAccess or the full Amazon Redshift permission arn:aws:iam::aws:policy/AmazonRedshiftFullAccess attached to the IAM policy.
The following scenarios outline how your IAM credentials are used by Amazon Redshift Serverless when you get started on the Amazon Redshift Serverless console:
If you choose Use default settings – Amazon Redshift Serverless translates your current IAM identity to a database superuser. You can use the same IAM identity with the Amazon Redshift Serverless console to perform superuser actions in your database in Amazon Redshift Serverless.
If you choose Customize settings without specifying the Admin user name and password – your current IAM credentials are used as your default admin user credentials.
If you choose Customize settings and specify the Admin user name and password – Amazon Redshift Serverless translates your current IAM identity to a database superuser. Amazon Redshift Serverless also creates another long-term login username and password pair, also as a superuser. You can use either your current IAM identity or the created username and password pair to log in to your database as a superuser.
Managing access to Amazon Redshift Serverless database objects with database-role permissions
This procedure shows how to grant permission to query a table through an Amazon Redshift database role. The role is assigned by means of a tag that's attached to a user in IAM and passed to Amazon Redshift when the user signs in. It's an explanation by example of the concepts in Defining database roles to grant to federated users in Amazon Redshift Serverless. The benefit of completing these steps is that you can associate a user with a database role and avoid setting their permissions for each database object. It simplifies managing the user's ability to query, modify, or add data to tables and to perform other actions.
The procedure assumes you have already set up an Amazon Redshift Serverless database and you have the ability to grant permissions in the database. It also assumes you have permissions to create an IAM user in the Amazon console, to create an IAM role, and to assign policy permissions.
Create an IAM user, using the IAM console. Later, you will connect to the database with this user.
Create a Redshift database role, using query editor v2 or another SQL client. For more information on creating database roles, see CREATE ROLE.
CREATE ROLE urban_planning;
Query the SVV_ROLES system view to check that your role is created. It also returns system roles.
SELECT * from SVV_ROLES;
Grant the database role you created permission to select from a table. (The IAM user you created will eventually sign in and select records from the table by means of the database role.) The role name and table name in the following code example are samples. Here, permission is granted to select from a table named cities.
GRANT SELECT ON TABLE cities TO ROLE urban_planning;
Use the Amazon Identity and Access Management console to create an IAM role. This role grants permission to use query editor v2. Create a new IAM role and, for the trusted entity type, choose Amazon account. Then choose This account. Give the role the following policy permissions:
AmazonRedshiftReadOnlyAccess
tag:GetResources
tag:GetTagKeys
All actions for sqlworkbench, including sqlworkbench:ListDatabases and sqlworkbench:UpdateConnection.
In the IAM console, add a tag with the key RedshiftDbRoles to the IAM user you created previously. The tag's value should match the database role you created in the first step. It's urban_planning in the sample.
After you complete these steps, assign the IAM role to the user you created in the IAM console. When the user signs in to the database with query editor v2, the database role name in the tag is passed to Amazon Redshift and associated with them. Thus, they can query the appropriate tables by means of the database role. To illustrate, the user in this sample can query the cities table through the urban_planning database role.
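When a federated user signs in and does not receive the expected database role, the cause is almost always one of three things in the procedure above: the query editor v2 role's policy lacks one of the listed actions, the IAM user has no RedshiftDbRoles tag, or the tag value does not name a role that exists in SVV_ROLES. The following added example, written for this page rather than taken from the Amazon Redshift documentation or any Amazon tool, runs those three checks offline. It uses only the Python standard library; the IAM user tags, the inline policy document and the SVV_ROLES rows are constructed inputs (in practice you would read them from IAM and from a SELECT on SVV_ROLES), and the role_name column of SVV_ROLES is the one the check relies on.

```python
"""Pre-flight checks for the tag-based database-role procedure. Added example
(stdlib only); it does not call Amazon or Redshift. The user tags, the inline
policy and the SVV_ROLES rows are constructed inputs."""
from fnmatch import fnmatchcase

TAG_KEY = "RedshiftDbRoles"  # tag key the procedure uses

# Actions the procedure lists for the query editor v2 role, in addition to the
# AmazonRedshiftReadOnlyAccess managed policy (not checked here).
REQUIRED_ACTIONS = [
    "tag:GetResources",
    "tag:GetTagKeys",
    "sqlworkbench:ListDatabases",
    "sqlworkbench:UpdateConnection",
]


def _allowed_actions(policy):
    """Flatten the Action entries (string or list) of every Allow statement."""
    out = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        out.extend([action] if isinstance(action, str) else action)
    return out


def action_allowed(action, patterns):
    """IAM-style action matching: case-insensitive, with '*' and '?' wildcards,
    so "sqlworkbench:*" covers sqlworkbench:ListDatabases."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return the required actions that no Allow statement in the policy covers."""
    patterns = _allowed_actions(policy)
    return [a for a in required if not action_allowed(a, patterns)]


def requested_db_role(user_tags):
    """Return the database role named by the user's RedshiftDbRoles tag, or None.
    user_tags: list of {"Key": ..., "Value": ...} dicts as IAM returns them."""
    for tag in user_tags:
        if tag.get("Key") == TAG_KEY:
            return tag.get("Value")
    return None


def preflight(user_tags, policy, svv_roles_rows):
    """Collect the problems that would stop the user from getting the database role.
    svv_roles_rows: rows of SVV_ROLES as dicts with a 'role_name' key."""
    problems = [f"IAM role policy does not allow {a}" for a in missing_actions(policy)]
    role = requested_db_role(user_tags)
    if role is None:
        problems.append(f"IAM user has no {TAG_KEY} tag")
    elif role not in {r["role_name"] for r in svv_roles_rows}:
        problems.append(f"database role {role!r} not found in SVV_ROLES")
    return problems


if __name__ == "__main__":
    # Constructed inline policy for the query editor v2 role.
    policy = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["tag:GetResources", "tag:GetTagKeys", "sqlworkbench:*"],
        "Resource": "*"}]}
    # Constructed tags on the IAM user and constructed SVV_ROLES rows.
    tags = [{"Key": TAG_KEY, "Value": "urban_planning"}]
    roles = [{"role_name": "sys:superuser"}, {"role_name": "urban_planning"}]
    print(preflight(tags, policy, roles) or "all checks passed")
    # A tag naming a role that was never created is reported, not silently ignored.
    print(preflight([{"Key": TAG_KEY, "Value": "finance"}], policy, roles))
```

An empty list from `preflight` means the three procedure steps line up; each string in a non-empty list names the step to revisit. The check compares the tag value to role_name exactly, matching the page's statement that the tag value should match the database role you created.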