Configure authorization for your Amazon Redshift data warehouse
To replicate data from your integration source into your Amazon Redshift data warehouse, you must initially add the following two entities:
- Authorized principal – identifies the user or role that can create zero-ETL integrations into the data warehouse.
- Authorized integration source – identifies the source database that can update the data warehouse.
You can configure authorized principals and authorized integration sources from the Resource Policy tab on the Amazon Redshift console or using the Amazon Redshift PutResourcePolicy API operation.
Add authorized principals
To create a zero-ETL integration into your Redshift Serverless workgroup or provisioned cluster, authorize access to the associated namespace or provisioned cluster.
You can skip this step if both of the following conditions are true:
- The Amazon Web Services account that owns the Redshift Serverless workgroup or provisioned cluster also owns the source database.
- That principal is associated with an identity-based IAM policy with permissions to create zero-ETL integrations into this Redshift Serverless namespace or provisioned cluster.
Add authorized principals to an Amazon Redshift Serverless namespace
- In the Amazon Redshift console, in the left navigation pane, choose Redshift Serverless.
- Choose Namespace configuration, then choose your namespace, and go to the Resource Policy tab.
- Choose Add authorized principals.
- For each authorized principal that you want to add, enter into the namespace either the ARN of the Amazon user or role, or the ID of the Amazon Web Services account that you want to grant access to create zero-ETL integrations. An account ID is stored as an ARN.
- Choose Save changes.
Add authorized principals to an Amazon Redshift provisioned cluster
- In the Amazon Redshift console, in the left navigation pane, choose Provisioned clusters dashboard.
- Choose Clusters, then choose the cluster, and go to the Resource Policy tab.
- Choose Add authorized principals.
- For each authorized principal that you want to add, enter into the cluster either the ARN of the Amazon user or role, or the ID of the Amazon Web Services account that you want to grant access to create zero-ETL integrations. An account ID is stored as an ARN.
- Choose Save changes.
Add authorized integration sources
To allow your source to update your Amazon Redshift data warehouse, you must add it as an authorized integration source to the namespace.
Add an authorized integration source to an Amazon Redshift Serverless namespace
- In the Amazon Redshift console, go to Serverless dashboard.
- Choose the name of the namespace.
- Go to the Resource Policy tab.
- Choose Add authorized integration source.
- Specify the ARN of the source for the zero-ETL integration.
Note
Removing an authorized integration source stops data from replicating into the namespace. This action deactivates all zero-ETL integrations from that source into this namespace.
Add an authorized integration source to an Amazon Redshift provisioned cluster
- In the Amazon Redshift console, go to Provisioned clusters dashboard.
- Choose the name of the provisioned cluster.
- Go to the Resource Policy tab.
- Choose Add authorized integration source.
- Specify the ARN of the source that's the data source for the zero-ETL integration.
Note
Removing an authorized integration source stops data from replicating into the provisioned cluster. This action deactivates all zero-ETL integrations from that source into this Amazon Redshift provisioned cluster.
Configure authorization using the Amazon Redshift API
You can use the Amazon Redshift API operations to configure resource policies that work with zero-ETL integrations.
To control the source that can create an inbound integration into the namespace, create a resource policy and attach it to the namespace. With the resource policy, you can specify the source that has access to the integration. The resource policy is attached to the namespace of your target data warehouse to allow the source to create an inbound integration to replicate live data from the source into Amazon Redshift.
The following is a sample resource policy.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "redshift.amazonaws.com"
      },
      "Action": "redshift:AuthorizeInboundIntegration",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "source_arn"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "source_principal"
      },
      "Action": "redshift:CreateInboundIntegration"
    }
  ]
}
The following summarizes the Amazon Redshift API operations applicable to configuring resource policies for integrations:
- Use the PutResourcePolicy API operation to persist the resource policy. When you provide another resource policy, the previous resource policy on the resource is replaced. Use the previous example resource policy, which grants permissions for the following actions:
  - CreateInboundIntegration – Allows the source principal to create an inbound integration for data to be replicated from the source into the target data warehouse.
  - AuthorizeInboundIntegration – Allows Amazon Redshift to continuously validate that the target data warehouse can receive data replicated from the source ARN.
- Use the GetResourcePolicy API operation to view existing resource policies.
- Use the DeleteResourcePolicy API operation to remove a resource policy from the resource.
To update a resource policy, you can also use the put-resource-policy Amazon CLI command. For example, to put a resource policy on your Amazon Redshift namespace ARN for a DynamoDB source, run an Amazon CLI command similar to the following.
aws redshift put-resource-policy \
    --policy file://rs-rp.json \
    --resource-arn "arn:aws:redshift-serverless:us-east-1:123456789012:namespace/cc4ffe56-ad2c-4fd1-a5a2-f29124a56433"

Where rs-rp.json contains:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "redshift.amazonaws.com"
      },
      "Action": "redshift:AuthorizeInboundIntegration",
      "Resource": "arn:aws:redshift-serverless:us-east-1:123456789012:namespace/cc4ffe56-ad2c-4fd1-a5a2-f29124a56433",
      "Condition": {
        "StringEquals": {
          "aws:SourceArn": "arn:aws:dynamodb:us-east-1:123456789012:table/test_ddb"
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "redshift:CreateInboundIntegration",
      "Resource": "arn:aws:redshift-serverless:us-east-1:123456789012:namespace/cc4ffe56-ad2c-4fd1-a5a2-f29124a56433"
    }
  ]
}
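The following is an added example, not part of the AWS documentation or of any AWS tool: an offline check to run on a policy such as rs-rp.json before it is passed to put-resource-policy. It reports an AuthorizeInboundIntegration grant that is not tied to a specific aws:SourceArn and a CreateInboundIntegration grant that is open to any principal. The function names and the constructed WEAK_POLICY are this example's own.

```python
from fnmatch import fnmatchcase

AUTHORIZE = "redshift:AuthorizeInboundIntegration"
CREATE = "redshift:CreateInboundIntegration"

def as_list(value):
    """IAM policy fields may hold one string or a list of strings."""
    return value if isinstance(value, list) else [] if value is None else [value]

def grants(stmt, action):
    """True if the statement's Action covers `action` (case-insensitive, wildcards allowed)."""
    return any(fnmatchcase(action.lower(), a.lower()) for a in as_list(stmt.get("Action")))

def source_arns(stmt):
    """aws:SourceArn values under StringEquals (condition keys are case-insensitive)."""
    cond = stmt.get("Condition", {}).get("StringEquals", {})
    return [v for key, vals in cond.items()
            if key.lower() == "aws:sourcearn" for v in as_list(vals)]

def audit_policy(policy):
    """Return a list of findings for a zero-ETL resource policy given as a dict."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = as_list(principal.get("AWS")) if isinstance(principal, dict) else as_list(principal)
        if grants(stmt, AUTHORIZE):
            arns = source_arns(stmt)
            if not arns:
                findings.append(f"Statement {i}: {AUTHORIZE} is not limited by aws:SourceArn")
            findings += [f"Statement {i}: source ARN {a!r} does not name one resource"
                         for a in arns if "*" in a or "?" in a]
        if grants(stmt, CREATE) and "*" in aws:
            findings.append(f"Statement {i}: {CREATE} is open to any principal")
    return findings

# The two statements of the page's rs-rp.json, without their Resource elements.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "redshift.amazonaws.com"},
     "Action": AUTHORIZE, "Condition": {"StringEquals": {
         "aws:SourceArn": "arn:aws:dynamodb:us-east-1:123456789012:table/test_ddb"}}},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": CREATE}]}

# Constructed weak variant: no source condition, wildcard action and principal.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "redshift.amazonaws.com"}, "Action": AUTHORIZE},
    {"Effect": "Allow", "Principal": "*", "Action": "redshift:*"}]}
```

Load the policy file with json.load and pass the result to audit_policy; an empty list means neither condition was found.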