
Redshift Serverless

Source

Redshift Serverless uses the Redshift Data API to access data stored in Redshift. Unlike our standard Redshift connector, Serverless utilizes IAM roles for authorization.

The role should have permission for the following IAM actions:

  • redshift-data:CancelStatement
  • redshift-data:DescribeStatement
  • redshift-data:DescribeTable
  • redshift-data:ExecuteStatement
  • redshift-data:GetStatementResult
  • redshift-data:ListDatabases
  • redshift-data:ListSchemas
  • redshift-data:ListTables
  • redshift-serverless:GetCredentials

As an example, this permission policy grants the necessary permissions for all Redshift Serverless workgroups in the account:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "redshift-data:CancelStatement",
                "redshift-data:DescribeStatement",
                "redshift-data:DescribeTable",
                "redshift-data:ExecuteStatement",
                "redshift-data:GetStatementResult",
                "redshift-data:ListDatabases",
                "redshift-data:ListSchemas",
                "redshift-data:ListTables",
                "redshift-serverless:GetCredentials"
            ],
            "Resource": "*"
        }
    ]
}

The role's trust policy must be configured to allow Polytomic (AWS Account ID 568237466542) to assume the role. An external identifier is displayed when the connection is created, which may be used to further limit access to the role.

As an example, your trust policy will look something like the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::568237466542:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "a1efa791-4530-43a0-962d-74e2ccf18309"
                }
            }
        }
    ]
}

The value for sts:ExternalId will be unique to your Polytomic organization and displayed when creating the connection.

Using Redshift Serverless as a Bulk Sync source

Redshift Serverless connections can be used as the source for a bulk sync. If an S3 bucket is available, Polytomic can use UNLOAD to extract data from Redshift, which may be more efficient.

To configure Polytomic to use UNLOAD, check "Unload data to S3" in the connection configuration and enter the bucket name and region.

The IAM policy attached to the role must grant permission to read, write, and list objects in the bucket. If the staging bucket is named unload-example, then the following IAM policy grants the required permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectAttributes",
                "s3:ListBucket",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::unload-example",
                "arn:aws:s3:::unload-example/*"
            ]
        }
    ]
}

Redshift must also be able to assume the role in order to perform the unload operation. The previous example trust policy should look something like the following when using UNLOAD:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::568237466542:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "a1efa791-4530-43a0-962d-74e2ccf18309"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "redshift.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
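
A way to check a role's trust policy against the two examples above before saving the connection. This is an added example, not Polytomic's own code. The function name, finding messages and sample documents are assumptions made for illustration, and the external ID is the example value from this page, not your organization's.

```python
import json

POLYTOMIC_PRINCIPAL = "arn:aws:iam::568237466542:root"  # account ID given on this page
ALLOWED_SERVICES = {"redshift.amazonaws.com"}  # only needed when UNLOAD is enabled

def _as_list(value):
    """IAM accepts either a single string or a list in these fields."""
    return [] if value is None else value if isinstance(value, list) else [value]

def lint_trust_policy(policy_json, expected_external_id):
    """Return findings for a role trust policy; an empty list means it matches the page."""
    findings, saw_polytomic = [], False
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append(f"statement {i}: wildcard principal")
            continue
        for svc in _as_list(principal.get("Service")):
            if svc not in ALLOWED_SERVICES:
                findings.append(f"statement {i}: unexpected service principal {svc}")
        aws = _as_list(principal.get("AWS"))
        for arn in aws:
            if arn != POLYTOMIC_PRINCIPAL:
                findings.append(f"statement {i}: unexpected AWS principal {arn}")
        if aws:
            saw_polytomic = saw_polytomic or POLYTOMIC_PRINCIPAL in aws
            # Exact-case key lookup; a cross-account trust needs the ExternalId pinned.
            ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
            if _as_list(ext) != [expected_external_id]:
                findings.append(f"statement {i}: AWS principal without matching sts:ExternalId")
    if not saw_polytomic:
        findings.append("no statement lets the Polytomic account assume the role")
    return findings

# Constructed sample input: this page's UNLOAD trust policy, and a copy without the Condition.
EXTERNAL_ID = "a1efa791-4530-43a0-962d-74e2ccf18309"  # example value shown on this page
GOOD = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": POLYTOMIC_PRINCIPAL}, "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}},
    {"Effect": "Allow", "Principal": {"Service": "redshift.amazonaws.com"},
     "Action": "sts:AssumeRole"}]})
_weak = json.loads(GOOD)
del _weak["Statement"][0]["Condition"]
WEAK = json.dumps(_weak)

if __name__ == "__main__":
    print(lint_trust_policy(GOOD, EXTERNAL_ID), lint_trust_policy(WEAK, EXTERNAL_ID))
```

Pass the external ID displayed for your own connection as the second argument; a trust policy that names the Polytomic account without that condition is reported as a finding.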