Redshift Serverless
Source
The Redshift Serverless connector uses the Redshift Data API to access data stored in Redshift. Unlike our standard Redshift connector, the Serverless connector uses IAM roles for authorization.
The role should have permission for the following IAM actions:
redshift-data:CancelStatement
redshift-data:DescribeStatement
redshift-data:DescribeTable
redshift-data:ExecuteStatement
redshift-data:GetStatementResult
redshift-data:ListDatabases
redshift-data:ListSchemas
redshift-data:ListTables
redshift-serverless:GetCredentials
As an example, this permission policy grants the necessary permissions for all Redshift Serverless workgroups in the account:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "redshift-data:CancelStatement",
        "redshift-data:DescribeStatement",
        "redshift-data:DescribeTable",
        "redshift-data:ExecuteStatement",
        "redshift-data:GetStatementResult",
        "redshift-data:ListDatabases",
        "redshift-data:ListSchemas",
        "redshift-data:ListTables",
        "redshift-serverless:GetCredentials"
      ],
      "Resource": "*"
    }
  ]
}
The role's trust policy must be configured to allow Polytomic (AWS Account ID 568237466542) to assume the role. An external identifier is displayed when the connection is created, which may be used to further limit access to the role.
As an example, your trust policy will look something like the following:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::568237466542:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "a1efa791-4530-43a0-962d-74e2ccf18309"
        }
      }
    }
  ]
}
The value for sts:ExternalId will be unique to your Polytomic organization and displayed when creating the connection.
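As an added check (example code written for this page, not part of Polytomic's documentation or product), the following Python script validates both policies before you attach them to the role: it confirms that every required action is granted and that the trust policy is pinned to Polytomic's account and to your external ID. The action names and account ID are the values given above; the function names are this example's own.

```python
import json
from fnmatch import fnmatchcase

REQUIRED_ACTIONS = [
    "redshift-data:CancelStatement", "redshift-data:DescribeStatement",
    "redshift-data:DescribeTable", "redshift-data:ExecuteStatement",
    "redshift-data:GetStatementResult", "redshift-data:ListDatabases",
    "redshift-data:ListSchemas", "redshift-data:ListTables",
    "redshift-serverless:GetCredentials",
]
POLYTOMIC_ACCOUNT = "568237466542"
ACCEPTED_PRINCIPALS = {POLYTOMIC_ACCOUNT, f"arn:aws:iam::{POLYTOMIC_ACCOUNT}:root"}

def _as_list(value):
    # IAM accepts either a single string or a list in Statement, Action and Principal.
    return value if isinstance(value, list) else [value]

def _statements(policy):
    if isinstance(policy, str):
        policy = json.loads(policy)  # a stray or missing comma fails here, as it would in IAM
    return _as_list(policy.get("Statement", []))

def missing_actions(permission_policy):
    """Required actions no Allow statement grants; wildcards honoured, case ignored as in IAM."""
    granted = [a.lower() for s in _statements(permission_policy)
               if s.get("Effect") == "Allow" for a in _as_list(s.get("Action", []))]
    return [a for a in REQUIRED_ACTIONS
            if not any(fnmatchcase(a.lower(), g) for g in granted)]

def trust_policy_findings(trust_policy, expected_external_id):
    """Findings for each AssumeRole statement; an empty list means only Polytomic's account,
    and only with your external ID (the confused-deputy guard), can assume the role."""
    findings = []
    for s in _statements(trust_policy):
        if s.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(s.get("Action", [])):
            continue
        principal = s.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws:
            findings.append("Principal is '*': any AWS account could assume this role")
        elif not aws or set(aws) - ACCEPTED_PRINCIPALS:
            findings.append(f"unexpected principal(s): {aws}")
        external_id = s.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if external_id is None:
            findings.append("no sts:ExternalId condition: role is open to confused-deputy misuse")
        elif external_id != expected_external_id:
            findings.append(f"sts:ExternalId {external_id!r} is not the ID Polytomic displayed")
    return findings
```

Run it against the JSON you intend to upload (as strings or parsed dicts) and attach the role only when both functions return empty lists.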