To use the Redshift IAM role ARN, configure the Redshift IAM role ARN with the required trust policies to generate temporary security credentials to access Amazon Redshift.
You can use one of the following options to generate the temporary security credentials:
AWS configurations
Connection details
Option 1. Configure an AssumeRole to enable an IAM user.
To use the AssumeRole for the IAM user, specify the following IAM user details:
- Redshift Access Key ID
- Redshift Secret Access Key
- Redshift IAM Role ARN
Option 2. Define an EC2 instance to assume a Redshift IAM role.
To use the AssumeRole for Amazon EC2:
- Specify the Redshift IAM Role ARN value.
- Enable the Use EC2 Role to Assume Role check box.
For application ingestion and replication tasks and database ingestion and replication tasks, use Option 2 to have an EC2 role assume the Redshift IAM role.
Generate the temporary security credentials based on your requirement.
Generate temporary security credential policies for Amazon Redshift
To use the temporary security credentials to connect to Amazon Redshift, both the IAM user and IAM role require policies.
The following section lists the policies required for the IAM user and IAM role:
IAM user
An IAM user must have the sts:AssumeRole policy to use the temporary security credentials in the same or different AWS account. The IAM user credentials are used to key-in the Redshift access key and Redshift secret key in the connection properties.
The following sample policy allows an IAM user to use the temporary security credentials in an AWS account:
Note: To run mappings in advanced mode, ensure to assign this policy to the Worker node role.
Redshift IAM role trust policy
The Redshift IAM role policy pertains to the role that is specified in the Redshift IAM Role ARN. An IAM role must have a trust policy attached with it to allow the IAM user to access Redshift using the temporary security credentials.
Redshift IAM role trust policy for mappings in advanced mode
An IAM role must have a trust policy attached with it to allow the worker node to assume the Redshift role and access Amazon Redshift through the AssumeRole.
Minimum permission policies of the Redshift IAM role
The following policy shows the permissions required to the Redshift IAM Role, which will be assumed by an IAM user to connect to the Redshift database using an existing Amazon Redshift user:
The following policy shows the permissions needed to be attached to the Redshift IAM Role, which will be assumed by an IAM user to connect to the Redshift database with a newly created user by the Auto create DBUser check box:
Generate temporary security credentials using AssumeRole for EC2
You can use temporary security credentials using AssumeRole for an Amazon EC2 role to connect to Amazon Redshift from the same or different AWS accounts.
The Amazon EC2 role can assume another IAM role from the same or different AWS account without requiring a Redshift access key and Redshift secret key.
Consider the following prerequisites when you use temporary security credentials using AssumeRole for EC2:
•To use temporary security credentials using AssumeRole for EC2, install the Secure Agent on an AWS service such as Amazon EC2.
•The EC2 role attached to the AWS EC2 service must not have access to Amazon Redshift but needs to have permission to assume another IAM role.
•The IAM role that needs to be assumed by the EC2 role must have a permission policy and a trust policy attached to it.
To configure an EC2 role to assume the IAM Role provided in the Redshift IAM Role ARN connection property, select the Use EC2 Role to Assume Role check box in the connection properties.
EC2 service role trust policy
The following is a sample trust policy that is defined in a trust relationship of the EC2 role attached to the EC2 instance: