Configure an assume role for Amazon Redshift

Generate temporary security credential policies for Amazon Redshift

IAM user

An IAM user must have the sts:AssumeRole policy to use the temporary security credentials in the same or different AWS account. The IAM user credentials are used to key-in the Redshift access key and Redshift secret key in the connection properties.

The following sample policy allows an IAM user to use the temporary security credentials in an AWS account:

{
"Version":"2012-10-17",
"Statement":
{ "Effect":"Allow",
"Action":"sts:AssumeRole",
"Resource":"arn:aws:iam::<ACCOUNT-HYPHENS>:role/<REDSHIFT-IAM-ROLE-NAME>"
}
}

Redshift IAM role trust policy

The Redshift IAM role policy pertains to the role that is specified in the Redshift IAM Role ARN. An IAM role must have a trust policy attached with it to allow the IAM user to access Redshift using the temporary security credentials.

The following policy is a sample trust policy:

{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{ "AWS":"arn:aws:iam::AWS-account-ID:<IAM-USER>" },
"Action":"sts:AssumeRole"
}
]
}
}

For example, you can specify the role or user in the following format:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<AWS-account>:role/<name-of-the-role>"
},
"Action": "sts:AssumeRole"
}
]
}


{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": " arn:aws:iam::<AWS-account>:user/<name-of-the-user>"
},
"Action": "sts:AssumeRole"
}
]
}

Redshift IAM role trust policy for mappings in advanced mode

An IAM role must have a trust policy attached with it to allow the worker node to assume the Redshift role and access Amazon Redshift through the AssumeRole.

The following policy is a sample trust policy:

{
"Effect": "Allow",
"Principal": { "AWS": "arn:aws:iam::<ACCOUNT-ID>:role/<WORKER-NODE-ROLE-ARN>" },
"Action": "sts:AssumeRole"
}

Minimum permission policies of the Redshift IAM role

The following policy shows the permissions required to the Redshift IAM Role, which will be assumed by an IAM user to connect to the Redshift database using an existing Amazon Redshift user:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"redshift:GetClusterCredentials",

"redshift:DescribeClusters"
],

"Resource": [
"arn:aws:redshift:<REGION>:<ACCOUNT-ID>:dbuser:<Cluster_Identifier>/<USER_NAME>",

"arn:aws:redshift:<REGION>:<ACCOUNT-ID>:dbname:<Cluster_Identifier>/<DATABASE_NAME>"

]

}
}
]
}
}

The following policy shows the permissions needed to be attached to the Redshift IAM Role, which will be assumed by an IAM user to connect to the Redshift database with a newly created user by the Auto create DBUser check box:

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": [
"redshift:GetClusterCredentials",

"redshift:DescribeClusters",

"redshift:CreateClusterUser",

"redshift:JoinGroup"
],

"Resource": [
"arn:aws:redshift:<REGION>:<ACCOUNT-ID>:dbuser:<Cluster_Identifier>/<USER_NAME>",

"arn:aws:redshift:<REGION>:<ACCOUNT-ID>:dbname:<Cluster_Identifier>/<DATABASE_NAME>",

"arn:aws:redshift:<REGION>:<ACCOUNT-ID>:dbgroup:<Cluster_Identifier>/<GROUP_NAME>"
]
}

}

]

}

Generate temporary security credentials using AssumeRole for EC2

• •To use temporary security credentials using AssumeRole for EC2, install the Secure Agent on an AWS service such as Amazon EC2.
• •The EC2 role attached to the AWS EC2 service must not have access to Amazon Redshift but needs to have permission to assume another IAM role.
• •The IAM role that needs to be assumed by the EC2 role must have a permission policy and a trust policy attached to it.

EC2 service role trust policy

The following is a sample trust policy that is defined in a trust relationship of the EC2 role attached to the EC2 instance:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}