Create an Amazon Redshift V2 connection to read from or write data to Amazon Redshift.
Prepare for authentication
You can configure Default and Redshift IAM Authentication via AssumeRole authentication types in an Amazon Redshift V2 connection to connect to Amazon Redshift. Additionally, you need to complete the S3 staging prerequisites to access S3 resources. You can also configure encryption, if required, to connect to Amazon Redshift.
Note: Application ingestion and replication and database ingestion and replication tasks do not support Redshift IAM authentication via AssumeRole unless you use an EC2 instance to assume the role.
See the following sections for a summary of the authentication, staging, and encryption prerequisites.
Authentication prerequisites
Before you begin, you need to have a registered user account with Amazon Redshift.
Get the minimum required details from your Amazon Redshift account from the AWS Console for the authentication type that you want to configure, as listed below:
Default authentication
- JDBC URL
- User name
- Password
Redshift IAM Authentication via AssumeRole
- JDBC URL
- User name
- Database name
- Cluster identifier
- Redshift IAM role ARN*
*To use the Redshift IAM role ARN, configure the Redshift IAM role ARN with the required trust policies to generate temporary security credentials to access Amazon Redshift.
To enable staging on Amazon S3 and to gain access to S3 resources when you read or write data, you need to configure the staging properties in the Amazon Redshift V2 connection.
The following list summarizes the staging options that you can configure in the connection for both default and Redshift IAM Authentication via AssumeRole authentication, and the tasks that you need to perform to get the required details for S3 staging:
S3 staging option: Generate temporary credentials for the IAM user who assumes the S3 IAM role to access S3 staging.
- AWS configurations:
  1. Enable IAM users to assume an S3 IAM role and generate temporary credentials.
  2. Create an IAM user, assign the policy to that user, and then generate the S3 access key ID and S3 secret access key in the AWS console. For more information about how to create an IAM user and generate keys, see the AWS documentation.
- Redshift V2 connection configurations: Enter the S3 Access Key ID and S3 Secret Access Key values.
S3 staging option: Configure IAM authentication.
- AWS configurations: If you have an EC2 instance and do not want to specify the keys or use the IAM role ARN, assign the minimum policy to the EC2 instance role with access to the S3 bucket. In this case, you do not need to enable or specify any of the staging properties in the connection.
Encryption prerequisites
To configure client-side and server-side encryption for the Default authentication and Redshift IAM authentication via AssumeRole during staging, see Enable encryption.
Create a minimal Amazon IAM policy
To stage the data in Amazon S3, you need to create an IAM policy with the minimum required permissions to access the S3 resources.
You can attach the policy to an IAM user and generate the S3 access key ID and S3 secret access key for that user to access S3 resources. Alternatively, if you have an EC2 instance, you can attach the minimum policy to the EC2 instance role so that the instance can access the S3 bucket for staging without any long-lived keys.
You need the following minimum required permissions in the policy:
• s3:PutObject
• s3:GetObject
• s3:DeleteObject
• s3:ListBucket
Note that s3:ListBucket is a bucket-level action and is granted on the bucket ARN, whereas the other three are object-level actions and are granted on the objects in the bucket (the bucket ARN followed by /*). Scope both to the staging bucket rather than to all resources.
You can use the following sample Amazon IAM policy:
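The policy document below is an added example for the permissions listed above; it is not the page's own sample, and the bucket name my-redshift-staging and the Sid values are placeholders. The point it shows is the resource split: s3:ListBucket is granted on the bucket ARN, while s3:PutObject, s3:GetObject and s3:DeleteObject are granted on the objects under that bucket. Granting every action on a single "Resource": "*" is the usual shortcut, and it is what this policy avoids.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListStagingBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my-redshift-staging"
    },
    {
      "Sid": "ReadWriteDeleteStagingObjects",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::my-redshift-staging/*"
    }
  ]
}
```

If the tasks that use this connection always stage under a fixed key prefix, the object statement can be narrowed further to arn:aws:s3:::my-redshift-staging/<prefix>/* and the list statement can carry an s3:prefix condition; what the prefix is depends on the staging directory configured in the task, so it is left open here.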
To use the Redshift IAM role ARN, configure the Redshift IAM role ARN with the required trust policies to generate temporary security credentials to access Amazon Redshift.
You can use one of the following options to generate the temporary security credentials:
Option 1. Configure an AssumeRole to enable an IAM user.
Connection details: To use the AssumeRole for the IAM user, specify the following IAM user details:
- Redshift Access Key ID
- Redshift Secret Access Key
- Redshift IAM Role ARN
Option 2. Define an EC2 instance to assume a Redshift IAM role.
Connection details: To use the AssumeRole for Amazon EC2:
- Specify the Redshift IAM Role ARN value.
- Enable the Use EC2 Role to Assume Role check box.
For application ingestion and replication tasks and database ingestion and replication tasks, use Option 2 to have an EC2 role assume the Redshift IAM role.
Generate the temporary security credentials based on your requirement.
Generate temporary security credential policies for Amazon Redshift
To use the temporary security credentials to connect to Amazon Redshift, both the IAM user and IAM role require policies.
The following section lists the policies required for the IAM user and IAM role:
IAM user
An IAM user must have a policy that allows sts:AssumeRole on the Redshift IAM role to use the temporary security credentials in the same or a different AWS account. The access key ID and secret access key of this IAM user are the values that you enter in the Redshift Access Key ID and Redshift Secret Access Key connection properties.
The following sample policy allows an IAM user to use the temporary security credentials in an AWS account:
IAM role
The Redshift IAM role policy pertains to the role that is specified in the Redshift IAM Role ARN. The IAM role must have a trust policy attached to it that names the IAM user as a trusted entity; otherwise the user cannot assume the role to access Redshift using the temporary security credentials.
Minimum permission policies of the Redshift IAM role
The following policy shows the permissions required for the Redshift IAM role, which an IAM user assumes to connect to the Redshift database as an existing Amazon Redshift user:
The following policy shows the permissions that must be attached to the Redshift IAM role, which an IAM user assumes to connect to the Redshift database with a user that is newly created by the Auto Create DBUser check box:
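The three policy documents below are an added example of the pieces described in this section and are not the page's own sample policies. They are wrapped in one JSON object only so that they can be shown together; attach each value as a separate policy where its key says. Assumed placeholders: the Secure Agent's IAM user infa-agent-user in account 111111111111, the role RedshiftAssumeRole and the cluster infa-rs-cluster (the name from the JDBC URL example on this page) in account 222222222222 in us-west-2, the database rsdb, the database user etl_user and the database group etl_group. The redshift:DescribeClusters statement is included on the assumption that the driver resolves the cluster endpoint from the Cluster Identifier; the last statement is needed only when Auto Create DBUser is enabled, so omit it when the connection uses an existing database user.

```json
{
  "IamUserPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AssumeOnlyTheRedshiftRole",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::222222222222:role/RedshiftAssumeRole"
      }
    ]
  },
  "RedshiftRoleTrustPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "TrustTheAgentUserOnly",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::111111111111:user/infa-agent-user"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  },
  "RedshiftRolePermissionsPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "ResolveClusterEndpoint",
        "Effect": "Allow",
        "Action": "redshift:DescribeClusters",
        "Resource": "arn:aws:redshift:us-west-2:222222222222:cluster:infa-rs-cluster"
      },
      {
        "Sid": "TemporaryPasswordForExistingUser",
        "Effect": "Allow",
        "Action": "redshift:GetClusterCredentials",
        "Resource": [
          "arn:aws:redshift:us-west-2:222222222222:dbuser:infa-rs-cluster/etl_user",
          "arn:aws:redshift:us-west-2:222222222222:dbname:infa-rs-cluster/rsdb"
        ]
      },
      {
        "Sid": "OnlyWhenAutoCreateDBUserIsEnabled",
        "Effect": "Allow",
        "Action": [
          "redshift:CreateClusterUser",
          "redshift:JoinGroup"
        ],
        "Resource": [
          "arn:aws:redshift:us-west-2:222222222222:dbuser:infa-rs-cluster/etl_user",
          "arn:aws:redshift:us-west-2:222222222222:dbgroup:infa-rs-cluster/etl_group"
        ]
      }
    ]
  }
}
```

The IAM user's policy names the role ARN as its only Resource, so the user can assume nothing else, and the trust policy names the user rather than the whole account, so no other principal in 111111111111 can assume the role. The dbuser resource must match the Username entered in the connection and the dbname resource must match the Database Name, or GetClusterCredentials is denied. When the user and the role are in the same account, replace 222222222222 with that account. The Expiration Time connection property (900 to 3600 seconds) is the lifetime of the temporary password that redshift:GetClusterCredentials issues.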
Generate temporary security credentials using AssumeRole for EC2
You can use temporary security credentials using AssumeRole for an Amazon EC2 role to connect to Amazon Redshift from the same or different AWS accounts.
The Amazon EC2 role can assume another IAM role from the same or different AWS account without requiring a Redshift access key and Redshift secret key.
Consider the following prerequisites when you use temporary security credentials using AssumeRole for EC2:
•To use temporary security credentials using AssumeRole for EC2, install the Secure Agent on an AWS service such as Amazon EC2.
•The EC2 role attached to the AWS EC2 service must not have access to Amazon Redshift but needs to have permission to assume another IAM role.
•The IAM role that needs to be assumed by the EC2 role must have a permission policy and a trust policy attached to it.
To configure an EC2 role to assume the IAM Role provided in the Redshift IAM Role ARN connection property, select the Use EC2 Role to Assume Role check box in the connection properties.
EC2 service role trust policy
The following is a sample trust policy that is defined in a trust relationship of the EC2 role attached to the EC2 instance:
The permission policy that is required on the EC2 instance role is the same as the policy defined for the IAM user: it allows sts:AssumeRole on the Redshift IAM role and grants no Amazon Redshift permissions of its own.
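The documents below are an added example of the EC2 chain described in this section, not the page's own sample: the instance role's trust policy, which lets the EC2 service assume it on behalf of the instance that runs the Secure Agent; its permission policy, which allows nothing except assuming the Redshift role; and the Redshift role's trust policy, which names the instance role. Placeholders: the instance role SecureAgentInstanceRole in account 111111111111 and the Redshift role RedshiftAssumeRole in account 222222222222. The three documents are wrapped in one object only for display and are attached separately.

```json
{
  "Ec2InstanceRoleTrustPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "LetEc2AssumeTheInstanceRole",
        "Effect": "Allow",
        "Principal": {
          "Service": "ec2.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  },
  "Ec2InstanceRolePermissionsPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AssumeOnlyTheRedshiftRole",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::222222222222:role/RedshiftAssumeRole"
      }
    ]
  },
  "RedshiftRoleTrustPolicy": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "TrustTheAgentInstanceRoleOnly",
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::111111111111:role/SecureAgentInstanceRole"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
}
```

Note what the instance role does not carry: no redshift:* permissions and no access keys, as the prerequisites above require. The instance reaches Amazon Redshift only through the assumed role, so removing the instance role from the Redshift role's trust policy is enough to cut the access without touching the instance.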
Configure an assume role for Amazon S3 staging
To configure AssumeRole authentication for S3 staging, you need to attach the minimum permission policies and trust policies for the IAM user and IAM role in the AWS console.
An IAM user can use the AssumeRole to temporarily gain access to the Amazon S3 resources. For more information about using an assume role for Amazon S3 resources, you can also refer to the How-to-Library article: Using an assume role for Amazon S3 resources
You can generate temporary security credentials using AssumeRole for Amazon S3 staging to access the Amazon S3 staging bucket. If you want EC2 instances to assume an IAM role to gain access to the S3 staging bucket securely, use the temporary security credentials generated using AssumeRole for EC2 instances.
Note: Do not use the root user credentials of the AWS account to generate the temporary security credentials. You need to use the credentials of an IAM user to generate the temporary security credentials.
Generate the temporary security credentials based on your requirement.
Generate temporary security credentials using AssumeRole for Amazon S3 staging
You can use the temporary security credentials using AssumeRole to access the Amazon S3 staging bucket from the same or different AWS accounts.
Ensure that you have the sts:AssumeRole permission and a trust relationship established within the AWS accounts to use the temporary security credentials. The trust relationship is defined in the trust policy of the IAM role when you create the role. The IAM role adds the IAM user as a trusted entity allowing the IAM users to use the temporary security credentials and access the AWS accounts. For more information about how to establish the trust relationship, see the AWS documentation.
When the trusted IAM user requests temporary security credentials, AWS Security Token Service (AWS STS) dynamically generates credentials that are valid for a specified period and returns them to the trusted IAM user. The temporary security credentials consist of an access key ID, a secret access key, and a session token.
To use the dynamically generated temporary security credentials, provide the value of the S3 IAM Role ARN connection property when you create an Amazon Redshift V2 connection. The IAM Role ARN uniquely identifies the IAM role to assume. Then, specify the time duration in seconds during which the temporary security credentials remain valid in the Temporary Credential Duration advanced source and target properties.
External ID
You can specify the external ID for a more secure access to the Amazon S3 bucket when the Amazon S3 bucket is in a different AWS account than the IAM user or EC2 instance.
Note: Application ingestion and replication and database ingestion and replication tasks do not support use of External ID.
You can optionally specify the external ID in the AssumeRole request to the AWS Security Token Service (STS).
The external ID must be a string. The following sample shows an external ID condition in the assumed IAM role's trust policy:
An IAM role must have a sts:AssumeRole policy and a trust policy attached with the IAM role to allow the IAM user to access the Amazon S3 bucket using the temporary security credentials. The policy specifies the Amazon S3 bucket that the IAM user can access and the actions that the IAM user can perform. The trust policy specifies the IAM user from the AWS account that can access the Amazon S3 bucket.
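The trust policy below is an added example of the external ID condition and the trusted-principal statement described above; it is not the page's own sample. Placeholders: the IAM user infa-agent-user in account 111111111111 and the external ID value infa-staging-7f3c2a91, an opaque string that you choose and also enter in the connection's External ID property. The role's permission policy is the minimal S3 staging policy from the Create a minimal Amazon IAM policy section, and the user needs the sts:AssumeRole permission on the role ARN, as stated above.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TrustAgentUserWithExternalId",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:user/infa-agent-user"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "infa-staging-7f3c2a91"
        }
      }
    }
  ]
}
```

With the condition in place, STS refuses an AssumeRole call from the trusted user that omits or mismatches the ExternalId, which is what protects a cross-account role from being assumed on behalf of a third party through the same trusted principal (the confused deputy case). The external ID is not a secret in the credential sense, but it should be unguessable and unique per role; it is only checked when the External ID connection property is set, which the page notes is not supported for application ingestion and replication and database ingestion and replication tasks.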
To use the temporary security credentials with AWS Key Management Service (AWS KMS)-managed customer master key and enable encryption with KMS, you must create a KMS policy.
You can perform the following operations to use the temporary security credentials and enable encryption with KMS:
Generate temporary security credentials using AssumeRole for EC2
You can use temporary security credentials using AssumeRole for an Amazon EC2 role to access the Amazon S3 staging bucket from the same or different AWS accounts.
The Amazon EC2 role can assume another IAM role from the same or a different AWS account without requiring a permanent access key and secret key. Because IAM roles are not tied to a region, the EC2 instance can also be in a different region from the role or the staging bucket.
Consider the following prerequisites when you use temporary security credentials using AssumeRole for EC2:
•To use temporary security credentials using AssumeRole for EC2, install the Secure Agent on an AWS service such as Amazon EC2.
•The EC2 role attached to the AWS EC2 service must not have access to Amazon S3 but needs to have permission to assume another IAM role.
•The IAM role that needs to be assumed by the EC2 role must have a permission policy and a trust policy attached to it.
To configure an EC2 role to assume the IAM Role provided in the IAM Role ARN connection property, select the Use EC2 Role to Assume Role check box in the connection properties.
Enable encryption
You can enable client-side and server-side encryption in the Amazon Redshift V2 connection for staging data in Amazon S3.
Complete the prerequisites based on the type of encryption that you want to configure in the Amazon Redshift V2 connection.
Client-side encryption
Client-side encryption requires a 256-bit AES encryption key in the Base64 format, that is, 32 random bytes encoded as a 44-character Base64 string. You can generate a key using a third-party tool; use a cryptographically secure random source rather than a passphrase, and store the key as you would any other credential.
Specify the key value in the Master Symmetric Key field when you create an Amazon Redshift V2 connection.
Server-side encryption
To enable server-side encryption, create an AWS Key Management Service (AWS KMS)-managed customer master key.
Generate the customer master key ID for the same region where your Amazon S3 staging bucket resides. For more information about generating a customer master key, see the AWS documentation.
To enable encryption with the customer master key, you need to create a minimal KMS policy. You can specify the customer master key ID when you create an Amazon Redshift V2 connection.
Note: The master symmetric key applies only to client-side encryption, and the customer master key applies only to server-side encryption. You cannot configure server-side encryption with the master symmetric key or client-side encryption with the customer master key.
Create a minimal policy for using AWS KMS
To use the AWS Key Management Service (AWS KMS)-managed customer master key and enable the encryption with KMS, you must create a KMS policy.
You can perform the following operations to enable encryption with KMS:
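The policy below is an added example of the minimal KMS policy that both of the KMS passages on this page call for (using the temporary security credentials with a KMS-managed key for S3 staging, and the server-side encryption prerequisite); it is not the page's own sample. Placeholders: the key in account 222222222222 in us-west-2 with the key ID 1234abcd-12ab-34cd-56ef-1234567890ab. Attach it to the IAM user or to the IAM role that accesses the staging bucket. The kms:ViaService condition limits the data-key operations to requests that Amazon S3 makes on the principal's behalf, so the same credentials cannot use the key directly for anything else.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UseStagingKeyOnlyThroughS3",
      "Effect": "Allow",
      "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "arn:aws:kms:us-west-2:222222222222:key/1234abcd-12ab-34cd-56ef-1234567890ab",
      "Condition": {
        "StringEquals": {
          "kms:ViaService": "s3.us-west-2.amazonaws.com"
        }
      }
    },
    {
      "Sid": "DescribeStagingKey",
      "Effect": "Allow",
      "Action": "kms:DescribeKey",
      "Resource": "arn:aws:kms:us-west-2:222222222222:key/1234abcd-12ab-34cd-56ef-1234567890ab"
    }
  ]
}
```

kms:DescribeKey is left without the condition on the assumption that the SDK validates the Customer Master Key ID directly rather than through S3. An identity policy alone is not enough when the key lives in another account: the key policy in the key's account must also allow the principal, which is why the Customer Master Key ID property accepts the key ARN for cross-account access. The key must be in the same region as the staging bucket, as the server-side encryption prerequisite states, and the kms:ViaService value must name that region.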
Let's configure the Amazon Redshift V2 connection properties to connect to Amazon Redshift.
Before you begin
Before you get started, you'll need to get information from your Amazon Redshift account based on the authentication type you want to configure.
Check out Prepare for authentication to learn about the authentication requirements before you configure a connection.
Connection details
The following table describes the basic connection properties:
Property
Description
Connection Name
Name of the connection. Each connection name must be unique within the organization. Connection names can contain alphanumeric characters, spaces, and the following special characters: _ . + - (underscore, period, plus sign, hyphen). Maximum length is 255 characters.
Description
Description of the connection. Maximum length is 4000 characters.
Type
Amazon Redshift V2
Runtime Environment
Name of the runtime environment where you want to run tasks.
You cannot run an application ingestion and replication task, database ingestion and replication task, file ingestion and replication task, or streaming ingestion and replication task on a Hosted Agent or serverless runtime environment.
Authentication types
You can configure default and Redshift IAM AssumeRole authentication types to access Amazon Redshift.
Note: Application ingestion and replication tasks and database ingestion and replication tasks do not support Redshift IAM AssumeRole authentication without an EC2 instance.
Select the required authentication method and then configure the authentication-specific parameters.
Default authentication
The following table describes the basic connection properties for default authentication:
Properties
Description
JDBC URL
The JDBC URL to connect to the Amazon Redshift cluster.
You can get the JDBC URL from your Amazon AWS Redshift cluster configuration page.
Enter the JDBC URL in the following format:
jdbc:redshift://<cluster_endpoint>:<port_number>/<database_name>, where the endpoint includes the Redshift cluster name and region.
For example, jdbc:redshift://infa-rs-cluster.abc.us-west-2.redshift.amazonaws.com:5439/rsdb
In the example,
- infa-rs-cluster is the name of the Redshift cluster.
- infa-rs-cluster.abc.us-west-2.redshift.amazonaws.com is the Redshift cluster endpoint, where us-west-2 is the US West (Oregon) region.
- 5439 is the port number for the Redshift cluster.
- rsdb is the database in the Redshift cluster to which you want to connect.
Username
User name of your database instance in the Amazon Redshift cluster.
Password
Password of the Amazon Redshift database user.
Use EC2 Role to Assume Role
Enables the EC2 instance that assumes an S3 IAM role to access the S3 resources to stage data using the temporary security credentials.
The EC2 role must have a policy attached with permissions to assume an S3 IAM role. The S3 IAM role and the EC2 instance can be in the same or different AWS account.
Select the check box to enable the EC2 role to assume an S3 IAM role specified in the S3 IAM Role ARN option to access the S3 resources for staging data.
This property doesn't apply to application ingestion and replication tasks and database ingestion and replication tasks. By default, this check box is not selected.
S3 IAM Role ARN
The Amazon Resource Name (ARN) of the IAM role assumed by the IAM user or the EC2 role to use the dynamically generated temporary security credentials to stage data in Amazon S3.
This property applies when you want to generate temporary security credentials to access the S3 staging buckets by using either the EC2 instance or the IAM user who assumes the S3 IAM role.
Specify the ARN of the S3 IAM role to use the temporary security credentials to access the Amazon S3 staging bucket.
For more information about how to get the ARN of the S3 IAM role, see the AWS documentation.
Note: If you use the connection for application ingestion and replication or database ingestion and replication tasks that use role-based authentication, but not the default role for the AWS cluster, specify an IAM role ARN. If you use the default role, leave this field blank.
Advanced settings
The following table describes the advanced connection properties for default authentication:
Properties
Description
S3 Access Key ID
Access key of the IAM user to access the Amazon S3 staging bucket.
Enter the access key ID when you use the following methods for S3 staging:
- When the IAM user has access to S3 staging.
- When the IAM user who assumes the S3 IAM role uses the temporary security credentials to access S3.
You do not need to enter the S3 access key ID if you use IAM authentication or the assume role for EC2 to access S3.
Note: If you use the connection for application ingestion and replication or database ingestion and replication tasks that use key-based authentication, provide the access key value.
S3 Secret Access Key
Secret access key to access the Amazon S3 staging bucket.
The secret access key is paired with the access key ID; together they authenticate the IAM user, so treat the secret as a credential.
Enter the secret access key value when you use following methods for S3 staging:
- When the IAM user has access to S3 staging.
- When the IAM user who assumes the S3 IAM role uses the temporary security credentials to access S3.
You do not need to enter the S3 secret access key if you use IAM authentication or the assume role for EC2 to access S3.
Note: If you use the connection for application ingestion and replication or database ingestion and replication tasks that use key-based authentication, provide the secret access key value.
S3 VPC Endpoint Type
The type of Amazon Virtual Private Cloud endpoint for Amazon S3.
You can use a VPC endpoint to enable private communication with Amazon S3.
Select one of the following options:
- Default. Select if you do not want to use a VPC endpoint.
- Interface Endpoint. Select to establish private communication with Amazon S3 through an interface endpoint which uses a private IP address from the IP address range of your subnet. It serves as an entry point for traffic destined to an AWS service.
Endpoint DNS Name for Amazon S3
The DNS name for the Amazon S3 interface endpoint.
Replace the asterisk symbol with the bucket keyword in the DNS name.
Enter the DNS name in the following format:
bucket.<DNS name of the interface endpoint>
For example, bucket.vpce-s3.us-west-2.vpce.amazonaws.com
STS VPC Endpoint Type
The type of Amazon Virtual Private Cloud endpoint for AWS Security Token Service.
You can use a VPC endpoint to enable private communication with Amazon Security Token Service.
Select one of the following options:
- Default. Select if you do not want to use a VPC endpoint.
- Interface Endpoint. Select to establish private communication with Amazon Security Token Service through an interface endpoint which uses a private IP address from the IP address range of your subnet.
Endpoint DNS Name for AWS STS
The DNS name for the AWS STS interface endpoint.
For example, vpce-01f22cc14558c241f-s8039x4c.sts.us-west-2.vpce.amazonaws.com
KMS VPC Endpoint Type
The type of Amazon Virtual Private Cloud endpoint for AWS Key Management Service.
You can use a VPC endpoint to enable private communication with Amazon Key Management Service.
Select one of the following options:
- Default. Select if you do not want to use a VPC endpoint.
- Interface Endpoint. Select to establish private communication with Amazon Key Management Service through an interface endpoint which uses a private IP address from the IP address range of your subnet.
Endpoint DNS Name for AWS KMS
The DNS name for the AWS KMS interface endpoint.
For example, vpce-0e722f5c721e19232-g2pkm2r7.kms.us-west-2.vpce.amazonaws.com
External ID
The external ID associated with the IAM role.
You can specify the external ID if you want to provide a more secure access to the Amazon S3 bucket. The Amazon S3 staging bucket and the IAM role can be in the same or different AWS accounts.
If required, you also have the option to specify the external ID in the AssumeRole request to the AWS Security Token Service (STS) using an external ID condition in the assumed IAM role's trust policy.
This property doesn't apply to application ingestion and replication tasks and database ingestion and replication tasks.
Cluster Region
The AWS cluster region in which the Redshift cluster resides.
Select the cluster region from the list if you choose to provide a custom JDBC URL with a different cluster region from that specified in the JDBC URL field property. To continue to use the cluster region name specified in the JDBC URL field property, select None as the cluster region in this property.
You can only read data from or write data to the cluster regions supported by the AWS SDK.
Select one of the following cluster regions:
None
Asia Pacific(Mumbai)
Asia Pacific(Seoul)
Asia Pacific(Singapore)
Asia Pacific(Sydney)
Asia Pacific(Tokyo)
Asia Pacific(Hong Kong)
AWS GovCloud (US)
AWS GovCloud (US-East)
Canada(Central)
China(Beijing)
China(Ningxia)
EU(Ireland)
EU(Frankfurt)
EU(Paris)
EU(Stockholm)
South America(Sao Paulo)
Middle East(Bahrain)
US East(N. Virginia)
US East(Ohio)
US West(N. California)
US West(Oregon)
Default is None.
Note: A region value is required for application ingestion and replication tasks and database ingestion and replication tasks.
Connection Environment SQL
The SQL statement to set up the database environment that applies for the entire session.
Separate multiple values with a semicolon (;).
Specify only the configurations for the database environment in the SQL statement. Do not specify any DDL or DML commands in the SQL statement.
Master Symmetric Key
A 256-bit AES encryption key in the Base64 format that enables client-side encryption, so that your data is encrypted before it is sent for staging in Amazon S3.
This property doesn't apply to application ingestion and replication tasks and database ingestion and replication tasks.
Customer Master Key ID
The customer master key ID generated by AWS Key Management Service (AWS KMS), or the ARN of the key for cross-account access, to use when you stage data in Amazon S3. Amazon S3 uses the customer master key to encrypt your data on the server side before it is stored.
You can either enter the customer-generated customer master key ID or the default customer master key ID.
This property doesn't apply to application ingestion and replication tasks and database ingestion and replication tasks.
Redshift IAM Authentication via AssumeRole
The Redshift AssumeRole authentication enables the user to assume an IAM role or define an EC2 role configured with required trust policies to generate temporary security credentials to access Amazon Redshift.
Note: For application ingestion and replication tasks and database ingestion and replication tasks, you must use an EC2 role.
The following table describes the basic connection properties for Redshift IAM AssumeRole authentication:
Properties
Description
JDBC URL
The JDBC URL to connect to the Amazon Redshift cluster.
You can get the JDBC URL from your Amazon AWS Redshift cluster configuration page.
Enter the JDBC URL in the following format:
jdbc:redshift://<cluster_endpoint>:<port_number>/<database_name>, where the endpoint includes the Redshift cluster name and region.
For example, jdbc:redshift://infa-rs-cluster.abc.us-west-2.redshift.amazonaws.com:5439/rsdb
In the example,
- infa-rs-cluster is the name of the Redshift cluster.
- infa-rs-cluster.abc.us-west-2.redshift.amazonaws.com is the Redshift cluster endpoint, where us-west-2 is the US West (Oregon) region.
- 5439 is the port number for the Redshift cluster.
- rsdb is the database in the Redshift cluster to which you want to connect.
Username
User name of your database instance in the Amazon Redshift cluster.
Cluster Identifier
The unique identifier of the cluster that hosts Amazon Redshift.
Specify the Amazon Redshift cluster name.
Database Name
Name of the Amazon Redshift database where the tables that you want to access are stored.
Redshift IAM Role ARN
The Amazon Resource Name (ARN) of the IAM role assumed by the IAM user or the EC2 role to use the dynamically generated temporary security credentials to access Amazon Redshift.
Enter the Redshift IAM role ARN to access the Amazon Redshift cluster.
Use EC2 Role to Assume Role
Enables the EC2 role to assume an IAM role, either to connect to Redshift or to stage data using the temporary security credentials:
Connect to Redshift with IAM authentication using the EC2 role
Select the check box to enable the EC2 role that assumes a Redshift IAM role specified in the Redshift IAM Role ARN field to access Amazon Redshift.
The EC2 role must have a policy attached with permissions to assume a Redshift IAM role from the same or different account.
Access S3 resources to stage data
Select the check box to enable the EC2 role to assume an S3 IAM role specified in the S3 IAM Role ARN field and dynamically generate the temporary security credentials to access the S3 staging buckets.
The EC2 role must have a policy attached with permissions to assume an S3 IAM role from the same or different AWS account.
S3 IAM Role ARN
The Amazon Resource Name (ARN) of the S3 IAM role assumed by the IAM user or the EC2 role to use the dynamically generated temporary security credentials to stage data in Amazon S3.
This property applies when you want to generate the temporary security credentials to access the S3 staging buckets by using either the EC2 instance or the IAM user who assumes the S3 IAM role.
Specify the ARN of the S3 IAM role to use the temporary security credentials to access the Amazon S3 staging bucket.
For more information about how to get the ARN of the IAM role, see the AWS documentation.
Note: If you use the connection for application ingestion and replication or database ingestion and replication tasks that uses role-based authentication, but not the default role for the AWS cluster, specify an IAM role ARN. If you use the default role, leave this field blank.
Advanced settings
The following table describes the advanced connection properties for Redshift IAM AssumeRole authentication:
Properties
Description
Redshift Access Key ID
The access key of the IAM user that has permissions to assume the Redshift IAM AssumeRole ARN.
This property doesn't apply to Amazon Redshift AssumeRole authentication with EC2 role.
Redshift Secret Access Key
The secret access key of the IAM user that has permissions to assume the Redshift IAM Assume Role ARN.
This property doesn't apply to Amazon Redshift AssumeRole authentication with EC2 role.
Database Group
The name of the database group to which you want to add the database user when you select the Auto Create DBUser option in this connection property.
The user that you add to this database group inherits the specified group privileges.
If you do not specify a database group name, the user is added to the public group and inherits its associated privileges.
You can also enter multiple database groups, separated by a comma, to add the user to each of the specified database groups.
Expiration Time
The duration, in seconds, after which the temporary password generated for the Amazon Redshift database user expires.
Specify a value between 900 seconds and 3600 seconds.
Default is 900.
Auto Create DBUser
Select to create a new Amazon Redshift database user at run time.
The agent adds the user you specified in the Username field to the database group. The added user assumes the privileges assigned to the database group.
Default is disabled.
S3 Access Key ID
Access key of the IAM user to access the Amazon S3 staging bucket.
Enter the access key ID when you use the following methods for S3 staging:
- When the IAM user has access to S3 staging.
- When the IAM user who assumes the S3 IAM role uses the temporary security credentials to access S3.
You do not need to enter the S3 access key ID if you use IAM authentication or the assume role for EC2 to access S3.
Note: If you use the connection for application ingestion and replication or database ingestion and replication tasks that use key-based authentication, provide the access key value.
S3 Secret Access Key
Secret access key to access the Amazon S3 staging bucket.
The secret access key is paired with the access key ID; together they authenticate the IAM user, so treat the secret as a credential.
Enter the secret access key value when you use following methods for S3 staging:
- When the IAM user has access to S3 staging.
- When the IAM user who assumes the S3 IAM role uses the temporary security credentials to access S3.
You do not need to enter the S3 secret access key if you use IAM authentication or the assume role for EC2 to access S3.
Note: If you use the connection for application ingestion and replication or database ingestion and replication tasks that use key-based authentication, provide the secret access key value.
S3 VPC Endpoint Type
The type of Amazon Virtual Private Cloud endpoint for Amazon S3.
You can use a VPC endpoint to enable private communication with Amazon S3.
Select one of the following options:
- Default. Select if you do not want to use a VPC endpoint.
- Interface Endpoint. Select to establish private communication with Amazon S3 through an interface endpoint which uses a private IP address from the IP address range of your subnet. It serves as an entry point for traffic destined to an AWS service.
Endpoint DNS Name for Amazon S3
The DNS name for the Amazon S3 interface endpoint.
Replace the asterisk symbol with the bucket keyword in the DNS name.
Enter the DNS name in the following format:
bucket.<DNS name of the interface endpoint>
For example, bucket.vpce-s3.us-west-2.vpce.amazonaws.com
STS VPC Endpoint Type
The type of Amazon Virtual Private Cloud endpoint for AWS Security Token Service.
You can use a VPC endpoint to enable private communication with Amazon Security Token Service.
Select one of the following options:
- Default. Select if you do not want to use a VPC endpoint.
- Interface Endpoint. Select to establish private communication with Amazon Security Token Service through an interface endpoint which uses a private IP address from the IP address range of your subnet.
Endpoint DNS Name for AWS STS
The DNS name for the AWS STS interface endpoint.
For example, vpce-01f22cc14558c241f-s8039x4c.sts.us-west-2.vpce.amazonaws.com
KMS VPC Endpoint Type
The type of Amazon Virtual Private Cloud endpoint for AWS Key Management Service.
You can use a VPC endpoint to enable private communication with Amazon Key Management Service.
Select one of the following options:
- Default. Select if you do not want to use a VPC endpoint.
- Interface Endpoint. Select to establish private communication with Amazon Key Management Service through an interface endpoint which uses a private IP address from the IP address range of your subnet.
Endpoint DNS Name for AWS KMS
The DNS name for the AWS KMS interface endpoint.
For example, vpce-0e722f5c721e19232-g2pkm2r7.kms.us-west-2.vpce.amazonaws.com
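The S3, STS, and KMS endpoint DNS name properties above all follow the same layout, and the S3 property additionally requires the bucket keyword in place of the asterisk. The following added example (not part of this documentation or of the connector) is a preflight check you can run on the values before saving the connection: it rewrites the wildcard S3 name into the bucket form and confirms that each name belongs to the expected service and to the cluster's region, so that staging traffic does not silently leave the private endpoint. It assumes that real endpoint names follow the `vpce-<endpoint id>.<service>.<region>.vpce.amazonaws.com` layout shown in the STS and KMS examples, and that you pass the region code (for example `us-west-2`) of the cluster.

```python
import re

# Label layout assumed from the STS and KMS examples in the documentation:
#   [bucket.]vpce-<endpoint id>.<service>.<region>.vpce.amazonaws.com
_LABEL_PATTERN = re.compile(
    r"^(?:bucket\.)?vpce-[a-z0-9]+(?:-[a-z0-9]+)*\.(?P<service>[a-z0-9]+)"
    r"\.(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)\.vpce\.amazonaws\.com$"
)


def bucket_style_dns(endpoint_dns: str) -> str:
    """Rewrite the wildcard name the AWS console shows for an S3 interface endpoint
    (*.vpce-...) into the bucket.<DNS name> form the S3 endpoint property expects.
    Names already in bucket form are returned unchanged."""
    if endpoint_dns.startswith("*."):
        return "bucket." + endpoint_dns[2:]
    if endpoint_dns.startswith("bucket."):
        return endpoint_dns
    return "bucket." + endpoint_dns


def check_endpoint_dns(name: str, expected_service: str, cluster_region: str) -> list:
    """Return a list of problems with an interface-endpoint DNS name.
    An empty list means the name is for the expected service, in the cluster's
    region, and (for S3) in bucket form."""
    match = _LABEL_PATTERN.match(name)
    if not match:
        return [f"{name!r} is not a vpce.amazonaws.com interface-endpoint name"]
    problems = []
    if match.group("service") != expected_service:
        problems.append(
            f"expected a {expected_service} endpoint, got {match.group('service')}"
        )
    if match.group("region") != cluster_region:
        problems.append(
            f"endpoint region {match.group('region')} differs from cluster region {cluster_region}"
        )
    if expected_service == "s3" and not name.startswith("bucket."):
        problems.append("S3 interface endpoint name must start with the bucket keyword")
    return problems


if __name__ == "__main__":
    # Constructed sample values (hypothetical endpoint id; the STS name is the one
    # shown in the documentation).
    s3_console_name = "*.vpce-0abc123-x1y2z3.s3.us-west-2.vpce.amazonaws.com"
    s3_name = bucket_style_dns(s3_console_name)
    print(s3_name, check_endpoint_dns(s3_name, "s3", "us-west-2"))
    sts_name = "vpce-01f22cc14558c241f-s8039x4c.sts.us-west-2.vpce.amazonaws.com"
    print(sts_name, check_endpoint_dns(sts_name, "sts", "us-east-1"))
```

Run the check once per endpoint property with the service it belongs to; a non-empty result for the STS or KMS name usually means the endpoint was created in a different VPC or region from the cluster.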
External ID
The external ID associated with the IAM role.
You can specify the external ID to provide more secure access to the Amazon S3 staging bucket, whether the bucket is in the same AWS account or in a different one.
If required, you can also specify the external ID in the AssumeRole request to the AWS Security Token Service (STS), using an external ID condition in the assumed IAM role's trust policy.
This property doesn't apply to application ingestion and replication tasks and database ingestion and replication tasks.
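The external ID condition is what stops a third party from tricking the role into being assumed on its behalf: the trust policy only allows sts:AssumeRole when the request carries the agreed external ID. The following added example (not part of this documentation or of the connector) builds such a trust policy and checks an existing one for AssumeRole grants that lack the condition, which is the defect to look for when reviewing roles used for staging. The account ID and external ID are constructed sample values.

```python
import json

# Constructed sample values: replace with your own.
TRUSTED_ACCOUNT_ID = "111122223333"      # account whose principal assumes the role
EXTERNAL_ID = "example-external-id-42"   # value agreed with the trusted party

# Constructed sample of a trust policy that grants AssumeRole with no external ID.
UNPROTECTED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Return a role trust policy that allows sts:AssumeRole from the given
    account only when the request carries the expected sts:ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value):
    # IAM accepts both a single string and a list for Statement and Action.
    return value if isinstance(value, list) else [value]


def assume_role_statements_missing_external_id(policy: dict) -> list:
    """Return the indexes of Allow statements that grant sts:AssumeRole without a
    StringEquals sts:ExternalId condition. An empty list means every AssumeRole
    grant in the policy requires an external ID."""
    missing = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        # Condition keys are case-insensitive in IAM, so compare in lowercase.
        external_id = next(
            (v for k, v in string_equals.items() if k.lower() == "sts:externalid"),
            None,
        )
        if not external_id:
            missing.append(index)
    return missing


if __name__ == "__main__":
    policy = build_trust_policy(TRUSTED_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))
    print("unprotected statements:", assume_role_statements_missing_external_id(UNPROTECTED_TRUST_POLICY))
```

Attach the generated document as the trust policy of the IAM role you enter in the connection, and enter the same value in the External ID property; the checker can be pointed at any trust policy retrieved from IAM to confirm the condition is present.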
Cluster Region
The AWS geographical region in which the Redshift cluster resides.
Select a cluster region from the list if you provide a custom JDBC URL and want to use a cluster region different from the one specified in the JDBC URL field. To continue using the cluster region specified in the JDBC URL field, select None as the cluster region in this property.
You can only read data from or write data to the cluster regions supported by the AWS SDK.
Select one of the following cluster regions:
None
Asia Pacific(Mumbai)
Asia Pacific(Seoul)
Asia Pacific(Singapore)
Asia Pacific(Sydney)
Asia Pacific(Tokyo)
Asia Pacific(Hong Kong)
AWS GovCloud (US)
AWS GovCloud (US-East)
Canada(Central)
China(Beijing)
China(Ningxia)
EU(Ireland)
EU(Frankfurt)
EU(Paris)
EU(Stockholm)
South America(Sao Paulo)
Middle East(Bahrain)
US East(N. Virginia)
US East(Ohio)
US West(N. California)
US West(Oregon)
Default is None.
Note: A region value is required for application ingestion and replication tasks and database ingestion and replication tasks.
Connection Environment SQL
The SQL statement to set up the database environment that applies to the entire session.
Separate multiple statements with a semicolon (;).
Specify only the configurations for the database environment in the SQL statement. Do not specify any DDL or DML commands in the SQL statement.
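Because the environment SQL runs at the start of every session, it is worth checking that it contains only session settings before it is saved in the connection. The following added example (not part of this documentation or of the connector) splits the value on semicolons, skipping semicolons inside string literals, and rejects statements that start with DDL or DML keywords. The allowlist of session commands (SET and RESET) and the keyword lists are assumptions chosen for the example.

```python
import re

# Assumed allowlist: statements that only change session settings.
_SESSION_KEYWORDS = {"SET", "RESET"}
# Assumed DDL/DML keywords that must not appear in environment SQL.
_FORBIDDEN_KEYWORDS = {
    "CREATE", "ALTER", "DROP", "TRUNCATE", "GRANT", "REVOKE",   # DDL
    "INSERT", "UPDATE", "DELETE", "MERGE", "COPY", "UNLOAD",     # DML / data movement
}


def split_statements(sql: str) -> list:
    """Split on semicolons that are not inside single-quoted string literals.
    A doubled quote ('') inside a literal is an escaped quote, not a terminator."""
    statements, current, in_string = [], [], False
    i = 0
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            if in_string and i + 1 < len(sql) and sql[i + 1] == "'":
                current.append("''")
                i += 2
                continue
            in_string = not in_string
        if ch == ";" and not in_string:
            statements.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    tail = "".join(current).strip()
    if tail:
        statements.append(tail)
    return [s for s in statements if s]


def validate_environment_sql(sql: str) -> list:
    """Return a list of problems; an empty list means every statement is a
    session setting and none is DDL or DML."""
    problems = []
    for stmt in split_statements(sql):
        match = re.match(r"\s*([A-Za-z_]+)", stmt)
        first = match.group(1).upper() if match else ""
        if first in _FORBIDDEN_KEYWORDS:
            problems.append(f"DDL/DML not allowed in environment SQL: {stmt}")
        elif first not in _SESSION_KEYWORDS:
            problems.append(f"not a session setting: {stmt}")
    return problems


if __name__ == "__main__":
    # Constructed sample values.
    good = "SET search_path TO sales; SET statement_timeout TO 60000"
    bad = "SET search_path TO sales; DELETE FROM audit_log"
    print(validate_environment_sql(good))   # []
    print(validate_environment_sql(bad))    # one problem for the DELETE
```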
Master Symmetric Key
A 256-bit AES encryption key in the Base64 format that enables client-side encryption to encrypt your data before you send it for staging in Amazon S3.
This property doesn't apply to application ingestion and replication tasks and database ingestion and replication tasks.
Customer Master Key ID
The customer master key ID generated by AWS Key Management Service (AWS KMS) or the ARN of your custom key for cross-account access when you stage data in Amazon S3. The customer master key serves to encrypt your data at the destination before it is saved in Amazon S3.
You can either enter the customer-generated customer master key ID or the default customer master key ID.
For more information about how to configure server-side encryption, see Enable encryption.
This property doesn't apply to application ingestion and replication tasks and database ingestion and replication tasks.
Proxy server settings
If your organization uses an outgoing proxy server to connect to the Internet, the Secure Agent connects to Informatica Intelligent Cloud Services through the proxy server.
You can configure the Secure Agent to use the proxy server on Windows and Linux. You can use only an unauthenticated proxy server.
To configure the proxy settings for the Secure Agent, use one of the following methods:
• Configure the Secure Agent through the Secure Agent Manager on Windows or the shell command on Linux.
• Configure the JVM options for the DTM in the Secure Agent properties. For instructions, see the Proxy server settings Knowledge Base article.
Note: If you enable both HTTP and SOCKS proxies, the SOCKS proxy is used by default. If you want to use the HTTP proxy instead of the SOCKS proxy, set the value of the DisableSocksProxy property to true in the System property.
Private communication with Amazon Redshift
If you do not want to expose your traffic to the public internet, you can enable private communication with Amazon Redshift by configuring a gateway endpoint on the AWS console.
To establish a private connection with Amazon Redshift, ensure that the Secure Agent is a part of the subnet in the AWS Virtual Private Cloud (VPC). You can create a gateway endpoint and stage the Amazon S3 data to Amazon Redshift.
To configure private communication to connect to Amazon Redshift, you need to perform the following tasks:
• Create a cluster subnet group.
• Create a Redshift-managed VPC endpoint.
• Configure the gateway endpoint.
You can then specify the gateway endpoint in the Amazon Redshift V2 connection properties.