Configure an AssumeRole to enable Redshift IAM users to generate temporary security credentials to access Amazon Redshift.
For more information about configuring an AssumeRole, see the following How-to-Library article:
Configure AssumeRole authentication for Amazon Redshift V2 Connector
Generate the temporary security credentials based on your requirements.
Generate temporary security credential policies for Amazon Redshift
To use the temporary security credentials to connect to Amazon Redshift, both the IAM user and IAM role require policies.
The following section lists the policies required for the IAM user and IAM role:
- IAM user
- An IAM user must have a policy that allows sts:AssumeRole on the Redshift IAM role, in the same or in a different AWS account, to obtain the temporary security credentials. The IAM user's access key and secret key are the values you enter for the Redshift access key and Redshift secret key in the connection properties.
- The following sample policy allows an IAM user to assume the Redshift IAM role in an AWS account. Scope the Resource to the specific role ARN rather than "*", so the user's long-lived keys can only be exchanged for that role's credentials:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::<ACCOUNT-ID-WITHOUT-HYPHENS>:role/<REDSHIFT-IAM-ROLE-NAME>"
  }
}
- Redshift IAM role trust policy
- The trust policy applies to the role that is specified in the Redshift IAM Role ARN. The role must have a trust policy that names the IAM user as a principal allowed to call sts:AssumeRole; the user's own sts:AssumeRole permission is not sufficient on its own, because IAM evaluates both sides of the assumption.
The following policy is a sample trust policy. The principal is the full ARN of the IAM user (note the user/ prefix):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<AWS-account-ID>:user/<IAM-USER>" },
      "Action": "sts:AssumeRole"
    }
  ]
}
For example, you can specify the role or user in the following format:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<AWS-account>:role/<name-of-the-role>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<AWS-account>:user/<name-of-the-user>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
- Minimum permission policies of the Redshift IAM role
The following policy shows the permissions required for the Redshift IAM Role when the IAM user assumes it to connect to the Redshift database as an existing Amazon Redshift database user. redshift:GetClusterCredentials is evaluated against the dbuser and dbname resources, so naming the specific user and database limits which database identity the role can obtain credentials for. redshift:DescribeClusters is evaluated against the cluster resource, not the dbuser or dbname resources, so the cluster ARN is listed as well:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "redshift:GetClusterCredentials",
        "redshift:DescribeClusters"
      ],
      "Resource": [
        "arn:aws:redshift:<REGION>:<ACCOUNT-ID>:dbuser:<Cluster_Identifier>/<USER_NAME>",
        "arn:aws:redshift:<REGION>:<ACCOUNT-ID>:dbname:<Cluster_Identifier>/<DATABASE_NAME>",
        "arn:aws:redshift:<REGION>:<ACCOUNT-ID>:cluster:<Cluster_Identifier>"
      ]
    }
  ]
}
The following policy shows the permissions the Redshift IAM Role needs when the IAM user assumes it to connect with a database user that the connector creates because the Auto create DBUser check box is selected. redshift:CreateClusterUser is evaluated against the dbuser resource and redshift:JoinGroup against the dbgroup resource of each group the new user is added to, so list only the user name and groups the connector is meant to use:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "redshift:GetClusterCredentials",
        "redshift:DescribeClusters",
        "redshift:CreateClusterUser",
        "redshift:JoinGroup"
      ],
      "Resource": [
        "arn:aws:redshift:<REGION>:<ACCOUNT-ID>:dbuser:<Cluster_Identifier>/<USER_NAME>",
        "arn:aws:redshift:<REGION>:<ACCOUNT-ID>:dbname:<Cluster_Identifier>/<DATABASE_NAME>",
        "arn:aws:redshift:<REGION>:<ACCOUNT-ID>:dbgroup:<Cluster_Identifier>/<GROUP_NAME>",
        "arn:aws:redshift:<REGION>:<ACCOUNT-ID>:cluster:<Cluster_Identifier>"
      ]
    }
  ]
}
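The three policies above (the IAM user's sts:AssumeRole policy, the role's trust policy, and the role's Redshift permission policy) only work together when each one names the other side correctly, and a gap in any of them surfaces as an AccessDenied at connection time. The following script is an added example, not part of the connector or its documentation: it evaluates the three policy documents the way IAM evaluates the two calls the connector makes (sts:AssumeRole by the user, then redshift:GetClusterCredentials by the assumed role, plus CreateClusterUser and JoinGroup when Auto create DBUser and groups are used), and reports any missing grant before a connection is attempted. The account ID, user and role names, cluster identifier, database, user and group names are all constructed for the example. It handles the single-statement and list forms of Statement, Action and Resource, IAM wildcards, and explicit Deny; it does not model account-root principals or condition keys.

```python
"""Preflight check of the AssumeRole -> GetClusterCredentials policy chain.

Added example, not code from the connector or its documentation. All ARNs,
names and the account ID below are constructed for the example.
"""
import fnmatch


def _as_list(value):
    # IAM accepts a scalar or a list for Statement, Action, Resource and Principal.
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    # IAM wildcards (* and ?) map directly onto fnmatch; ARNs contain no [ ].
    return fnmatch.fnmatchcase(value, pattern)


def allows(policy, action, resource):
    """True if an Allow statement matches action+resource and no Deny does."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        action_ok = any(_match(a, action) for a in _as_list(stmt.get("Action", [])))
        resource_ok = any(_match(r, resource) for r in _as_list(stmt.get("Resource", [])))
        if action_ok and resource_ok:
            if stmt["Effect"] == "Deny":
                return False  # explicit Deny always wins
            allowed = True
    return allowed


def trusts(trust_policy, principal_arn):
    """True if the trust policy lets exactly principal_arn call sts:AssumeRole."""
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        if principal_arn in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            return True
    return False


def preflight(user_policy, trust_policy, role_policy, *, user_arn, role_arn,
              region, account, cluster, db_user, db_name,
              auto_create=False, db_groups=()):
    """Return the list of policy gaps for the connector's credential flow (empty = OK)."""
    problems = []
    # Step 1: the IAM user calls sts:AssumeRole on the Redshift IAM Role ARN.
    if not allows(user_policy, "sts:AssumeRole", role_arn):
        problems.append(f"user policy does not allow sts:AssumeRole on {role_arn}")
    # Step 2: the role's trust policy must name that user as a principal.
    if not trusts(trust_policy, user_arn):
        problems.append(f"role trust policy does not trust {user_arn}")
    # Step 3: the assumed role calls redshift:GetClusterCredentials, evaluated
    # against the dbuser and dbname ARNs; Auto create DBUser adds CreateClusterUser
    # on the dbuser ARN and each group adds JoinGroup on its dbgroup ARN.
    prefix = f"arn:aws:redshift:{region}:{account}:"
    dbuser_arn = f"{prefix}dbuser:{cluster}/{db_user}"
    needed = [("redshift:GetClusterCredentials", dbuser_arn),
              ("redshift:GetClusterCredentials", f"{prefix}dbname:{cluster}/{db_name}")]
    if auto_create:
        needed.append(("redshift:CreateClusterUser", dbuser_arn))
    for group in db_groups:
        needed.append(("redshift:JoinGroup", f"{prefix}dbgroup:{cluster}/{group}"))
    for action, resource in needed:
        if not allows(role_policy, action, resource):
            problems.append(f"role policy does not allow {action} on {resource}")
    return problems


# Constructed sample identities and policies, mirroring the page's templates.
ACCOUNT = "123456789012"
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/etl-user"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/RedshiftConnectorRole"
CLUSTER = {"region": "us-east-1", "account": ACCOUNT, "cluster": "analytics",
           "db_user": "etl_user", "db_name": "prod"}
_RS = f"arn:aws:redshift:us-east-1:{ACCOUNT}:"

USER_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": USER_ARN}, "Action": "sts:AssumeRole"}]}
ROLE_POLICY_MIN = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["redshift:GetClusterCredentials", "redshift:DescribeClusters"],
    "Resource": [f"{_RS}dbuser:analytics/etl_user", f"{_RS}dbname:analytics/prod",
                 f"{_RS}cluster:analytics"]}]}
ROLE_POLICY_AUTOCREATE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["redshift:GetClusterCredentials", "redshift:DescribeClusters",
               "redshift:CreateClusterUser", "redshift:JoinGroup"],
    "Resource": [f"{_RS}dbuser:analytics/etl_user", f"{_RS}dbname:analytics/prod",
                 f"{_RS}dbgroup:analytics/readers", f"{_RS}cluster:analytics"]}]}

if __name__ == "__main__":
    # Minimum policy with an existing database user: prints [] (no gaps).
    print(preflight(USER_POLICY, TRUST_POLICY, ROLE_POLICY_MIN,
                    user_arn=USER_ARN, role_arn=ROLE_ARN, **CLUSTER))
    # Same minimum policy but Auto create DBUser plus a group: two gaps reported.
    for gap in preflight(USER_POLICY, TRUST_POLICY, ROLE_POLICY_MIN,
                         user_arn=USER_ARN, role_arn=ROLE_ARN, **CLUSTER,
                         auto_create=True, db_groups=("readers",)):
        print("gap:", gap)
```

Run it with real policy documents by loading them with json.load from the output of `aws iam get-user-policy`, `aws iam get-role` (the AssumeRolePolicyDocument field) and `aws iam get-role-policy`, and pass the same region, cluster identifier, database user and database name that you enter in the connection properties. A non-empty result identifies which of the three documents to fix; the per-step ordering matches the order in which AWS would reject the connector's calls.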