Amazon Redshift Connector Guide > Introduction to Amazon Redshift Connector > Administration of Amazon Redshift Connector

Administration of Amazon Redshift Connector

As a user, you can use Amazon Redshift Connector after the organization administrator ensures that users have access to the Secure Agent directory that contains the success and error files. This directory path must be the same on each Secure Agent machine in the runtime environment. The organization administrator must also perform the following tasks:

•Mandatory. Get the Amazon Redshift JDBC URL.
•Mandatory. Manage Authentication. Use either of the following two methods:

- Create an Access Key ID and Secret Access Key. Applicable when Secure Agent is not installed on Amazon Elastic Compute Cloud (EC2) system and you want to run tasks on Secure Agent. Provide the values for Access Key ID and Secret Access Key when you configure the Amazon Redshift connection.
- Configure AWS Identity and Access Management (IAM) Authentication. For enhanced security. Applicable when you install Secure Agent on Amazon EC2 system and you want to run tasks on Secure Agent installed on the EC2 system. If you use IAM authentication, do not provide Access Key ID and Secret Access Key explicitly in the Amazon Redshift connection. Instead, you must create an Redshift Role Amazon Resource Name (ARN), add the minimal Amazon S3 bucket policy to the Redshift Role ARN, and add the Redshift Role ARN to the Redshift cluster.

Provide the Redshift Role ARN in the AWS_IAM_ROLE option in the UNLOAD and COPY commands when you create a task.

If you specify both, Access Key ID and Secret Access Key in the connection properties and AWS_IAM_ROLE in the UNLOAD and COPY commands, AWS_IAM_ROLE takes the precedence.

You must add IAM EC2 role and IAM Redshift role to the customer master key when you use IAM authentication and server-side encryption using customer master key.

Hosted Agent does not support IAM authentication. For more information about how to configure IAM authentication for Amazon Redshift connector, see IAM Authentication

•Optional. Configure Amazon Redshift for SSL.
•Optional. Create a master symmetric key to enable client-side encryption.
•Optional. Create an AWS Key Management Service (AWS KMS)-managed customer master key to enable server-side encryption.
•Optional. Create minimal Amazon S3 bucket policy for Amazon Redshift Connector.

Get the Amazon Redshift JDBC URL

1. Log in to Amazon Web Services management console and navigate to the Amazon Redshift management section.

2. Click Clusters.

3. Copy the JDBC URL listed in the Cluster Database Properties section to a notepad file and save the file.

Create Minimal Amazon S3 Bucket Policy

The minimal Amazon S3 bucket policy ensures Amazon Redshift performs read and write operations successfully.

You can restrict user operations and user access to particular Amazon S3 buckets by assigning an AWS IAM policy to users. Configure the AWS IAM policy through the AWS console. Following are the minimum required permissions for users to successfully read data from and write data to Amazon Redshift resources.

•PutObject
•GetObject
•GetObjectVersion
•DeleteObject
•DeleteObjectVersion
•ListBucket
•GetBucketPolicy

Sample Policy:

{

"Version": "2012-10-17", "Statement": [

{ "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:GetObjectVersion", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:ListBucket", "s3:GetBucketPolicy" ], "Resource": [ "arn:aws:s3:::<specify_bucket_name>/*", "arn:aws:s3:::<specify_bucket_name>" ] }

]

}

You must make sure that the Amazon S3 bucket and Amazon Redshift cluster reside in the same region to run a session successfully.

The supported regions are:

•Asia Pacific (Mumbai)
•Asia Pacific (Seoul)
•Asia Pacific (Singapore)
•Asia Pacific (Sydney)
•Asia Pacific (Tokyo)
•AWS GovCloud
•Canada (Central)
•China (Bejing)
•EU (Ireland)
•EU (Frankfurt)
•South America (Sao Paulo)
•US East (N. Virginia)
•US East (Ohio)
•US West (N. California)
•US West (Oregon)

IAM Authentication

Optional. You can configure IAM authentication when on an Amazon Elastic Compute Cloud (EC2) system. Use IAM authentication for secure and controlled access to Amazon Redshift resources when you run

Use IAM authentication when you want to run on an EC2 system. Perform the following steps to configure IAM authentication:

•Step 1: Create Minimal Amazon S3 Bucket Policy. For more information, see Create Minimal Amazon S3 Bucket Policy.
•Step 2: Create the Amazon EC2 role. For more information, see Create the Amazon EC2 Role
•Step 3: Create an EC2 instance. Assign the Amazon EC2 role that you created in step #2 to the EC2 instance.
•Step 4: Create the Amazon Redshift Role ARN. For more information, see Create the Amazon Redshift Role
•Step 5: Add the Amazon Redshift Role ARN to the Amazon Redshift cluster. For more information, see Add Amazon Redshift Role to the Redshift Cluster
•Step 6: Install on the EC2 system.

Create the Amazon EC2 Role

The Amazon EC2 role is used when you create an EC2 system in the Redshift cluster.

Perform the following steps to create the Amazon EC2 role:

1. Log in to the AWS Console.
2. Click Identity & Access Management.
3. Select Role under the Details menu and click Create New Role.
4. Specify the name of the role in the Set Role Name page.
5. Click Next Step.
6. Select the Amazon EC2 role type in the Select Role Type page.
7. Select the required Amazon S3 policy in the Attach Policy page.
8. Click Next Step.
9. Review the Role Name, Role ARN, Trusted Entities, and Policies values in the Review page.
10. Click Create Role.

After creating the Amazon EC2 role, create an EC2 instance. Assign the Amazon EC2 role to the EC2 instance.

Create the Amazon Redshift Role

Use Amazon Redshift Role for secure access to Amazon Redshift resources.

Perform the following steps to create the Amazon Redshift Role:

1. Log in to the AWS Console.
2. Click Identity & Access Management.
3. Select Role under the Details menu and click Create New Role.
4. Specify the name of the role in the Set Role Name page.
5. Click Next Step.
6. Select the Amazon Redshift role type in the Select Role Type page.
7. Select the required Amazon S3 policy in the Attach Policy page.
8. Click Next Step.
9. Review the Role Name, Role ARN, Trusted Entities, and Policies values in the Review page.
10. Click Create Role.

After you create the Amazon Redshift Role, verify that you assign this role to the Amazon Redshift cluster to successfully perform the read and write operations.

You can use the Role ARN in the UNLOAD and COPY commands.

Add Amazon Redshift Role to the Redshift Cluster

Perform the following steps to add the Amazon Redshift Role to the Redshift cluster:

1. Log in to the AWS Console.
2. Click Redshift under the Database option.
3. Click Clusters under Dashboard and select your cluster.
4. Click Manage IAM Roles. The Manage IAM roles dialog box displays.
5. Select the required Amazon Redshift role.
6. Click Apply changes.

After you add the Amazon Redshift Role to the Redshift cluster, install on the EC2 instance.

Configure Amazon Redshift for SSL

You can configure the Secure Agent to support an SSL connection to Amazon Redshift.

1. Download the Amazon Redshift certificate from the following location: https://s3.amazonaws.com/redshift-downloads/redshift-ssl-ca-cert.pem.

2. Run the following command to add the certificate file to the key store: ${JAVA_HOME}/bin/keytool –keystore {JAVA_HOME}/lib/security/cacerts -import -alias <string_value> -file <certificate_filepath>.

3. In Administrator, select Runtime Environments.

4. Select the Secure Agent for which you want to increase memory from the list of available Secure Agents.

5. In the upper-right corner, click Edit.

6. In the System Configuration Details section, change the Type to DTM.

7. Click the Edit Agent Configuration icon next to JVMOption1 and add the following command: - Djavax.net.ssl.trustStore=<keystore_name>.

8. Click the Edit Agent Configuration icon next to JVMOption2 and add the following command:- Djavax.net.ssl.trustStorePassword=<password>.

9. Add the following parameter to the JDBC URL you specified in your Amazon Redshift connection properties: ssl=true. For example, jdbc:redshift://mycluster.xyz789.us-west- 2.redshift.amazonaws.com:5439/dev?ssl=true.

10. Click OK to save your changes.