Configure Redshift IAM role
Overview
Redshift IAM Role Authentication adds a layer of security by using AWS IAM roles: Connector obtains short-lived database credentials through an IAM role that you own and control, so your Redshift cluster credentials are never exposed to Connector. This gives you more control over what Connector can do and reduces the risk of credential compromise.
With Redshift IAM Role Authentication, Connector automatically requests and rotates the temporary credentials for each connection, so security is maintained without manual intervention.
Goals
The goals of implementing Redshift IAM Role Authentication in Connector are as follows:
- Enhanced Security: Eliminate the need to expose your Redshift cluster credentials, reducing the risk of credential compromise.
- Automated Credential Rotation: Enjoy automatic management and rotation of temporary credentials by Connector, ensuring consistent security without manual intervention.
- Granular Access Control: Provide temporary and scoped access to Connector for specific actions on your Redshift resources.
Prerequisites
Before configuring Redshift IAM Role Authentication, ensure the following prerequisites are met:
- Basic understanding of AWS Identity and Access Management (IAM) concepts.
- A running Amazon Redshift cluster to which you want to grant Connector access.
- Access to the Admin Portal to retrieve IAM policy and trust relationship templates.
To configure Redshift IAM Role Authentication, follow the steps outlined below.
Step-by-Step configuration
Create IAM Policy:
Create a policy based on the template provided in the Admin Portal. This policy grants Connector the permissions it needs to obtain temporary credentials for your Redshift resources. Later, attach this policy to the IAM role you create.
Keep only the action that matches your cluster type: redshift:GetClusterCredentials for a provisioned Redshift cluster, or redshift-serverless:GetCredentials for Redshift Serverless.
Policy Template:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowRedshift",
"Effect": "Allow",
"Action": [
"redshift:GetClusterCredentials",
"redshift-serverless:GetCredentials"
],
"Resource": "*"
}
]
}
Create an IAM Role:
Choose Custom trust policy and use the trust policy template provided in the Admin Portal. This trust relationship allows the AccelByte AWS account to assume the IAM role with sts:AssumeRole. The sts:ExternalId condition restricts the assumption to requests that carry the external ID shown in the Admin Portal, which prevents another party that knows your role ARN from using AccelByte's account to assume it (the confused-deputy problem). Do not remove the condition.
Trust Relationship Policy Template:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCrossAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<accelbyte-aws-account-id>:root"
},
"Action": [
"sts:AssumeRole"
],
"Condition": {
"StringEquals": {
"sts:ExternalId": "<external-id>"
}
}
}
]
}
Attach the policy you created to the IAM role.
Review the IAM role and click Create role.
Add tags to the IAM Role:
Add the following tags to the IAM role so that Connector can identify the role:
- Key: accelbyte-service
  Value: accelbyte-analytics-connector-service
- Key:
Save the AWS Role ARN:
Save the ARN of the role you just created. It has the format
arn:aws:iam::<aws-account-id>:role/<role-name>
and is used later in the Redshift connector configuration.
Enable Publicly Accessible on the Redshift Cluster:
Ensure that your Redshift cluster is publicly accessible. If it is not, enable it by modifying the cluster settings in the AWS Management Console. Note that this gives the cluster endpoint a public address; authentication still depends on the temporary credentials issued through the IAM role, so keep the role's trust policy and permissions as tight as the templates above.
Add Inbound Rules to the Redshift Cluster Security Group:
Add an inbound rule of type Redshift (TCP, the cluster's port, 5439 by default) with source Anywhere-IPv4 (0.0.0.0/0) to the Redshift cluster's security group to allow traffic from the Connector service. This opens the cluster port to the whole internet; if you know the egress addresses Connector connects from, restrict the source to those instead.
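The console steps above as a single AWS CLI script, added here as an example; it is not AccelByte's own tooling. The role name, policy name, cluster identifier, security group ID and the account and external ID arguments are assumptions you must replace with your own values and the values shown in the Admin Portal, and it assumes the cluster listens on the default port 5439. The script generates the permissions policy for the chosen cluster type, checks the trust policy for the sts:ExternalId condition before creating anything, creates and tags the role, attaches the policy, prints the role ARN, and finally performs the two network-exposure steps.

```shell
#!/bin/sh
# Example script (not from the page or from AccelByte). Requires the aws CLI with
# credentials for YOUR account. Placeholders below are assumptions: replace them.
set -eu

ROLE_NAME="${ROLE_NAME:-accelbyte-analytics-connector}"      # assumed name
POLICY_NAME="${POLICY_NAME:-AccelByteRedshiftCredentials}"   # assumed name

# Permissions policy: grant only the credential-issuing action for the cluster type.
permissions_policy_doc() {
  case "$1" in
    provisioned) action='"redshift:GetClusterCredentials"' ;;
    serverless)  action='"redshift-serverless:GetCredentials"' ;;
    *) echo "usage: permissions_policy_doc provisioned|serverless" >&2; return 1 ;;
  esac
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "AllowRedshift", "Effect": "Allow", "Action": [ $action ], "Resource": "*" }
  ]
}
EOF
}

# Trust policy: only the given account may assume the role, and only with the external ID.
trust_policy_doc() {
  account_id="$1"; external_id="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccess",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${account_id}:root" },
      "Action": [ "sts:AssumeRole" ],
      "Condition": { "StringEquals": { "sts:ExternalId": "${external_id}" } }
    }
  ]
}
EOF
}

# Offline check run before anything is created: reject a trust document that lacks
# the sts:ExternalId condition or that trusts a different account.
check_trust_doc() {
  doc="$1"; account_id="$2"; external_id="$3"
  printf '%s' "$doc" | grep -qF "\"sts:ExternalId\": \"${external_id}\"" || return 1
  printf '%s' "$doc" | grep -qF "arn:aws:iam::${account_id}:root" || return 1
  return 0
}

# Create the role with the required tag, create and attach the policy, print the ARN.
provision_role() {
  cluster_type="$1"; account_id="$2"; external_id="$3"
  trust="$(trust_policy_doc "$account_id" "$external_id")"
  check_trust_doc "$trust" "$account_id" "$external_id" || { echo "bad trust policy" >&2; return 1; }
  printf '%s' "$trust" > trust.json
  permissions_policy_doc "$cluster_type" > policy.json

  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document file://trust.json \
    --tags Key=accelbyte-service,Value=accelbyte-analytics-connector-service
  policy_arn="$(aws iam create-policy --policy-name "$POLICY_NAME" \
    --policy-document file://policy.json --query Policy.Arn --output text)"
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$policy_arn"
  # This ARN goes into the Redshift connector configuration.
  aws iam get-role --role-name "$ROLE_NAME" --query Role.Arn --output text
}

# Network exposure steps. 0.0.0.0/0 is what the page asks for; narrow the CIDR if
# Connector's egress addresses are known to you.
expose_cluster() {
  cluster_id="$1"; sg_id="$2"
  aws redshift modify-cluster --cluster-identifier "$cluster_id" --publicly-accessible
  aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
    --protocol tcp --port 5439 --cidr 0.0.0.0/0
}

# Usage (nothing is changed in AWS unless "apply" is given):
#   sh configure-role.sh apply provisioned <accelbyte-aws-account-id> <external-id> <cluster-id> <sg-id>
if [ "${1:-}" = "apply" ]; then
  provision_role "$2" "$3" "$4"
  expose_cluster "$5" "$6"
fi
```

Run it once with the account ID and external ID from the Admin Portal; the trust-document check is deliberately placed before the create-role call so that a copy of the template with the condition stripped never reaches AWS.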