Configure Redshift IAM role
Overview
Redshift IAM Role Authentication offers an additional layer of security by leveraging AWS IAM roles. This method eliminates the need to expose your Redshift cluster credentials, providing enhanced control and reducing the risk of credential compromise.
With Redshift IAM Role Authentication, Connector automatically manages the rotation of temporary credentials for each connection, ensuring that security is maintained without manual intervention.
Goals
The goals of implementing Redshift IAM Role Authentication in Connector are as follows:
- Enhanced Security: Eliminate the need to expose your Redshift cluster credentials, reducing the risk of credential compromise.
- Automated Credential Rotation: Enjoy automatic management and rotation of temporary credentials by Connector, ensuring consistent security without manual intervention.
- Granular Access Control: Provide temporary and scoped access to Connector for specific actions on your Redshift resources.
Prerequisites
Before configuring Redshift IAM Role Authentication, ensure the following prerequisites are met:
- Basic understanding of AWS Identity and Access Management (IAM) concepts.
- A running Amazon Redshift cluster to which you want to grant Connector access.
- Access to the Admin Portal to retrieve IAM policy and trust relationship templates.
To configure Redshift IAM Role Authentication, follow the steps outlined below.
Step-by-Step configuration
Create an IAM Role:
In your AWS subaccount, create an IAM role for Connector with the following tag:
- Key:
accelbyte-service
- Value:
accelbyte-analytics-connector-service
- Key:
Create and Attach a Policy:
Create a policy based on the template provided in the Admin Portal. This policy grants Connector the necessary permissions to interact with your Redshift resources. Attach this policy to the IAM role created in the previous step.
Policy Template:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowRedshift",
"Effect": "Allow",
"Action": [
"redshift:GetClusterCredentials"
],
"Resource": "*"
}
]
}Implement Trust Relationship
Implement the trust relationship in your AWS role based on the template provided in the Admin Portal. This trust relationship allows cross-access between services and ensures that Connector can assume the IAM role.
Trust Relationship Template:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCrossAccess",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<accelbyte-aws-account-id>:root"
},
"Action": [
"sts:AssumeRole"
],
"Condition": {
"StringEquals": {
"sts:ExternalId": "<external-id>"
}
}
}
]
}Save the AWS Role ARN
Save the AWS Role ARN that you just created, the arn has the format
arn:aws:iam::<aws-account-id>:role/<role-name>
. Later it will be used in the Redshift connector configuration.