Actions, resources, and condition keys for Amazon Redshift - Service Authorization Reference

Amazon Redshift (service prefix: redshift) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions defined by Amazon Redshift

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. The Resource types (*required) column of the Actions table links each action to its resource types, and the Condition keys column of the Resource types table lists the resource condition keys (for this service, aws:ResourceTag/${TagKey}) that then apply to that action.

For details about the columns in the following table, see Actions table.

Action | Description | Access level | Resource types (*required) | Condition keys | Dependent actions
AcceptReservedNodeExchange | Grants permission to exchange a DC1 reserved node for a DC2 reserved node with no changes to the configuration | Write | - | - | -
AddPartner | Grants permission to add a partner integration to a cluster | Write | - | - | -
AssociateDataShareConsumer | Grants permission to associate a consumer to a datashare | Write | datashare* | redshift:ConsumerArn, redshift:AllowWrites | -
AuthorizeClusterSecurityGroupIngress | Grants permission to add an inbound (ingress) rule to an Amazon Redshift security group | Write | securitygroup*, securitygroupingress-ec2securitygroup* | - | -
AuthorizeDataShare | Grants permission to authorize the specified datashare consumer to consume a datashare | Permissions management | datashare* | redshift:ConsumerIdentifier, redshift:AllowWrites | -
AuthorizeEndpointAccess | Grants permission to authorize endpoint-related activities for a Redshift-managed VPC endpoint | Permissions management | - | - | -
AuthorizeSnapshotAccess | Grants permission to the specified AWS account to restore a snapshot | Permissions management | snapshot* | - | -
BatchDeleteClusterSnapshots | Grants permission to delete snapshots in a batch of up to 100 | Write | snapshot* | - | -
BatchModifyClusterSnapshots | Grants permission to modify settings for a list of snapshots | Write | snapshot* | - | -
CancelQuery [permission only] | Grants permission to cancel a query through the Amazon Redshift console | Write | - | - | -
CancelQuerySession [permission only] | Grants permission to see queries in the Amazon Redshift console | Write | - | - | -
CancelResize | Grants permission to cancel a resize operation | Write | cluster* | - | -
CopyClusterSnapshot | Grants permission to copy a cluster snapshot | Write | snapshot* | aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateAuthenticationProfile | Grants permission to create an Amazon Redshift authentication profile | Write | - | - | -
CreateCluster | Grants permission to create a cluster | Write | cluster* | aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateClusterParameterGroup | Grants permission to create an Amazon Redshift parameter group | Write | parametergroup* | aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateClusterSecurityGroup | Grants permission to create an Amazon Redshift security group | Write | securitygroup* | aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateClusterSnapshot | Grants permission to create a manual snapshot of the specified cluster | Write | snapshot* | aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateClusterSubnetGroup | Grants permission to create an Amazon Redshift subnet group | Write | subnetgroup* | aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateClusterUser | Grants permission to automatically create the specified Amazon Redshift user if it does not exist | Permissions management | dbuser* | redshift:DbUser | -
CreateCustomDomainAssociation | Grants permission to create a custom domain name for a cluster | Write | cluster* | - | acm:DescribeCertificate
CreateEndpointAccess | Grants permission to create a Redshift-managed VPC endpoint | Write | - | - | -
CreateEventSubscription | Grants permission to create an Amazon Redshift event notification subscription | Write | eventsubscription* | aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateHsmClientCertificate | Grants permission to create an HSM client certificate that a cluster uses to connect to an HSM | Write | hsmclientcertificate* | aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateHsmConfiguration | Grants permission to create an HSM configuration that contains information required by a cluster to store and use database encryption keys in a hardware security module (HSM) | Write | hsmconfiguration* | aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateQev2IdcApplication [permission only] | Grants permission to create a qev2 idc application | Write | - | - | sso:CreateApplication, sso:PutApplicationAccessScope, sso:PutApplicationAuthenticationMethod, sso:PutApplicationGrant
CreateRedshiftIdcApplication | Grants permission to create a redshift idc application | Write | - | - | sso:CreateApplication, sso:PutApplicationAccessScope, sso:PutApplicationAuthenticationMethod, sso:PutApplicationGrant
CreateSavedQuery [permission only] | Grants permission to create saved SQL queries through the Amazon Redshift console | Write | - | - | -
CreateScheduledAction | Grants permission to create an Amazon Redshift scheduled action | Write | - | - | -
CreateSnapshotCopyGrant | Grants permission to create a snapshot copy grant and encrypt copied snapshots in a destination AWS Region | Permissions management | snapshotcopygrant* | aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateSnapshotSchedule | Grants permission to create a snapshot schedule | Write | snapshotschedule* | aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateTags | Grants permission to add one or more tags to a specified resource | Tagging | cluster, dbgroup, dbname, dbuser, eventsubscription, hsmclientcertificate, hsmconfiguration, parametergroup, securitygroup, securitygroupingress-cidr, securitygroupingress-ec2securitygroup, snapshot, snapshotcopygrant, snapshotschedule, subnetgroup, usagelimit | aws:RequestTag/${TagKey}, aws:TagKeys | -
CreateUsageLimit | Grants permission to create a usage limit | Write | usagelimit* | aws:RequestTag/${TagKey}, aws:TagKeys | -
DeauthorizeDataShare | Grants permission to remove permission from the specified datashare consumer to consume a datashare | Permissions management | datashare* | redshift:ConsumerIdentifier | -
DeleteAuthenticationProfile | Grants permission to delete an Amazon Redshift authentication profile | Write | - | - | -
DeleteCluster | Grants permission to delete a previously provisioned cluster | Write | cluster* | - | -
DeleteClusterParameterGroup | Grants permission to delete an Amazon Redshift parameter group | Write | parametergroup* | - | -
DeleteClusterSecurityGroup | Grants permission to delete an Amazon Redshift security group | Write | securitygroup* | - | -
DeleteClusterSnapshot | Grants permission to delete a manual snapshot | Write | snapshot* | - | -
DeleteClusterSubnetGroup | Grants permission to delete a cluster subnet group | Write | subnetgroup* | - | -
DeleteCustomDomainAssociation | Grants permission to delete a custom domain name for a cluster | Write | cluster* | - | -
DeleteEndpointAccess | Grants permission to delete a Redshift-managed VPC endpoint | Write | - | - | -
DeleteEventSubscription | Grants permission to delete an Amazon Redshift event notification subscription | Write | eventsubscription* | - | -
DeleteHsmClientCertificate | Grants permission to delete an HSM client certificate | Write | hsmclientcertificate* | - | -
DeleteHsmConfiguration | Grants permission to delete an Amazon Redshift HSM configuration | Write | hsmconfiguration* | - | -
DeletePartner | Grants permission to delete a partner integration from a cluster | Write | - | - | -
DeleteQev2IdcApplication [permission only] | Grants permission to delete a qev2 idc application | Write | qev2idcapplication* | - | sso:DeleteApplication
DeleteRedshiftIdcApplication | Grants permission to delete a redshift idc application | Write | redshiftidcapplication* | - | sso:DeleteApplication
DeleteResourcePolicy | Grants permission to delete the resource policy for a specified resource | Permissions management | namespace* | - | -
DeleteSavedQueries [permission only] | Grants permission to delete saved SQL queries through the Amazon Redshift console | Write | - | - | -
DeleteScheduledAction | Grants permission to delete an Amazon Redshift scheduled action | Write | - | - | -
DeleteSnapshotCopyGrant | Grants permission to delete a snapshot copy grant | Write | snapshotcopygrant* | - | -
DeleteSnapshotSchedule | Grants permission to delete a snapshot schedule | Write | snapshotschedule* | - | -
DeleteTags | Grants permission to delete a tag or tags from a resource | Tagging | cluster, dbgroup, dbname, dbuser, eventsubscription, hsmclientcertificate, hsmconfiguration, parametergroup, securitygroup, securitygroupingress-cidr, securitygroupingress-ec2securitygroup, snapshot, snapshotcopygrant, snapshotschedule, subnetgroup, usagelimit | aws:TagKeys | -
DeleteUsageLimit | Grants permission to delete a usage limit | Write | usagelimit* | - | -
DescribeAccountAttributes | Grants permission to describe attributes attached to the specified AWS account | Read | - | - | -
DescribeAuthenticationProfiles | Grants permission to describe created Amazon Redshift authentication profiles | Read | - | - | -
DescribeClusterDbRevisions | Grants permission to describe database revisions for a cluster | List | - | - | -
DescribeClusterParameterGroups | Grants permission to describe Amazon Redshift parameter groups, including parameter groups you created and the default parameter group | Read | - | - | -
DescribeClusterParameters | Grants permission to describe parameters contained within an Amazon Redshift parameter group | Read | parametergroup* | - | -
DescribeClusterSecurityGroups | Grants permission to describe Amazon Redshift security groups | Read | - | - | -
DescribeClusterSnapshots | Grants permission to describe one or more snapshot objects, which contain metadata about your cluster snapshots | Read | - | - | -
DescribeClusterSubnetGroups | Grants permission to describe one or more cluster subnet group objects, which contain metadata about your cluster subnet groups | Read | - | - | -
DescribeClusterTracks | Grants permission to describe available maintenance tracks | List | - | - | -
DescribeClusterVersions | Grants permission to describe available Amazon Redshift cluster versions | Read | - | - | -
DescribeClusters | Grants permission to describe properties of provisioned clusters | List | - | - | -
DescribeCustomDomainAssociations | Grants permission to describe custom domain names for a cluster | List | - | - | -
DescribeDataShares | Grants permission to describe datashares created and consumed by your clusters | Read | - | - | -
DescribeDataSharesForConsumer | Grants permission to describe only datashares consumed by your clusters | Read | - | - | -
DescribeDataSharesForProducer | Grants permission to describe only datashares created by your clusters | Read | - | - | -
DescribeDefaultClusterParameters | Grants permission to describe parameter settings for a parameter group family | Read | - | - | -
DescribeEndpointAccess | Grants permission to describe Redshift-managed VPC endpoints | Read | - | - | -
DescribeEndpointAuthorization | Grants permission to describe endpoint authorizations for Redshift-managed VPC endpoints | List | - | - | -
DescribeEventCategories | Grants permission to describe event categories for all event source types, or for a specified source type | Read | - | - | -
DescribeEventSubscriptions | Grants permission to describe Amazon Redshift event notification subscriptions for the specified AWS account | Read | - | - | -
DescribeEvents | Grants permission to describe events related to clusters, security groups, snapshots, and parameter groups for the past 14 days | List | - | - | -
DescribeHsmClientCertificates | Grants permission to describe HSM client certificates | Read | - | - | -
DescribeHsmConfigurations | Grants permission to describe Amazon Redshift HSM configurations | Read | - | - | -
DescribeInboundIntegrations | Grants permission to list the inbound integrations | List | - | redshift:InboundIntegrationArn | -
DescribeLoggingStatus | Grants permission to describe whether information, such as queries and connection attempts, is being logged for a cluster | Read | cluster* | - | -
DescribeNodeConfigurationOptions | Grants permission to describe properties of possible node configurations such as node type, number of nodes, and disk usage for the specified action type | List | - | - | -
DescribeOrderableClusterOptions | Grants permission to describe orderable cluster options | Read | - | - | -
DescribePartners | Grants permission to retrieve information about the partner integrations defined for a cluster | Read | - | - | -
DescribeQev2IdcApplications [permission only] | Grants permission to describe qev2 idc applications | List | - | - | -
DescribeQuery [permission only] | Grants permission to describe a query through the Amazon Redshift console | Read | - | - | -
DescribeRedshiftIdcApplications | Grants permission to describe redshift idc applications | List | - | - | sso:GetApplicationGrant, sso:ListApplicationAccessScopes
DescribeReservedNodeExchangeStatus | Grants permission to describe exchange status details and associated metadata for a reserved-node exchange. Statuses include such values as in progress and requested | Read | - | - | -
DescribeReservedNodeOfferings | Grants permission to describe available reserved node offerings by Amazon Redshift | Read | - | - | -
DescribeReservedNodes | Grants permission to describe the reserved nodes | Read | - | - | -
DescribeResize | Grants permission to describe the last resize operation for a cluster | Read | cluster* | - | -
DescribeSavedQueries [permission only] | Grants permission to describe saved queries through the Amazon Redshift console | Read | - | - | -
DescribeScheduledActions | Grants permission to describe created Amazon Redshift scheduled actions | Read | - | - | -
DescribeSnapshotCopyGrants | Grants permission to describe snapshot copy grants owned by the specified AWS account in the destination AWS Region | Read | - | - | -
DescribeSnapshotSchedules | Grants permission to describe snapshot schedules | Read | snapshotschedule* | - | -
DescribeStorage | Grants permission to describe account level backups storage size and provisional storage | Read | - | - | -
DescribeTable [permission only] | Grants permission to describe a table through the Amazon Redshift console | Read | - | - | -
DescribeTableRestoreStatus | Grants permission to describe status of one or more table restore requests made using the RestoreTableFromClusterSnapshot API action | Read | - | - | -
DescribeTags | Grants permission to describe tags | Read | cluster, dbgroup, dbname, dbuser, eventsubscription, hsmclientcertificate, hsmconfiguration, parametergroup, securitygroup, securitygroupingress-cidr, securitygroupingress-ec2securitygroup, snapshot, snapshotcopygrant, snapshotschedule, subnetgroup, usagelimit | - | -
DescribeUsageLimits | Grants permission to describe usage limits | Read | usagelimit* | - | -
DisableLogging | Grants permission to disable logging information, such as queries and connection attempts, for a cluster | Write | cluster* | - | -
DisableSnapshotCopy | Grants permission to disable the automatic copy of snapshots for a cluster | Write | cluster* | - | -
DisassociateDataShareConsumer | Grants permission to disassociate a consumer from a datashare | Write | datashare* | redshift:ConsumerArn | -
EnableLogging | Grants permission to enable logging information, such as queries and connection attempts, for a cluster | Write | cluster* | - | -
EnableSnapshotCopy | Grants permission to enable the automatic copy of snapshots for a cluster | Write | cluster* | - | -
ExecuteQuery [permission only] | Grants permission to execute a query through the Amazon Redshift console | Write | - | - | -
FailoverPrimaryCompute | Grants permission to fail over the primary compute of a Multi-AZ cluster to another AZ | Write | cluster* | - | -
FetchResults [permission only] | Grants permission to fetch query results through the Amazon Redshift console | Read | - | - | -
GetClusterCredentials | Grants permission to get temporary credentials to access an Amazon Redshift database by the specified AWS account | Write | dbuser*, dbgroup, dbname | redshift:DbName, redshift:DbUser, redshift:DurationSeconds | -
GetClusterCredentialsWithIAM | Grants permission to get enhanced temporary credentials to access an Amazon Redshift database by the specified AWS account | Write | dbname | redshift:DbName, redshift:DurationSeconds | -
GetReservedNodeExchangeConfigurationOptions | Grants permission to get the configuration options for the reserved-node exchange | Read | - | - | -
GetReservedNodeExchangeOfferings | Grants permission to get an array of DC2 ReservedNodeOfferings that matches the payment type, term, and usage price of the given DC1 reserved node | Read | - | - | -
GetResourcePolicy | Grants permission to get the resource policy for a specified resource | Read | namespace* | - | -
JoinGroup | Grants permission to join the specified Amazon Redshift group | Permissions management | dbgroup* | - | -
ListDatabases [permission only] | Grants permission to list databases through the Amazon Redshift console | List | - | - | -
ListRecommendations | Grants permission to list Advisor recommendations | List | - | - | -
ListSavedQueries [permission only] | Grants permission to list saved queries through the Amazon Redshift console | List | - | - | -
ListSchemas [permission only] | Grants permission to list schemas through the Amazon Redshift console | List | - | - | -
ListTables [permission only] | Grants permission to list tables through the Amazon Redshift console | List | - | - | -
ModifyAquaConfiguration | Grants permission to modify the AQUA configuration of a cluster | Write | cluster* | - | -
ModifyAuthenticationProfile | Grants permission to modify an existing Amazon Redshift authentication profile | Write | - | - | -
ModifyCluster | Grants permission to modify the settings of a cluster | Write | cluster* | - | acm:DescribeCertificate
ModifyClusterDbRevision | Grants permission to modify the database revision of a cluster | Write | cluster* | - | -
ModifyClusterIamRoles | Grants permission to modify the list of AWS Identity and Access Management (IAM) roles that can be used by a cluster to access other AWS services | Permissions management | cluster* | - | -
ModifyClusterMaintenance | Grants permission to modify the maintenance settings of a cluster | Write | - | - | -
ModifyClusterParameterGroup | Grants permission to modify the parameters of a parameter group | Write | parametergroup* | - | -
ModifyClusterSnapshot | Grants permission to modify the settings of a snapshot | Write | snapshot* | - | -
ModifyClusterSnapshotSchedule | Grants permission to modify a snapshot schedule for a cluster | Write | cluster* | - | -
ModifyClusterSubnetGroup | Grants permission to modify a cluster subnet group to include the specified list of VPC subnets | Write | subnetgroup* | - | -
ModifyCustomDomainAssociation | Grants permission to modify a custom domain name for a cluster | Write | cluster* | - | acm:DescribeCertificate
ModifyEndpointAccess | Grants permission to modify a Redshift-managed VPC endpoint | Write | - | - | -
ModifyEventSubscription | Grants permission to modify an existing Amazon Redshift event notification subscription | Write | eventsubscription* | - | -
ModifyQev2IdcApplication [permission only] | Grants permission to modify a qev2 idc application | Write | qev2idcapplication* | - | sso:UpdateApplication
ModifyRedshiftIdcApplication | Grants permission to modify a redshift idc application | Write | redshiftidcapplication* | - | sso:DeleteApplicationAccessScope, sso:DeleteApplicationGrant, sso:GetApplicationGrant, sso:ListApplicationAccessScopes, sso:PutApplicationAccessScope, sso:PutApplicationGrant, sso:UpdateApplication
ModifySavedQuery [permission only] | Grants permission to modify an existing saved query through the Amazon Redshift console | Write | - | - | -
ModifyScheduledAction | Grants permission to modify an existing Amazon Redshift scheduled action | Write | - | - | -
ModifySnapshotCopyRetentionPeriod | Grants permission to modify the number of days to retain snapshots in the destination AWS Region after they are copied from the source AWS Region | Write | cluster* | - | -
ModifySnapshotSchedule | Grants permission to modify a snapshot schedule | Write | snapshotschedule* | - | -
ModifyUsageLimit | Grants permission to modify a usage limit | Write | usagelimit* | - | -
PauseCluster | Grants permission to pause a cluster | Write | cluster* | - | -
PurchaseReservedNodeOffering | Grants permission to purchase a reserved node | Write | - | - | -
PutResourcePolicy | Grants permission to update the resource policy for a specified resource | Permissions management | namespace* | - | -
RebootCluster | Grants permission to reboot a cluster | Write | cluster* | - | -
RejectDataShare | Grants permission to decline a datashare shared from another account | Permissions management | datashare* | - | -
ResetClusterParameterGroup | Grants permission to set one or more parameters of a parameter group to their default values and set the source values of the parameters to "engine-default" | Write | parametergroup* | - | -
ResizeCluster | Grants permission to change the size of a cluster | Write | cluster* | - | -
RestoreFromClusterSnapshot | Grants permission to create a cluster from a snapshot | Write | cluster*, snapshot* | aws:TagKeys | -
RestoreTableFromClusterSnapshot | Grants permission to create a table from a table in an Amazon Redshift cluster snapshot | Write | cluster*, snapshot* | - | -
ResumeCluster | Grants permission to resume a cluster | Write | cluster* | - | -
RevokeClusterSecurityGroupIngress | Grants permission to revoke an ingress rule in an Amazon Redshift security group for a previously authorized IP range or Amazon EC2 security group | Write | securitygroup*, securitygroupingress-ec2securitygroup* | - | -
RevokeEndpointAccess | Grants permission to revoke access for endpoint-related activities for a Redshift-managed VPC endpoint | Permissions management | - | - | -
RevokeSnapshotAccess | Grants permission to revoke access from the specified AWS account to restore a snapshot | Permissions management | snapshot* | - | -
RotateEncryptionKey | Grants permission to rotate an encryption key for a cluster | Write | cluster* | - | -
UpdatePartnerStatus | Grants permission to update the status of a partner integration | Write | - | - | -
ViewQueriesFromConsole [permission only] | Grants permission to view query results through the Amazon Redshift console | List | - | - | -
ViewQueriesInConsole [permission only] | Grants permission to terminate running queries and loads through the Amazon Redshift console | List | - | - | -
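The rules stated above the table (an action with no resource types only matches when Resource is "*", every required resource type must appear in Resource, a condition key only applies to the actions that list it, and dependent actions have to be granted as well) can be checked mechanically before a policy is deployed. The following linter is an added example, not AWS tooling: ACTION_TABLE is a hand-copied subset of the Actions table, and the two policies at the bottom are constructed, with placeholder account IDs, cluster and user names.

```python
"""Lint an IAM policy against the Amazon Redshift Actions table.

Added example, not AWS tooling. ACTION_TABLE is a hand-copied subset of the Actions table
on this page (required and optional resource types, condition keys, dependent actions);
the policies at the bottom are constructed, with placeholder account IDs and names.
"""
import fnmatch

# action -> (required resource types, optional resource types, condition keys, dependent actions)
ACTION_TABLE = {
    "redshift:CreateCluster": ({"cluster"}, set(), {"aws:RequestTag/", "aws:TagKeys"}, set()),
    "redshift:DeleteCluster": ({"cluster"}, set(), set(), set()),
    "redshift:DescribeClusters": (set(), set(), set(), set()),   # no resource types: Resource must be "*"
    "redshift:GetClusterCredentials": ({"dbuser"}, {"dbgroup", "dbname"},
                                       {"redshift:DbName", "redshift:DbUser", "redshift:DurationSeconds"}, set()),
    "redshift:AuthorizeDataShare": ({"datashare"}, set(),
                                    {"redshift:ConsumerIdentifier", "redshift:AllowWrites"}, set()),
    "redshift:RestoreFromClusterSnapshot": ({"cluster", "snapshot"}, set(), {"aws:TagKeys"}, set()),
    "redshift:CreateCustomDomainAssociation": ({"cluster"}, set(), set(), {"acm:DescribeCertificate"}),
    "redshift:CreateTags": (set(), {"cluster", "snapshot", "dbuser", "dbname", "dbgroup"},   # abridged list
                            {"aws:RequestTag/", "aws:TagKeys"}, set()),
}


def resource_type(arn):
    """Map a Redshift ARN or ARN pattern to the resource-type name used in the table."""
    if arn == "*":
        return "*"
    parts = arn.split(":", 6)                  # arn:partition:service:region:account:type:rest
    if len(parts) < 7 or parts[2] not in ("redshift", "*"):
        return "non-redshift"
    rtype, rest = parts[5], parts[6]
    if rtype == "securitygroupingress":        # two table rows share this ARN prefix
        return "securitygroupingress-cidr" if "/cidrip/" in rest else "securitygroupingress-ec2securitygroup"
    return rtype


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _key_supported(key, supported):
    if key.startswith("redshift:"):
        return key in supported
    if key.startswith("aws:RequestTag/"):
        return "aws:RequestTag/" in supported
    if key == "aws:TagKeys":
        return key in supported
    return True   # other global keys (aws:SourceIp, aws:PrincipalTag/...) apply to every action


def lint(policy):
    """Return findings as strings; an empty list means every statement can match as written."""
    findings = []
    granted = [a for st in policy["Statement"] if st["Effect"] == "Allow" for a in _as_list(st["Action"])]
    for n, st in enumerate(policy["Statement"], start=1):
        types = {resource_type(r) for r in _as_list(st["Resource"])}
        cond_keys = {k for operator in st.get("Condition", {}).values() for k in operator}
        for pattern in _as_list(st["Action"]):
            for action, (required, optional, keys, depends) in ACTION_TABLE.items():
                if not fnmatch.fnmatchcase(action, pattern):
                    continue
                if not required and not optional:
                    if types != {"*"}:
                        findings.append(f'ERROR stmt {n}: {action} has no resource types; Resource must be "*"')
                elif "*" in types:
                    findings.append(f"WARN stmt {n}: {action} granted on every resource; "
                                    f"scope Resource to {sorted(required | optional)} ARNs")
                else:
                    for t in sorted(types - required - optional):
                        findings.append(f"ERROR stmt {n}: {action} does not accept {t} ARNs")
                    for t in sorted(required - types):
                        findings.append(f"ERROR stmt {n}: {action} requires a {t} ARN in Resource")
                for key in sorted(cond_keys):
                    if not _key_supported(key, keys):
                        findings.append(f"ERROR stmt {n}: condition key {key} is not supported by {action}")
                for dep in sorted(depends):
                    if not any(fnmatch.fnmatchcase(dep, g) for g in granted):
                        findings.append(f"WARN stmt {n}: {action} also needs {dep}, which this policy never grants")
    return findings


CLUSTER = "arn:aws:redshift:us-east-1:123456789012:cluster:analytics"   # placeholder ARN

BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "redshift:GetClusterCredentials", "Resource": CLUSTER},   # wrong ARN type
    {"Effect": "Allow", "Action": "redshift:DescribeClusters", "Resource": CLUSTER},        # must be "*"
    {"Effect": "Allow", "Action": ["redshift:CreateCluster", "redshift:DeleteCluster"], "Resource": "*",
     "Condition": {"StringEquals": {"redshift:DbUser": "app"}}},                            # key not supported
    {"Effect": "Allow", "Action": "redshift:CreateCustomDomainAssociation", "Resource": CLUSTER},  # no acm grant
]}

GOOD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "redshift:GetClusterCredentials",
     "Resource": ["arn:aws:redshift:us-east-1:123456789012:dbuser:analytics/app_reader",
                  "arn:aws:redshift:us-east-1:123456789012:dbname:analytics/sales"],
     "Condition": {"StringEquals": {"redshift:DbName": "sales"}}},
    {"Effect": "Allow", "Action": "redshift:DescribeClusters", "Resource": "*"},
    {"Effect": "Allow", "Action": "redshift:CreateCustomDomainAssociation", "Resource": CLUSTER},
    {"Effect": "Allow", "Action": "acm:DescribeCertificate", "Resource": "*"},
]}

if __name__ == "__main__":
    for line in lint(BAD_POLICY):
        print(line)
```

The most common real-world miss it catches is the first statement of BAD_POLICY: GetClusterCredentials is authorized against dbuser (and optionally dbgroup and dbname) ARNs, never against the cluster ARN, so a statement scoped to the cluster silently grants nothing. Extending ACTION_TABLE to the full table is a copy job; the checks do not change.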

Resource types defined by Amazon Redshift

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource type | ARN | Condition keys
cluster | arn:${Partition}:redshift:${Region}:${Account}:cluster:${ClusterName} | aws:ResourceTag/${TagKey}
datashare | arn:${Partition}:redshift:${Region}:${Account}:datashare:${ProducerClusterNamespace}/${DataShareName} | aws:ResourceTag/${TagKey}
dbgroup | arn:${Partition}:redshift:${Region}:${Account}:dbgroup:${ClusterName}/${DbGroup} | aws:ResourceTag/${TagKey}
dbname | arn:${Partition}:redshift:${Region}:${Account}:dbname:${ClusterName}/${DbName} | aws:ResourceTag/${TagKey}
dbuser | arn:${Partition}:redshift:${Region}:${Account}:dbuser:${ClusterName}/${DbUser} | aws:ResourceTag/${TagKey}
eventsubscription | arn:${Partition}:redshift:${Region}:${Account}:eventsubscription:${EventSubscriptionName} | aws:ResourceTag/${TagKey}
hsmclientcertificate | arn:${Partition}:redshift:${Region}:${Account}:hsmclientcertificate:${HSMClientCertificateId} | aws:ResourceTag/${TagKey}
hsmconfiguration | arn:${Partition}:redshift:${Region}:${Account}:hsmconfiguration:${HSMConfigurationId} | aws:ResourceTag/${TagKey}
namespace | arn:${Partition}:redshift:${Region}:${Account}:namespace:${ClusterNamespace} | aws:ResourceTag/${TagKey}
parametergroup | arn:${Partition}:redshift:${Region}:${Account}:parametergroup:${ParameterGroupName} | aws:ResourceTag/${TagKey}
securitygroup | arn:${Partition}:redshift:${Region}:${Account}:securitygroup:${SecurityGroupName}/ec2securitygroup/${Owner}/${Ec2SecurityGroupId} | aws:ResourceTag/${TagKey}
securitygroupingress-cidr | arn:${Partition}:redshift:${Region}:${Account}:securitygroupingress:${SecurityGroupName}/cidrip/${IpRange} | aws:ResourceTag/${TagKey}
securitygroupingress-ec2securitygroup | arn:${Partition}:redshift:${Region}:${Account}:securitygroupingress:${SecurityGroupName}/ec2securitygroup/${Owner}/${Ec2SecurityGroupId} | aws:ResourceTag/${TagKey}
snapshot | arn:${Partition}:redshift:${Region}:${Account}:snapshot:${ClusterName}/${SnapshotName} | aws:ResourceTag/${TagKey}
snapshotcopygrant | arn:${Partition}:redshift:${Region}:${Account}:snapshotcopygrant:${SnapshotCopyGrantName} | aws:ResourceTag/${TagKey}
snapshotschedule | arn:${Partition}:redshift:${Region}:${Account}:snapshotschedule:${SnapshotScheduleName} | aws:ResourceTag/${TagKey}
subnetgroup | arn:${Partition}:redshift:${Region}:${Account}:subnetgroup:${SubnetGroupName} | aws:ResourceTag/${TagKey}
usagelimit | arn:${Partition}:redshift:${Region}:${Account}:usagelimit:${UsageLimitId} | aws:ResourceTag/${TagKey}
redshiftidcapplication | arn:${Partition}:redshift:${Region}:${Account}:redshiftidcapplication:${RedshiftIdcApplicationId} | -
qev2idcapplication | arn:${Partition}:redshift:${Region}:${Account}:qev2idcapplication:${Qev2IdcApplicationId} | -

Condition keys for Amazon Redshift

Amazon Redshift defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition key | Description | Type
aws:RequestTag/${TagKey} | Filters access by actions based on the allowed set of values for each of the tags | String
aws:ResourceTag/${TagKey} | Filters access by actions based on the tag value associated with the resource | String
aws:TagKeys | Filters access by actions based on the presence of mandatory tags in the request | ArrayOfString
redshift:AllowWrites | Filters access by the allowWrites input parameter | Bool
redshift:ConsumerArn | Filters access by the datashare consumer ARN | ARN
redshift:ConsumerIdentifier | Filters access by the datashare consumer | String
redshift:DbName | Filters access by the database name | String
redshift:DbUser | Filters access by the database user name | String
redshift:DurationSeconds | Filters access by the number of seconds until a temporary credential set expires | String
redshift:InboundIntegrationArn | Filters access by the ARN of an inbound zero-ETL integration resource | String
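How these keys behave under the IAM condition operators (the String operators for redshift:DbName and redshift:DbUser, Bool for redshift:AllowWrites, the ForAllValues set operator for the ArrayOfString key aws:TagKeys, and a ${aws:username} policy variable in a dbuser ARN) is easiest to see by running requests through a small evaluator. The code below is an added example, not AWS's authorization engine: POLICY, the ARNs, the account IDs and the request contexts are constructed placeholders, and the evaluator implements only the operators this page's keys need.

```python
"""Evaluate IAM Condition blocks that use the Amazon Redshift condition keys.

Added example, not AWS's authorization engine: a minimal evaluator for String*, Bool,
the ForAllValues/ForAnyValue set operators and ${...} policy variables. POLICY, the
ARNs, account IDs and request contexts below are constructed placeholders.
"""
import fnmatch
import re


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _expand(value, ctx):
    """Substitute ${key} policy variables such as ${aws:username} from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: str(ctx.get(m.group(1), m.group(0))), value)


OPERATORS = {
    "StringEquals": lambda actual, want: actual == want,
    "StringNotEquals": lambda actual, want: actual != want,
    "StringLike": lambda actual, want: fnmatch.fnmatchcase(actual, want),
    "Bool": lambda actual, want: str(actual).lower() == str(want).lower(),
}


def condition_matches(condition, ctx):
    """True when every operator/key pair in a Condition block holds for the request context."""
    for op_name, pairs in condition.items():
        set_op, _, base = op_name.rpartition(":")   # "ForAllValues:StringEquals" -> set_op, base
        op = OPERATORS[base]
        for key, wanted in pairs.items():
            wanted = [_expand(w, ctx) for w in _as_list(wanted)]
            actual = ctx.get(key)
            values = [] if actual is None else _as_list(actual)
            if set_op == "ForAllValues":      # holds vacuously when the key is absent from the request
                ok = all(any(op(v, w) for w in wanted) for v in values)
            elif set_op == "ForAnyValue":
                ok = any(op(v, w) for v in values for w in wanted)
            else:                             # single-valued operator: an absent key never matches
                ok = actual is not None and any(op(actual, w) for w in wanted)
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """Decide one (action, resource) request: an explicit Deny wins over any Allow."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, _expand(r, ctx)) for r in _as_list(st["Resource"])):
            continue
        if not condition_matches(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def evaluate_all(policy, action, resources, ctx):
    """A call naming several resources (GetClusterCredentials names a dbuser ARN and usually
    a dbname ARN) is allowed only when every one of those ARNs is allowed."""
    results = [evaluate(policy, action, r, ctx) for r in resources]
    if "Deny" in results:
        return "Deny"
    return "Allow" if all(r == "Allow" for r in results) else "ImplicitDeny"


POLICY = {"Version": "2012-10-17", "Statement": [
    {   # temporary DB credentials only for a DB user named after the calling IAM user
        "Effect": "Allow", "Action": "redshift:GetClusterCredentials",
        "Resource": ["arn:aws:redshift:us-east-1:123456789012:dbuser:analytics/${aws:username}",
                     "arn:aws:redshift:us-east-1:123456789012:dbname:analytics/sales"],
        "Condition": {"StringEquals": {"redshift:DbName": "sales"}},
    },
    {   # never mint credentials for admin accounts, whatever another statement allows
        "Effect": "Deny", "Action": "redshift:GetClusterCredentials", "Resource": "*",
        "Condition": {"StringLike": {"redshift:DbUser": "admin*"}},
    },
    {   # read-only datashare authorization, and only to one consumer account
        "Effect": "Allow", "Action": "redshift:AuthorizeDataShare",
        "Resource": "arn:aws:redshift:us-east-1:123456789012:datashare:*/sales_share",
        "Condition": {"StringEquals": {"redshift:ConsumerIdentifier": "222233334444"},
                      "Bool": {"redshift:AllowWrites": "false"}},
    },
    {   # tagging restricted to an approved tag-key set
        "Effect": "Allow", "Action": "redshift:CreateTags",
        "Resource": "arn:aws:redshift:us-east-1:123456789012:cluster:*",
        "Condition": {"ForAllValues:StringEquals": {"aws:TagKeys": ["Owner", "CostCenter"]}},
    },
]}
```

Two behaviours worth checking against your own policies: the Deny on redshift:DbUser "admin*" fires even though the first statement allows the same request, and ForAllValues on aws:TagKeys is satisfied by a request that carries no tag keys at all, so it restricts which keys may be used rather than requiring any.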