Amazon Redshift
Database Developer Guide

Step 1. Create an IAM Role for Amazon Redshift

Your cluster needs authorization to access your external data catalog in AWS Glue or Amazon Athena and your data files in Amazon S3. You provide that authorization by referencing an AWS Identity and Access Management (IAM) role that is attached to your cluster. For more information about using roles with Amazon Redshift, see Authorizing COPY and UNLOAD Operations Using IAM Roles.

Note

In certain cases, you can migrate your Athena data catalog to an AWS Glue Data Catalog. You can do this if your cluster is in an AWS Region where AWS Glue is supported and you have Redshift Spectrum external tables in the Athena data catalog. To use the AWS Glue Data Catalog with Redshift Spectrum, you might need to change your IAM policies. For more information, see Upgrading to the AWS Glue Data Catalog in the Athena User Guide.

When you create a role for Amazon Redshift, choose one of the following approaches:

To create an IAM role for Amazon Redshift

  1. Open the IAM console.

  2. In the navigation pane, choose Roles.

  3. Choose Create role.

  4. Choose AWS service, and then choose Redshift.

  5. Under Select your use case, choose Redshift - Customizable and then choose Next: Permissions.

  6. The Attach permissions policy page appears. Choose AmazonS3ReadOnlyAccess and AWSGlueConsoleFullAccess, if you're using the AWS Glue Data Catalog. Or choose AmazonAthenaFullAccess if you're using the Athena data catalog. Choose Next: Review.

    Note

    The AmazonS3ReadOnlyAccess policy gives your cluster read-only access to all Amazon S3 buckets. To grant access to only the AWS sample data bucket, create a new policy and add the following permissions.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:Get*",
                    "s3:List*"
                ],
                "Resource": "arn:aws:s3:::awssampledbuswest2/*"
            }
        ]
    }

  7. For Role name, enter a name for your role, for example mySpectrumRole.

  8. Review the information, and then choose Create role.

  9. In the navigation pane, choose Roles. Choose the name of your new role to view the summary, and then copy the Role ARN to your clipboard. This value is the Amazon Resource Name (ARN) for the role that you just created. You use that value when you create external tables to reference your data files on Amazon S3.

To create an IAM role for Amazon Redshift using an AWS Glue Data Catalog enabled for AWS Lake Formation

  1. Open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies.

    If this is your first time choosing Policies, the Welcome to Managed Policies page appears. Choose Get Started.

  3. Choose Create policy.

  4. Choose to create the policy on the JSON tab.

  5. Paste in the following JSON policy document, which grants access to the Data Catalog but denies the administrator permissions for Lake Formation.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "RedshiftPolicyForLF",
                "Effect": "Allow",
                "Action": [
                    "glue:*",
                    "lakeformation:GetDataAccess"
                ],
                "Resource": "*"
            }
        ]
    }

  6. When you are finished, choose Review to review the policy. The policy validator reports any syntax errors.

  7. On the Review policy page, for Name enter mySpectrumPolicy to name the policy that you are creating. Enter a Description (optional). Review the policy Summary to see the permissions that are granted by your policy. Then choose Create policy to save your work.

    After you create a policy, you can create a role and apply the policy.

  8. In the navigation pane of the IAM console, choose Roles, and then choose Create role.

  9. For Select type of trusted entity, choose AWS service.

  10. Choose the Amazon Redshift service to assume this role.

  11. Choose the Redshift Customizable use case for your service. Then choose Next: Permissions.

  12. Choose the permissions policy that you created, mySpectrumPolicy, to attach to the role.

  13. Choose Next: Tagging.

  14. Choose Next: Review.

  15. For Role name, enter the name mySpectrumRole.

  16. (Optional) For Role description, enter a description for the new role.

  17. Review the role, and then choose Create role.
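Before attaching either policy document from the procedures above, it is worth checking that the permissions policy stays scoped and that the role's trust policy names only Redshift. The following Python is an added example, not code from the AWS guide: it audits a permissions policy for S3 access that is not limited to a bucket and for Lake Formation actions beyond GetDataAccess, and lists which service principals a trust policy lets assume the role. The trust policy shown is the one the Redshift - Customizable use case creates; BROAD_S3_POLICY is a constructed stand-in for the managed AmazonS3ReadOnlyAccess policy.

```python
import json

# Constructed sample policies. SCOPED_S3_POLICY mirrors the guide's sample-bucket
# policy; BROAD_S3_POLICY has the same actions on every bucket, as
# AmazonS3ReadOnlyAccess does; LAKE_FORMATION_POLICY is the guide's LF policy.
SCOPED_S3_POLICY = json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",'
    '"Action": ["s3:Get*", "s3:List*"], "Resource": "arn:aws:s3:::awssampledbuswest2/*"}]}')
BROAD_S3_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}
LAKE_FORMATION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "RedshiftPolicyForLF", "Effect": "Allow",
     "Action": ["glue:*", "lakeformation:GetDataAccess"], "Resource": "*"}]}
# Trust policy produced by the "Redshift - Customizable" use case.
REDSHIFT_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "redshift.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}


def _as_list(value):
    """IAM accepts a string or a list in Action, Resource and Principal fields."""
    return value if isinstance(value, list) else [value]


def audit_permissions_policy(policy):
    """Return findings: S3 access on every bucket, Lake Formation actions other
    than GetDataAccess, or an all-service wildcard action."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        s3_actions = [a for a in actions if a.lower().startswith("s3:")]
        if s3_actions and any(r in ("*", "arn:aws:s3:::*") for r in resources):
            findings.append("s3 actions %s apply to every bucket" % (s3_actions,))
        for action in actions:
            if action == "*":
                findings.append("wildcard action grants every AWS service")
            elif (action.lower().startswith("lakeformation:")
                  and action != "lakeformation:GetDataAccess"):
                findings.append("Lake Formation admin action %s" % action)
    return findings


def trusted_services(trust_policy):
    """Service principals allowed to assume the role; expect only Redshift."""
    services = set()
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(stmt.get("Action", [])):
            services.update(_as_list(stmt.get("Principal", {}).get("Service", [])))
    return services
```

Running audit_permissions_policy over BROAD_S3_POLICY reports the every-bucket finding, while the scoped and Lake Formation policies come back clean.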

To grant SELECT permissions on the table to query in the Lake Formation database

  1. Open the Lake Formation console at https://console.aws.amazon.com/lakeformation/.

  2. In the navigation pane, choose Permissions, and then choose Grant.

  3. Provide the following information:

    • For IAM role, choose the IAM role you created, mySpectrumRole. When you run the Amazon Redshift Query Editor, it uses this IAM role for permission to access the data.

      Note

      To grant SELECT permission on a table in a Lake Formation–enabled Data Catalog so that it can be queried, do the following:

      • Register the path for the data in Lake Formation.

      • Grant users permission to that path in Lake Formation.

      • Tables that you create are located in the path registered in Lake Formation.

    • For Database, choose your Lake Formation database.

    • For Table, choose a table within the database to query.

    • For Columns, choose All Columns.

    • Choose the Select permission.

  4. Choose Save.

Important

As a best practice, allow access only to the underlying Amazon S3 objects through Lake Formation permissions. To prevent unapproved access, remove any permission granted to Amazon S3 objects outside of Lake Formation. If you previously accessed Amazon S3 objects before setting up Lake Formation, remove any IAM policies or bucket permissions that previously were set up. For more information, see Upgrading AWS Glue Data Permissions to the AWS Lake Formation Model and Lake Formation Permissions.