Step 2: Create an IAM role - Amazon Redshift

For any operation that accesses data on another AWS resource, your cluster needs permission to access the resource and the data on the resource on your behalf. An example is using a COPY command to load data from Amazon S3. You provide those permissions by using AWS Identity and Access Management (IAM). You can do this through an IAM role that is attached to your cluster. Or you can provide the AWS access key for an IAM user that has the necessary permissions. For more information about credentials and access permissions, see Credentials and access permissions.

To best protect your sensitive data and safeguard your AWS access credentials, we recommend creating an IAM role and attaching it to your cluster. For more information about providing access permissions, see Permissions to access other AWS resources.

In this step, you create a new IAM role that enables Amazon Redshift to load data from Amazon S3 buckets. An IAM role is an IAM identity that you can create in your account that has specific permissions. In the next step, you attach the role to your cluster.

To create an IAM role for Amazon Redshift

  1. Sign in to the AWS Management Console and open the IAM console at

  2. In the navigation pane, choose Roles.

  3. Choose Create role.

  4. In the AWS Service group, choose Redshift.

  5. Under Select your use case, choose Redshift - Customizable, then choose Next: Permissions.

  6. On the Attach permissions policies page, choose AmazonS3ReadOnlyAccess. You can leave the default setting for Set permissions boundary. Then choose Next: Tags.

  7. The Add tags page appears. You can optionally add tags. Choose Next: Review.

  8. For Role name, enter a name for your role. For this tutorial, enter myRedshiftRole.

  9. Review the information, and then choose Create Role.

  10. Choose the role name of the role that you just created.

  11. Copy the Role ARN value to your clipboard—this value is the Amazon Resource Name (ARN) for the role that you just created. You use that value when you use the COPY command to load data in Step 6: Load sample data from Amazon S3.
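To confirm that the role created above trusts only Amazon Redshift and carries only the read-only S3 policy, the following added example (not part of the original AWS documentation) audits a role's trust policy and attached policy ARNs offline. Assumptions: the function names, the account ID 111122223333 and the sample documents are constructed for illustration, and the tutorial trust policy shown is the one expected for a Redshift service role.

```python
# Added example: offline audit of the role this procedure creates.
REDSHIFT_PRINCIPAL = "redshift.amazonaws.com"
EXPECTED_POLICY = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"

def _as_list(value):
    """IAM JSON allows either a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_redshift_role(trust_policy, attached_policy_arns):
    """Return findings; an empty list means the role matches the tutorial."""
    findings, redshift_can_assume = [], False
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":  # shorthand for "anyone"
            principal = {"AWS": "*"}
        for kind, values in (principal or {}).items():
            for value in _as_list(values):
                if kind == "Service" and value == REDSHIFT_PRINCIPAL:
                    if "sts:AssumeRole" in _as_list(stmt.get("Action")):
                        redshift_can_assume = True
                else:
                    findings.append(f"unexpected trusted principal {kind}:{value}")
    if not redshift_can_assume:
        findings.append("redshift.amazonaws.com cannot assume this role")
    for arn in attached_policy_arns:
        if arn != EXPECTED_POLICY:
            findings.append(f"policy beyond read-only S3 access: {arn}")
    if EXPECTED_POLICY not in attached_policy_arns:
        findings.append("AmazonS3ReadOnlyAccess is not attached")
    return findings

# Constructed sample input (not real account data).
TUTORIAL_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "redshift.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}
DRIFTED_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"Service": "redshift.amazonaws.com",
                  "AWS": "arn:aws:iam::111122223333:root"}}]}
DRIFTED_POLICIES = ["arn:aws:iam::aws:policy/AmazonS3FullAccess"]

if __name__ == "__main__":
    print(audit_redshift_role(TUTORIAL_TRUST, [EXPECTED_POLICY]))
    for finding in audit_redshift_role(DRIFTED_TRUST, DRIFTED_POLICIES):
        print(finding)
```

The two arguments have the same shape as a role's `AssumeRolePolicyDocument` and the ARNs of its attached managed policies, so the check can be run on exported role data.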

Now that you have created the new role, your next step is to attach it to your cluster. You can attach the role when you launch a new cluster or you can attach it to an existing cluster. In the next step, you attach the role to a new cluster.