Using service-linked roles for Amazon Redshift - Amazon Redshift

Using service-linked roles for Amazon Redshift

Amazon Redshift uses AWS Identity and Access Management (IAM) service-linked roles. A service-linked role is a unique type of IAM role that is linked directly to Amazon Redshift. Service-linked roles are predefined by Amazon Redshift and include all the permissions that the service requires to call AWS services on behalf of your Amazon Redshift cluster.

A service-linked role makes setting up Amazon Redshift easier because you don't have to add the necessary permissions manually. The role is linked to Amazon Redshift use cases and has predefined permissions. Only Amazon Redshift can assume the role, and only the service-linked role can use the predefined permissions policy. Amazon Redshift creates a service-linked role in your account the first time you create a cluster or a Redshift-managed VPC endpoint. You can delete the service-linked role only after you delete all of the Amazon Redshift clusters or Redshift-managed VPC endpoints in your account. This protects your Amazon Redshift resources because you can't inadvertently remove permissions needed for access to the resources.

Amazon Redshift supports using service-linked roles in all of the Regions where the service is available. For more information, see AWS Regions and Endpoints.

For information about other services that support service-linked roles, see AWS services that work with IAM and look for the services that have Yes in the Service-Linked Role column. Choose a Yes with a link to view the service-linked role documentation for that service.

Service-linked role permissions for Amazon Redshift

Amazon Redshift uses the service-linked role named AWSServiceRoleForRedshift – Allows Amazon Redshift to call AWS services on your behalf. This service-linked role is attached to the following managed policy: AmazonRedshiftServiceLinkedRolePolicy. For updates to this policy, see AWS-managed (predefined) policies for Amazon Redshift.

The AWSServiceRoleForRedshift service-linked role trusts only redshift.amazonaws.com to assume the role.

The AWSServiceRoleForRedshift service-linked role permissions policy allows Amazon Redshift to complete the following on all related resources:

  • ec2:DescribeVpcs

  • ec2:DescribeSubnets

  • ec2:DescribeNetworkInterfaces

  • ec2:DescribeAddress

  • ec2:AssociateAddress

  • ec2:DisassociateAddress

  • ec2:CreateNetworkInterface

  • ec2:DeleteNetworkInterface

  • ec2:ModifyNetworkInterfaceAttribute

  • ec2:CreateVpcEndpoint

  • ec2:DeleteVpcEndpoints

  • ec2:DescribeVpcEndpoints

  • ec2:ModifyVpcEndpoint

  • ec2:DescribeVpcAttribute

  • ec2:DescribeSecurityGroups

  • ec2:DescribeInternetGateways

  • ec2:DescribeSecurityGroupRules

  • ec2:DescribeAvailabilityZones

  • ec2:DescribeNetworkAcls

  • ec2:DescribeRouteTables

  • ec2:AssignIpv6Addresses

  • ec2:UnassignIpv6Addresses

Permissions for network resources

The following permissions allow action on Amazon EC2 for creation and management of security group rules. These security groups and rules are specifically associated with the Amazon Redshift aws:RequestTag/Redshift resource tag. This limits the scope of the permissions to specific Amazon Redshift resources.

  • ec2:CreateSecurityGroup

  • ec2:AuthorizeSecurityGroupEgress

  • ec2:AuthorizeSecurityGroupIngress

  • ec2:RevokeSecurityGroupEgress

  • ec2:RevokeSecurityGroupIngress

  • ec2:ModifySecurityGroupRules

  • ec2:DeleteSecurityGroup

Permissions for service quotas

The following permissions allow the caller to get service quotas.

servicequotas:GetServiceQuota

The following JSON fragment shows action and resource scope for service quotas.

{ "Sid": "ServiceQuotasToCheckCustomerLimits", "Effect": "Allow", "Action": [ "servicequotas:GetServiceQuota" ], "Resource": [ "arn:aws:servicequotas:*:*:ec2/L-0263D0A3", "arn:aws:servicequotas:*:*:vpc/L-29B6F2EB" ] }

The quota codes are the following:

  • L-0263D0A3 – The quota code for EC2-VPC Elastic IPs.

  • L-29B6F2EB – The quota code for Interface VPC endpoints per VPC.

For more information, see AWS service quotas.

Actions for audit logging

Actions listed with the logs prefix pertain to audit logging and related features. Specifically, creation and management of log groups and log streams.

  • logs:CreateLogGroup

  • logs:PutRetentionPolicy

  • logs:CreateLogStream

  • logs:PutLogEvents

  • logs:DescribeLogStreams

  • logs:GetLogEvents

The following JSON shows actions and resource scope, to Amazon Redshift, for audit logging.

[ { "Sid": "EnableCreationAndManagementOfRedshiftCloudwatchLogGroups", "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:PutRetentionPolicy" ], "Resource": [ "arn:aws:logs:*:*:log-group:/aws/redshift/*" ] }, { "Sid": "EnableCreationAndManagementOfRedshiftCloudwatchLogStreams", "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogStreams", "logs:GetLogEvents" ], "Resource": [ "arn:aws:logs:*:*:log-group:/aws/redshift/*:log-stream:*" ] } ]

For more information about service-linked roles and their purpose in AWS, see Using service-linked roles. For more information about specific actions and other IAM resources for Amazon Redshift, see Actions, resources, and condition keys for Amazon Redshift.

Actions for managing admin credentials with AWS Secrets Manager

Actions listed with the secretsmanager prefix pertain to using Amazon Redshift to manage your admin credentials. These actions let Amazon Redshift use AWS Secrets Manager to create and manage your admin credential secrets.

The following JSON shows actions and resource scope, to Amazon Redshift, for managing admin credentials with AWS Secrets Manager.

[ { "Effect": "Allow", "Action": [ "secretsmanager:DescribeSecret", "secretsmanager:DeleteSecret", "secretsmanager:PutSecretValue", "secretsmanager:UpdateSecret", "secretsmanager:UpdateSecretVersionStage", "secretsmanager:RotateSecret" ], "Resource": [ "arn:aws:secretsmanager:*:*:secret:redshift!*" ], "Condition": { "StringEquals": { "secretsmanager:ResourceTag/aws:secretsmanager:owningService": "redshift" } } }, { "Effect": "Allow", "Action": [ "secretsmanager:GetRandomPassword" ], "Resource": "*" } ]

To allow an IAM entity to create AWSServiceRoleForRedshift service-linked roles

{ "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole" ], "Resource": "arn:aws:iam::<AWS-account-ID>:role/aws-service-role/redshift.amazonaws.com/AWSServiceRoleForRedshift", "Condition": {"StringLike": {"iam:AWSServiceName": "redshift.amazonaws.com"}} }

To allow an IAM entity to delete AWSServiceRoleForRedshift service-linked roles

Add the following policy statement to the permissions for that IAM entity:

{ "Effect": "Allow", "Action": [ "iam:DeleteServiceLinkedRole", "iam:GetServiceLinkedRoleDeletionStatus" ], "Resource": "arn:aws:iam::<AWS-account-ID>:role/aws-service-role/redshift.amazonaws.com/AWSServiceRoleForRedshift", "Condition": {"StringLike": {"iam:AWSServiceName": "redshift.amazonaws.com"}} }

Alternatively, you can use an AWS managed policy to provide full access to Amazon Redshift.

Creating a service-linked role for Amazon Redshift

You don't need to manually create an AWSServiceRoleForRedshift service-linked role. Amazon Redshift creates the service-linked role for you. If the AWSServiceRoleForRedshift service-linked role has been deleted from your account, Amazon Redshift creates the role when you launch a new Amazon Redshift cluster.

Important

If you used the Amazon Redshift service before September 18, 2017, when it began supporting service-linked roles, then Amazon Redshift created the AWSServiceRoleForRedshift role in your account. To learn more, see A new role appeared in my IAM account.

Editing a service-linked role for Amazon Redshift

Amazon Redshift does not allow you to edit the AWSServiceRoleForRedshift service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role using the IAM console, the AWS Command Line Interface (AWS CLI), or IAM API. For more information, see Modifying a role in the IAM User Guide.

Deleting a service-linked role for Amazon Redshift

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don't have an unused entity that is not actively monitored or maintained.

Before you can delete a service-linked role for an account, you must shut down and delete any clusters in the account. For more information, see Shutting down and deleting a cluster.

You can use the IAM console, the AWS CLI, or the IAM API to delete a service-linked role. For more information, see Deleting a service-linked role in the IAM User Guide.