RedShift Serverless / Spectrum / Glue access issue

0

I'm running the following in RedShift query editor

create external schema customer_schema
from data catalog database 'customer' region 'us-west-2'
iam_role 'arn:aws:iam::<account-id>:role/RedshiftSpectrumRole'
create external database if not exists;

And getting the following error:

ERROR: Unknown std exception when calling external catalog API: ----------------------------------------------- error: Not authorized to get credentials of role arn:aws:iam::<account-id>:role/RedshiftSpectrumRole code: 30000 context: query: 0 location: xen_aws_credentials_mgr.cpp:402 process: padbm aster [pid=15652] ----------------------------------------------- [ErrorId: 1-6222317d-1fb7af7e7869388e5a5866f3]

The role has access to S3 and Glue, and it has been attached to the RedShift Serverless permissions.

I also submitted a ticket to AWS over 4 days ago and have not heard anything back. Can someone help out? Is there something I missed? Or is this an internal AWS error?

Below is the trust relationship for the role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "redshift.amazonaws.com",
                    "redshift-serverless.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
Asked 2 years ago, 1669 views
3 answers
1
Accepted answer

I was trying to execute this query signed in as the Root user for this AWS account. It turns out that RedShift Serverless does not support this currently.

The solution is to create an IAM user, login and run these queries with that user.

Answered 2 years ago
AWS
Expert
Reviewed 2 years ago
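The two things the accepted answer and the error message point at are (1) who is executing the CREATE EXTERNAL SCHEMA statement and (2) whether the role's trust policy actually lets the Redshift service principals assume it. The following Python is an added example, not code from the question, the answers, or AWS; it parses a trust policy in the shape shown in the question and flags the two conditions. The sample policy and ARNs are constructed (the account id is a placeholder); in real use the caller ARN would come from `sts:GetCallerIdentity` and the policy document from `iam:GetRole`, which are assumed here rather than called so the script runs offline.

```python
import json
import re

# Constructed sample: the trust policy from the question with a placeholder account id.
TRUST_POLICY_JSON = """{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "redshift.amazonaws.com",
                    "redshift-serverless.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}"""

# Both service principals must be trusted for Spectrum on Redshift Serverless
# (the question's policy lists both; this check makes the requirement explicit).
REQUIRED_SERVICES = {"redshift.amazonaws.com", "redshift-serverless.amazonaws.com"}

# Account root identities look like arn:aws:iam::<12-digit-account>:root.
ROOT_ARN = re.compile(r"^arn:aws:iam::\d{12}:root$")


def _as_list(value):
    """IAM policy JSON allows scalar-or-list for Statement, Action and Principal.Service."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trusted_services(policy):
    """Return the set of service principals allowed to call sts:AssumeRole on the role."""
    services = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        # sts:AssumeRole may be granted directly or via a wildcard.
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            services.update(_as_list(principal.get("Service")))
    return services


def missing_trust(policy_json, required=REQUIRED_SERVICES):
    """Service principals that the role should trust but does not (sorted for stable output)."""
    return sorted(required - trusted_services(json.loads(policy_json)))


def is_root_caller(caller_arn):
    """True when the identity running the statement is the account root user."""
    return bool(ROOT_ARN.match(caller_arn))


def diagnose(policy_json, caller_arn):
    """Combine both checks into a list of findings; an empty list means nothing obvious is wrong."""
    findings = []
    if is_root_caller(caller_arn):
        findings.append("caller is the account root user; sign in as an IAM user or role instead")
    for svc in missing_trust(policy_json):
        findings.append(f"trust policy does not allow {svc} to assume the role")
    return findings


if __name__ == "__main__":
    # Placeholder caller ARN; in practice read it from sts:GetCallerIdentity (assumed, not called).
    for finding in diagnose(TRUST_POLICY_JSON, "arn:aws:iam::123456789012:root"):
        print(finding)
```

With the question's policy the trust check passes, so the only finding for a root caller is the one the accepted answer describes; re-running with an IAM user ARN returns no findings. Dropping `redshift-serverless.amazonaws.com` from the policy makes `missing_trust` report it, which is the other common cause of a "Not authorized to get credentials of role" message.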
1

Hi, I have been using Spectrum with Serverless and never encountered this issue. For this reason I guess it might be something linked to your environment.

Based on the description in your question I think you followed the documentation on the definition of the role, and by the description it seems to me it should be fine.

Is the Glue catalogue in the same us-west-2 region? If not, have you looked at this knowledge base to allow cross-account access?

If the catalogue is in the same region as the serverless cluster could you please include more information on the policies for the role, please? (as you did for the trust relationship).

Also please note that Redshift Serverless is still in preview; you could submit your question directly to the serverless team by sending an email to the address you find in this documentation page. In the email you could include the AWS Account Id, the cluster name and the region.

Hope this helps.

AWS
Expert
Answered 2 years ago
0

I got the same error message. Have you ever resolved this issue? I got this error after I created an external schema referring to the Lake Formation catalog and wanted to have permission control integration with the SSO identity center. So I created the external schema without specifying an IAM role; I guess this could be the reason for the issue. But I did this according to the AWS document https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-idp-connect.html, so I'm not sure if it's something wrong on my side or an AWS internal issue?

eric
Answered 19 days ago
