Is the role set as Default role?
And are you providing the authorization in the copy command?
It might be best to open a support ticket if these do not help.
I have the same issue. Opened up a support case but some AWS support engineers don't really know the ins and outs of Redshift serverless, which is understandable. Serverless == Blackbox. No one knows what's going on inside.
In my case, putting "redshift-serverless.amazonaws.com" doesn't work either. The root cause is that I have "Condition" in the trusted entity:

```json
"Condition": {
    "StringLike": {
        "sts:ExternalId": [
            "arn:aws:redshift:<region>:<account-id>:dbuser:<cluster-name>/<user>",
            "arn:aws:redshift:<region>:<account-id>:dbuser:<workgroup-name>/<user>"
        ]
    }
}
```
Although this Redshift serverless documentation says

* For regular Redshift cluster use the following ARN format: `arn:aws:redshift:<region>:<account-id>:dbuser:<cluster-name>/<user-name>`
* For serverless Redshift use the following ARN format: `arn:aws:redshift:<region>:<account-id>:dbuser:<workgroup-name>/<user-name>`

the serverless ARN format is wrong. After countless trial-n-error, I discovered that only this ARN format `arn:aws:redshift:<region>:<account-id>:dbuser:serverless-*` works for serverless. But I couldn't figure out what the wildcard `*` represents. And of course, removing the "Condition" section entirely works too.
I had this same issue, but after a ton of trial and error and looking through AssumeRole events in CloudTrail I was able to find that the format of the dbuser ARN in Redshift serverless is actually `arn:aws:redshift:<region>:<account-id>:dbuser:serverless-<account-id>-<workgroup-id>/<user-name>`. This format isn't documented by AWS anywhere that I've seen, and the existing documentation says to use the format `arn:aws:redshift:<region>:<account-id>:dbuser:<workgroup-name>/<user-name>` for Redshift serverless, but as Zach mentioned that doesn't work.

An example of an IAM role's trust relationship using this format:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "redshift.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": [
                        "arn:aws:redshift:us-west-2:123456789012:dbuser:serverless-123456789012-my-workgroup-id1/user1"
                    ]
                }
            }
        }
    ]
}
```
The AWS CLI can be used to get the workgroup id:

```
aws redshift-serverless get-workgroup --workgroup-name <workgroup-name> --query '*.workgroupId | [0]'
```
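
The following is an added example, not code from any poster or from AWS: an offline evaluator for the `sts:ExternalId` tests of a trust policy, run against the serverless ExternalId format reported in the answer above. The workgroup name `my-workgroup` and the user `user2` are constructed values, and only the `StringEquals` and `StringLike` operators are handled.

```python
import re

# Values from the trust-policy example above; "user2" is constructed.
REGION, ACCOUNT, WORKGROUP_ID = "us-west-2", "123456789012", "my-workgroup-id1"
PREFIX = f"arn:aws:redshift:{REGION}:{ACCOUNT}:dbuser:"

def serverless_external_id(user, workgroup_id=WORKGROUP_ID):
    """ExternalId in the serverless format reported in the answer above."""
    return f"{PREFIX}serverless-{ACCOUNT}-{workgroup_id}/{user}"

def string_like(pattern, value):
    """IAM StringLike: '*' is any run of characters, '?' exactly one; case-sensitive."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.DOTALL) is not None

def external_id_allowed(condition, external_id):
    """Evaluate the sts:ExternalId tests of a trust-policy Condition block.

    Values listed under one key are ORed; every operator block must pass.
    """
    for operator, tests in condition.items():
        patterns = tests["sts:ExternalId"]
        patterns = [patterns] if isinstance(patterns, str) else patterns
        if operator == "StringEquals":
            passed = external_id in patterns
        elif operator == "StringLike":
            passed = any(string_like(p, external_id) for p in patterns)
        else:
            raise ValueError(f"operator not handled in this example: {operator}")
        if not passed:
            return False
    return True

# Three Condition blocks discussed in the thread ("my-workgroup" is a constructed name).
DOCUMENTED = {"StringLike": {"sts:ExternalId": [PREFIX + "my-workgroup/user1"]}}
WILDCARD = {"StringLike": {"sts:ExternalId": [PREFIX + "serverless-*"]}}
EXACT = {"StringEquals": {"sts:ExternalId": [serverless_external_id("user1")]}}

def compare():
    """Return {policy name: (user1 allowed, user2 allowed)}."""
    ids = [serverless_external_id(u) for u in ("user1", "user2")]
    policies = {"documented": DOCUMENTED, "wildcard": WILDCARD, "exact": EXACT}
    return {name: tuple(external_id_allowed(c, i) for i in ids)
            for name, c in policies.items()}

if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:10} user1={result[0]} user2={result[1]}")
```

In this evaluation the `serverless-*` pattern passes for any database user and any serverless workgroup ID under the account prefix, while the exact `StringEquals` value passes only for the one listed user.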
Hi, did you resolve this issue?