What is IAM role to set redshift user permission for allow query external data (Glue) from difference AWS account

Question

I have 2 AWS accounts, Account "A" contain AWS Redshift and Account "B" has external data that crawler from S3.  
## What I have done
 
#### Account A
1. Attached spectrum role to Redshift 
![spectrum role in account](/media/postImages/original/IMVL6YqmU6Td-_p-w7-iz02Q) 
 2. Attached inline policy in `role1` to sync between both account
 
```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "StatementAllowToReadCrawler",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::xxxxx:role/role2"
        }
    ]
}
```
3.  In Inline policy also add Trust relationships

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "redshift.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```

#### Account B
1. Attached role to access S3 and Glue.
![Enter image description here](/media/postImages/original/IMmw6oN_loTny18yXKQIW86Q)
2. Attached custom role name `role2`

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:PutObject",
                "s3:PutObjectLegalHold",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::test*"
            ]
        }
```
3. In `role2` also add trust relationships

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "glue.amazonaws.com",
                "AWS": "arn:aws:iam::yyyyyyyyyy:role/role1"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```
## Result
After I ran script to create external database from data catalog. Then I can query data from that external database with root. **But I need to query with another user.**

####To grant database permission

I have run this script

```
grant select on EXTERNAL TABLE "schema"."database"."tableName" to read_user
```

I got this result

```
Grantee can only be an IAM Role or PUBLIC for grants on external resources
```

Answer

Create an IAM role in the AWS account that contains the AWS Glue data catalog and data. This role should allow redshift to assume it.

Create an IAM role in the AWS account with the Redshift cluster. Attach this role to the cluster.

The role attached to the Redshift cluster should be granted permissions to assume the role created in Step 1.

Grant the USAGE permission on the AWS Glue database to the IAM principal representing the role attached to the Redshift cluster. For example:

```
GRANT USAGE ON DATABASE awsdatacatalog TO 'IAM:role-attached-to-redshift';

```
Connect to Redshift using the "Temporary credentials using your IAM identity" authentication method. This will allow querying the external AWS Glue data catalog using three-part names starting with 
`awsdatacatalog.database_name.table_name`
.

What is IAM role to set redshift user permission for allow query external data (Glue) from difference AWS account

What I have done

Account A

Account B

Result

관련 콘텐츠