By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Redshift datashare same account requires encryption

0

Hello , I created datashare between serverless redshift workgroup and a provisioned redshift cluster ,

`

-- serverless

CREATE DATASHARE aggregated_tables
SET PUBLICACCESSIBLE = TRUE  ;


ALTER DATASHARE aggregated_tables
ADD SCHEMA public ;

ALTER DATASHARE aggregated_tables
ADD SCHEMA audience_insights ; 

ALTER DATASHARE aggregated_tables
ADD ALL TABLES IN SCHEMA public, another_schema ;

ALTER DATASHARE aggregated_tables
SET INCLUDENEW = TRUE FOR SCHEMA public; 

ALTER DATASHARE aggregated_tables
SET INCLUDENEW = TRUE FOR SCHEMA another_schema; 

GRANT USAGE ON DATASHARE aggregated_tables
TO NAMESPACE 'provisioned_namespace' ;
-- provisioned namespace

DESC DATASHARE aggregated_tables ;

`

And on provisioned I ran : `

-- Permanent redshift

CREATE DATABASE shared_aggregated_database
FROM DATASHARE aggregated_tables
OF ACCOUNT 'XXXXXX' namespace 'serverless_namespace';
-- serverless namespace

DESC DATASHARE aggregated_tables OF ACCOUNT 'xxxxxxx' NAMESPACE 'serverless_namespace';`

In the editor the shared_aggregated_database is empty

and when i ran a query directly i receive ERROR: The consumer and producer cluster have different encryption type.

Serverless is encrypted by default , provisioned cluster is NOT , they are both on same aws account .

In documentations it only mentions encryption for CROSS ACCOUNT ACCESSS

https://docs.aws.amazon.com/redshift/latest/dg/considerations.html

or is it also required for same account ??

Topics
DatabaseAnalytics
Tags
DatabaseAmazon RedshiftEncryption
Language
English
zied
asked 3 months ago260 views
2 Answers
1
Accepted Answer

@zied Amazon Redshift data sharing can happen between two Redshift homogenous environments - by this i mean if one of them is encrypted then the other one will also need to be encrypted. Since Amazon Redshift Serverless is encrypted by default and if you are doing data sharing with a provisioned cluster it has to be encrypted as well. I understand this is not clearly documented and I will check on this with the documentation team. Please feel free to comment if you have any questions.

AWS
EXPERT
Ranjan Burman - AWS
answered 3 months ago
profile pictureAWS
EXPERT
Srikant Das
reviewed 2 months ago
0

Hello,

For cross-account and cross-Region data sharing, both the producer and consumer clusters and serverless namespaces must be encrypted. This is for security purposes. However, they don't need to share the same encryption key. Ref - https://docs.aws.amazon.com/redshift/latest/dg/considerations.html

Kindly please check and confirm if both provisioned cluster and serverless namespace are in same region or different region.

Thank you !

AWS
SUPPORT ENGINEER
Mounika_K
answered 3 months ago
  • zied
    3 months ago

    Hello again and thank you for your answer , my question (also title ) doesnt refere to cross account case , Im asking if we use datashare in the SAME ACCOUNT , do i need encryption in both clusters producer and consumer or not ? Thank you

  • Mounika_K SUPPORT ENGINEER
    3 months ago

    Hello, as mentioned previously even for cross-Region (regardless of same or cross-account) we need both producer and consumer to be encrypted. Hence, I requested you to kindly check if and confirm if both provisioned cluster and serverless namespace are in same region or different region.

    In case if both clusters are in same region and same account, please feel free to support team so that they can diagnose the root cause of issue.

    I hope you find this helpful. Kindly please reconsider the voting on previous response.

    Thank you !!

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content