Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

REFRESH MATERIALIZED VIEW Query runs when ran Manually in Redshift serverless cluster Console but fails While Scheduled in Redshift With "Only owner of the VIEW can invoke REFRESH" error.

0

Details; I am using adminetluser while connecting to the cluster. adminetluser is a super user and also the owner of the resultant table and the view that I am invoking refresh on.

I am using redsiftetluser as the iam user for the task. The task is broadcasting kinesis stream data into redshift realtime. kinesis stream is connected to mongodb DB using triggers and connected through eventbridge. External schema is created in redshift from kinesis using redshiftkinesisrole which is an iam role used for the tasks.

redsiftetluser has the following permissions:

  1. AdministratorAccess
  2. AmazonEventBridgeFullAccess
  3. AmazonRedshiftAllCommandsFullAccess
  4. AmazonRedshiftDataFullAccess
  5. AmazonRedshiftFullAccess
  6. AmazonRedshiftQueryEditorV2FullAccess
  7. and an inline policy which looks like below

{ "Version": "2012-10-17", "Statement": [ { "Sid": "S3", "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::{account_id}:role/redshiftkinesisrole" } ] }

redshiftkinesisrole has the following policies attached;

  1. AmazonEventBridgeFullAccess
  2. AmazonRedshiftDataFullAccess
  3. An inline policy which looks like below

{ "Version": "2012-10-17", "Statement": [ { "Sid": "UseTemporaryCredentialsForAllServerlessWorkgroups", "Effect": "Allow", "Action": "redshift-serverless:GetCredentials", "Resource": [ "arn:aws:redshift-serverless:::workgroup/*" ] } ] }

  1. and anothe inline policy for kinesis access which looks like this

{ "Version": "2012-10-17", "Statement": [ { "Sid": "ReadStream", "Effect": "Allow", "Action": [ "kinesis:DescribeStreamSummary", "kinesis:GetShardIterator", "kinesis:GetRecords", "kinesis:DescribeStream" ], "Resource": "" }, { "Sid": "ListStream", "Effect": "Allow", "Action": [ "kinesis:ListStreams", "kinesis:ListShards" ], "Resource": "" } ] }

  1. and finally the trust relationships for the redshiftkinesisrole looks like this

{ "Version": "2012-10-17", "Statement": [ { "Sid": "S1", "Effect": "Allow", "Principal": { "Service": "events.amazonaws.com" }, "Action": "sts:AssumeRole" }, { "Sid": "S2", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::{account_id}:user/redshiftetl" }, "Action": "sts:AssumeRole" } ] }

So with this setup, I am able to refresh the views and update the table realtime when I run the query manually in redshift but it fails when scheduled. And the error message is "only owner of the view can invoke refresh".

I am stuck here from days and don't know what to do. Tried hundred things but nothing seems to work? Are the environments variables different for redhsift schedule queries and redhsift console? DO I need more permissions or a different setup?

Please help.

Topics
AnalyticsInternet of Things (IoT)Security, Identity, & Compliance
Tags
Amazon KinesisAWS Identity and Access ManagementAmazon RedshiftIAM PoliciesAmazon Redshift Serverless
Language
English
asked a year ago531 views
1 Answer
0

Select * from pg_users

You will see someone called iam:rolenameusedtosetupscheduledquery

Grant that user sys:superuser role

answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content