AWS Redshift Serverless COPY Error

0

I am trying to copy data from S3 into redshift serverless and get the following error.

ERROR: Not authorized to get credentials of role arn:aws:iam::xxx Detail: ----------------------------------------------- error: Not authorized to get credentials of role arn:aws:iam::xxx code: 30000 context: query: 5031 location: xen_aws_credentials_mgr.cpp:402 process: padbxxx [pid=10282] ----------------------------------------------- [ErrorId: 1-6209a3af-30de21be27e8b5e412626606]

The role used has AmazonRedshiftAllCommandsFullAccess and AmazonRedshift-CommandsAccessPolicy-20220213T191838 which was created through the UI as well as a trust relationship as follows

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "sagemaker.amazonaws.com",
          "redshift-serverless.amazonaws.com",
          "redshift.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Am I missing something?

bnroths
asked 2 years ago, 2018 views
3 Answers
0

is the role set as Default role?

and are you providing the authorization in the copy command?

it might be best to open support ticket if these do not help

AWS
answered 2 years ago
0

I have the same issue. Opened up a support case but some AWS support engineers don't really know the ins and outs of Redshift serverless, which is understandable. Serverless == Blackbox. No one knows what's going on inside.

In my case, putting "redshift-serverless.amazonaws.com" doesn't work either. The root cause is that I have "Condition" in the trusted entity:

"Condition": {
    "StringLike": {
        "sts:ExternalId": [
            "arn:aws:redshift:<region>:<account-id>:dbuser:<cluster-name>/<user>",
            "arn:aws:redshift:<region>:<account-id>:dbuser:<workgroup-name>/<user>"
        ]
    }
}

although this Redshift serverless documentation says

* For regular Redshift cluster use the following ARN format: arn:aws:redshift:<region>:<account-id>:dbuser:<cluster-name>/<user-name>
* For serverless Redshift use the following ARN format: arn:aws:redshift:<region>:<account-id>:dbuser:<workgroup-name>/<user-name>

the serverless ARN format is wrong. After countless rounds of trial and error, I discovered that only this ARN format arn:aws:redshift:<region>:<account-id>:dbuser:serverless-* works for serverless. But I couldn't figure out what the wildcard * represents. And of course, removing the "Condition" section entirely works too.

Zach
answered 6 months ago
0

I had this same issue, but after a ton of trial and error and looking through AssumeRole events in CloudTrail I was able to find that the format of the dbuser ARN in Redshift serverless is actually arn:aws:redshift:<region>:<account-id>:dbuser:serverless-<account-id>-<workgroup-id>/<user-name>. This format isn’t documented by AWS anywhere that I've seen, and the existing documentation says to use the format arn:aws:redshift:<region>:<account-id>:dbuser:<workgroup-name>/<user-name> for Redshift serverless, but as Zach mentioned that doesn't work.

An example of an IAM role's trust relationship using this format:

{
  "Version": "2012-10-17",
  "Statement": [
  {
    "Effect": "Allow",
    "Principal": { 
      "Service": "redshift.amazonaws.com" 
    },
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {
        "sts:ExternalId": [
          "arn:aws:redshift:us-west-2:123456789012:dbuser:serverless-123456789012-my-workgroup-id1/user1"
        ]
      }
    }
  }]
}

The AWS CLI can be used to get the workgroup id:

 aws redshift-serverless get-workgroup --workgroup-name <workgroup-name> --query '*.workgroupId | [0]'
answered 4 months ago
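The two answers above describe four trust-policy variants: the documented `<workgroup-name>/<user-name>` ExternalId (which does not match), Zach's `serverless-*` StringLike pattern, the exact `serverless-<account-id>-<workgroup-id>/<user-name>` value under StringEquals, and no Condition at all. The following script is an added example, not code from the thread or from AWS: it builds the serverless ExternalId from its parts and evaluates a trust policy against it offline, so you can check a policy before redeploying the role. The region, account id, workgroup id and user name are constructed sample values, and the evaluator is a simplified model of IAM string conditions (only `StringEquals` and `StringLike` on `sts:ExternalId` are modelled, matching is case-sensitive, and any other condition operator or key is treated conservatively as not satisfied).

```python
import json
import re

# Constructed sample values (not a real account or workgroup).
REGION, ACCOUNT, WORKGROUP_ID, DB_USER = "us-west-2", "123456789012", "my-workgroup-id1", "user1"


def serverless_external_id(region, account_id, workgroup_id, db_user):
    """The ExternalId Redshift Serverless presents on AssumeRole, per the answer above."""
    return f"arn:aws:redshift:{region}:{account_id}:dbuser:serverless-{account_id}-{workgroup_id}/{db_user}"


def iam_pattern_to_regex(pattern):
    """IAM StringLike wildcards: '*' matches any run of characters, '?' matches one."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def external_id_allowed(trust_policy, external_id, service="redshift.amazonaws.com"):
    """True if some Allow statement lets `service` call sts:AssumeRole with this ExternalId.

    A statement with no Condition accepts any ExternalId. Condition operators or keys
    other than StringEquals/StringLike on sts:ExternalId are not modelled and are
    treated as NOT satisfied (assumption: a conservative audit result is preferable).
    """
    doc = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        services = st.get("Principal", {}).get("Service", [])
        services = [services] if isinstance(services, str) else services
        if service not in services:
            continue
        satisfied = True
        for operator, keys in st.get("Condition", {}).items():
            for key, values in keys.items():
                values = [values] if isinstance(values, str) else values
                if key.lower() != "sts:externalid":
                    satisfied = False
                elif operator == "StringEquals":
                    satisfied = external_id in values
                elif operator == "StringLike":
                    satisfied = any(iam_pattern_to_regex(v).match(external_id) for v in values)
                else:
                    satisfied = False
                if not satisfied:
                    break
            if not satisfied:
                break
        if satisfied:
            return True
    return False


def make_trust_policy(operator=None, external_ids=None):
    """Build a minimal trust policy in the shape shown in the answer above."""
    stmt = {"Effect": "Allow", "Principal": {"Service": "redshift.amazonaws.com"}, "Action": "sts:AssumeRole"}
    if operator:
        stmt["Condition"] = {operator: {"sts:ExternalId": external_ids}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


EXPECTED = serverless_external_id(REGION, ACCOUNT, WORKGROUP_ID, DB_USER)
POLICIES = {
    # The format the documentation gives for serverless; it does not match.
    "documented": make_trust_policy("StringLike", [f"arn:aws:redshift:{REGION}:{ACCOUNT}:dbuser:my-workgroup/{DB_USER}"]),
    # Zach's wildcard form.
    "wildcard": make_trust_policy("StringLike", [f"arn:aws:redshift:{REGION}:{ACCOUNT}:dbuser:serverless-*"]),
    # Exact value, which is the tightest option.
    "exact": make_trust_policy("StringEquals", [EXPECTED]),
    # No Condition: any caller of the service principal may assume the role.
    "no_condition": make_trust_policy(),
}


def audit(policies=POLICIES, external_id=EXPECTED):
    """Map each policy name to whether the expected serverless ExternalId would be accepted."""
    return {name: external_id_allowed(policy, external_id) for name, policy in policies.items()}


if __name__ == "__main__":
    print(EXPECTED)
    for name, ok in audit().items():
        print(f"{name:13s} -> {'accepted' if ok else 'REJECTED'}")
```

Of the variants that work, the `StringEquals` form ties the role to one workgroup and one database user, while `serverless-*` or no Condition accepts any workgroup (and, for the latter, any caller the service principal acts for), so prefer the exact value once you have confirmed the workgroup id from `get-workgroup` or from the AssumeRole events in CloudTrail.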
