Is the role set as the default role?
And are you providing the authorization in the COPY command?
It might be best to open a support ticket if these do not help.
I have the same issue. Opened up a support case but some AWS support engineers don't really know the ins and outs of Redshift serverless, which is understandable. Serverless == Blackbox. No one knows what's going on inside.
In my case, putting "redshift-serverless.amazonaws.com" doesn't work either. The root cause is that I have "Condition" in the trusted entity:
"Condition": {
    "StringLike": {
        "sts:ExternalId": [
            "arn:aws:redshift:<region>:<account-id>:dbuser:<cluster-name>/<user>",
            "arn:aws:redshift:<region>:<account-id>:dbuser:<workgroup-name>/<user>"
        ]
    }
}
although this Redshift serverless documentation says
* For regular Redshift cluster use the following ARN format: arn:aws:redshift:<region>:<account-id>:dbuser:<cluster-name>/<user-name>
* For serverless Redshift use the following ARN format: arn:aws:redshift:<region>:<account-id>:dbuser:<workgroup-name>/<user-name>
the serverless ARN format is wrong. After countless trial-n-error, I discovered that only this ARN format arn:aws:redshift:<region>:<account-id>:dbuser:serverless-* works for serverless. But I couldn't figure out what the wildcard * represents. And of course, removing the "Condition" section entirely works too.
I had this same issue, but after a ton of trial and error and looking through AssumeRole events in CloudTrail I was able to find that the format of the dbuser ARN in Redshift serverless is actually arn:aws:redshift:<region>:<account-id>:dbuser:serverless-<account-id>-<workgroup-id>/<user-name>. This format isn't documented by AWS anywhere that I've seen, and the existing documentation says to use the format arn:aws:redshift:<region>:<account-id>:dbuser:<workgroup-name>/<user-name> for Redshift serverless, but as Zach mentioned that doesn't work.
An example of an IAM role's trust relationship using this format:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "redshift.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": [
                        "arn:aws:redshift:us-west-2:123456789012:dbuser:serverless-123456789012-my-workgroup-id1/user1"
                    ]
                }
            }
        }
    ]
}
The AWS CLI can be used to get the workgroup id:
aws redshift-serverless get-workgroup --workgroup-name <workgroup-name> --query '*.workgroupId | [0]'
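To make the two answers above concrete (the wildcard `serverless-*` observation and the exact `serverless-<account-id>-<workgroup-id>/<user-name>` format seen in CloudTrail), here is an added example that is not part of the thread or of any AWS code. It builds the trust policy from the second answer and evaluates its `sts:ExternalId` condition the way IAM does (`StringEquals` is an exact match, `StringLike` treats `*` and `?` as wildcards, the listed values are ORed), so you can see offline which candidate ExternalId values a given trust policy would accept. The region, account id, workgroup name and id, and user names are constructed sample values; the helper names are hypothetical.

```python
import re

# Constructed sample values for this example; substitute your own.
REGION = "us-west-2"
ACCOUNT = "123456789012"
WORKGROUP_NAME = "my-workgroup"
WORKGROUP_ID = "my-workgroup-id1"   # from: aws redshift-serverless get-workgroup ...
DB_USER = "user1"


def serverless_dbuser_arn(region, account, workgroup_id, user):
    """dbuser ARN Redshift Serverless presents as sts:ExternalId
    (format reported from CloudTrail AssumeRole events in the thread)."""
    return f"arn:aws:redshift:{region}:{account}:dbuser:serverless-{account}-{workgroup_id}/{user}"


def build_trust_policy(external_ids, operator="StringEquals"):
    """Trust policy that lets redshift.amazonaws.com assume the role only when
    the sts:ExternalId it presents matches one of `external_ids`."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "redshift.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {operator: {"sts:ExternalId": list(external_ids)}},
        }],
    }


def _string_like_regex(pattern):
    # IAM StringLike: '*' matches any run of characters, '?' exactly one;
    # everything else is literal.
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def condition_matches(trust_policy, external_id):
    """Evaluate the sts:ExternalId condition of the first statement.
    Multiple operators are ANDed; the values under one key are ORed,
    which mirrors IAM's condition semantics. No Condition block means
    any ExternalId (or none at all) is accepted."""
    condition = trust_policy["Statement"][0].get("Condition") or {}
    if not condition:
        return True
    for operator, keys in condition.items():
        values = keys.get("sts:ExternalId", [])
        if operator == "StringEquals":
            ok = external_id in values
        elif operator == "StringLike":
            ok = any(_string_like_regex(v).match(external_id) for v in values)
        else:
            raise ValueError(f"unsupported operator in example: {operator}")
        if not ok:
            return False
    return True


def compare_formats():
    """Check the ARN formats discussed in the thread against the ExternalId
    Redshift Serverless actually sends. Returns {label: accepted?}."""
    actual = serverless_dbuser_arn(REGION, ACCOUNT, WORKGROUP_ID, DB_USER)
    prefix = f"arn:aws:redshift:{REGION}:{ACCOUNT}:dbuser:"
    documented = build_trust_policy([f"{prefix}{WORKGROUP_NAME}/{DB_USER}"])
    wildcard = build_trust_policy([f"{prefix}serverless-*"], operator="StringLike")
    exact = build_trust_policy([actual])
    return {
        "documented workgroup-name format": condition_matches(documented, actual),
        "wildcard serverless-*": condition_matches(wildcard, actual),
        "exact serverless-<account>-<workgroup-id>/<user>": condition_matches(exact, actual),
        # The exact form also pins the role to one database user: a different
        # user on the same workgroup is rejected, which the wildcard would allow.
        "exact format, different user": condition_matches(
            exact, serverless_dbuser_arn(REGION, ACCOUNT, WORKGROUP_ID, "user2")),
        "no Condition block": condition_matches(build_trust_policy([]) | {
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole"}]}, actual),
    }


if __name__ == "__main__":
    for label, accepted in compare_formats().items():
        print(f"{'ACCEPTED' if accepted else 'rejected':8}  {label}")
```

The documented `<workgroup-name>/<user-name>` value never equals the ARN Redshift Serverless presents, so that policy is rejected regardless of operator, which is the symptom both answers describe. The `serverless-*` wildcard accepts every serverless workgroup and user in the account, while the exact format from CloudTrail limits the role to one workgroup and one database user, so prefer the exact value once you have the workgroup id from `get-workgroup`.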
Hi, Did you resolve this issue?