By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

What is IAM role to set redshift user permission for allow query external data (Glue) from difference AWS account

0

I have 2 AWS accounts, Account "A" contain AWS Redshift and Account "B" has external data that crawler from S3.

What I have done

Account A

  1. Attached spectrum role to Redshift spectrum role in account
  2. Attached inline policy in role1 to sync between both account
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "StatementAllowToReadCrawler",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::xxxxx:role/role2"
        }
    ]
}
  1. In Inline policy also add Trust relationships
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "redshift.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Account B

  1. Attached role to access S3 and Glue. Enter image description here
  2. Attached custom role name role2
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:PutObject",
                "s3:PutObjectLegalHold",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::test*"
            ]
        }
  1. In role2 also add trust relationships
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "glue.amazonaws.com",
                "AWS": "arn:aws:iam::yyyyyyyyyy:role/role1"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Result

After I ran script to create external database from data catalog. Then I can query data from that external database with root. But I need to query with another user.

####To grant database permission

I have run this script

grant select on EXTERNAL TABLE "schema"."database"."tableName" to read_user

I got this result

Grantee can only be an IAM Role or PUBLIC for grants on external resources
Topics
AnalyticsSecurity, Identity, & Compliance
Tags
Amazon AthenaAWS GlueAmazon RedshiftAWS IAM Identity Center
Language
English
ParinMing
asked 2 months ago269 views
1 Answer
1

Create an IAM role in the AWS account that contains the AWS Glue data catalog and data. This role should allow redshift to assume it.

Create an IAM role in the AWS account with the Redshift cluster. Attach this role to the cluster.

The role attached to the Redshift cluster should be granted permissions to assume the role created in Step 1.

Grant the USAGE permission on the AWS Glue database to the IAM principal representing the role attached to the Redshift cluster. For example:

GRANT USAGE ON DATABASE awsdatacatalog TO 'IAM:role-attached-to-redshift';

Connect to Redshift using the "Temporary credentials using your IAM identity" authentication method. This will allow querying the external AWS Glue data catalog using three-part names starting with awsdatacatalog.database_name.table_name .

profile picture
EXPERT
Giovanni Lauria
answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content