
Redshift spectrum cross account access

0

I'm using Redshift Serverless to access tables in a Glue catalog and S3 in a different account (same region, eu-west-1). I already have access to those tables using my account's Glue and Athena. In the other account (let's call it account 2), I have attached a Glue resource policy that allows account_1:root to have access to everything.

So the problem is that although I can access the tables from account_1 using Glue and Athena, it doesn't seem possible to access them using Redshift Serverless Spectrum (which has a role allowing all Athena, Glue and S3 access in account_1 and trusts or sts:assume arn:aws:iam::ACCOUNT_2:root).

I tried running the CREATE EXTERNAL SCHEMA in different ways:

CREATE EXTERNAL SCHEMA IF NOT EXISTS my_external_schema
from data catalog
database 'my_database_in_athena_glue'
iam_role 'arn:aws:iam::ACCOUNT_1:role/full_access_account_1,arn:aws:iam::ACCOUNT_2:root';

and

create external schema my_external_schema
from data catalog
database 'my_database_in_athena_glue'
iam_role 'arn:aws:iam::ACCOUNT_1:role/full_access_account_1'
region 'eu-west-1';

In both cases it doesn't work.

I know that the main (and maybe the only) way to do it is simply creating one role for account 1 and another role for account 2 as mentioned here https://repost.aws/knowledge-center/redshift-cross-account-glue-s3 (I didn't find other docs elsewhere), but the question is mainly: what if I don't have a role in account 2 but only a Glue resource policy that allows account_1:root to have Glue and S3 access?

1 Answer
0
Accepted Answer

Even though this is not explicitly mentioned in the AWS Glue docs as an exception for Redshift (see here https://docs.aws.amazon.com/glue/latest/dg/cross-account-access.html#cross-account-how-works), Redshift namespaces and attached workgroups only work with IAM roles, meaning the moment you create your new Redshift namespace you have to specify a role to attach to Redshift (even if that argument in the APIs is optional; if you don't specify it, it will either stay empty or be attached automatically if created from the console). See more in https://docs.aws.amazon.com/redshift/latest/mgmt/default-iam-role.html

SO THE ANSWER IS: the only way to access cross-account using Spectrum is by defining double roles in the owner and consumer accounts to allow sts:AssumeRole in the corresponding policies.

answered a year ago
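The double-role setup the accepted answer describes, as an added example that is not part of the original thread or of any AWS tool: a small offline Python check that models the Redshift Spectrum role chain (the comma-separated `iam_role` value), the trust policy on the owner-account role, and the `sts:AssumeRole` permission on the consumer-account role, and flags the pattern from the question's first attempt (an account root ARN as the second hop). Account IDs, role names, policy documents and the function names are constructed placeholders and assumptions, not real resources.

```python
"""Added example (not code from the re:Post thread): offline sanity check of a
Redshift Spectrum cross-account IAM role chain before running
CREATE EXTERNAL SCHEMA. Account IDs, role names and policy documents are
constructed placeholders, not real resources."""
import re

# Redshift role chaining: the iam_role clause takes a comma-separated list of
# role ARNs, each hop assuming the next. Every hop must be a *role*; an account
# root ARN is not assumable, which is why the question's first attempt fails.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
ROOT_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):root$")

ACCOUNT_1 = "111111111111"  # constructed: Redshift namespace (consumer) account
ACCOUNT_2 = "222222222222"  # constructed: Glue catalog / S3 (owner) account
ROLE_1 = f"arn:aws:iam::{ACCOUNT_1}:role/redshift-spectrum-consumer"
ROLE_2 = f"arn:aws:iam::{ACCOUNT_2}:role/glue-s3-owner-access"

# Constructed trust policies: ROLE_1 is assumable by the Redshift service,
# ROLE_2 trusts ROLE_1 (a role, not account_1:root) so the chain can complete.
TRUST_POLICIES = {
    ROLE_1: {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "redshift.amazonaws.com"},
         "Action": "sts:AssumeRole"}]},
    ROLE_2: {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ROLE_1},
         "Action": "sts:AssumeRole"}]},
}
# Constructed permission policy on ROLE_1: it must be allowed to assume ROLE_2.
PERMISSION_POLICIES = {
    ROLE_1: {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_2}]},
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def parse_chain(iam_role):
    """Split the iam_role clause value into hops (Redshift expects no spaces)."""
    return [hop.strip() for hop in iam_role.split(",") if hop.strip()]


def trusted_aws_principals(trust_policy):
    """AWS principals that an Allow/sts:AssumeRole statement lets assume the role."""
    out = set()
    for stmt in trust_policy.get("Statement", []):
        actions = set(_as_list(stmt.get("Action")))
        if stmt.get("Effect") != "Allow" or not actions & {"sts:AssumeRole", "sts:*"}:
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            out.update(_as_list(principal.get("AWS")))
    return out


def trusts_role(trust_policy, role_arn):
    """A trust policy admits a role directly, or via its account root / account id."""
    account = ROLE_ARN_RE.match(role_arn).group(1)
    trusted = trusted_aws_principals(trust_policy)
    return bool(trusted & {role_arn, f"arn:aws:iam::{account}:root", account})


def may_assume(permission_policy, target_arn):
    """True if the caller's permission policy allows sts:AssumeRole on target."""
    for stmt in permission_policy.get("Statement", []):
        actions = set(_as_list(stmt.get("Action")))
        resources = set(_as_list(stmt.get("Resource")))
        if (stmt.get("Effect") == "Allow" and actions & {"sts:AssumeRole", "sts:*"}
                and resources & {target_arn, "*"}):
            return True
    return False


def validate_chain(iam_role, namespace_account, trust_policies, permission_policies):
    """Return a list of problems; an empty list means the chain is plausible."""
    problems = []
    chain = parse_chain(iam_role)
    if not chain:
        return ["iam_role is empty"]
    for i, arn in enumerate(chain):
        m = ROLE_ARN_RE.match(arn)
        if not m:
            kind = "account root" if ROOT_ARN_RE.match(arn) else "an unrecognised"
            problems.append(f"hop {i}: {arn} is {kind} ARN, not a role ARN; only roles can be assumed")
            continue
        if i == 0 and m.group(1) != namespace_account:
            problems.append(f"hop 0: {arn} must be a role in the namespace account {namespace_account}")
        if i > 0:
            prev = chain[i - 1]
            if not ROLE_ARN_RE.match(prev):
                continue  # already reported on the previous hop
            if not trusts_role(trust_policies.get(arn, {}), prev):
                problems.append(f"hop {i}: trust policy of {arn} does not admit {prev}")
            if not may_assume(permission_policies.get(prev, {}), arn):
                problems.append(f"hop {i}: {prev} has no sts:AssumeRole permission on {arn}")
    return problems


def create_external_schema_sql(schema, database, iam_role, region):
    """Render the CREATE EXTERNAL SCHEMA statement for a validated role chain."""
    return (f"CREATE EXTERNAL SCHEMA IF NOT EXISTS {schema}\n"
            f"FROM DATA CATALOG\nDATABASE '{database}'\n"
            f"IAM_ROLE '{iam_role}'\nREGION '{region}';")


if __name__ == "__main__":
    bad = f"{ROLE_1},arn:aws:iam::{ACCOUNT_2}:root"   # shape of the question's first attempt
    good = f"{ROLE_1},{ROLE_2}"                         # the answer's double-role setup
    for chain in (bad, good):
        print(chain, "->", validate_chain(chain, ACCOUNT_1, TRUST_POLICIES, PERMISSION_POLICIES) or "OK")
    print(create_external_schema_sql("my_external_schema", "my_database_in_athena_glue", good, "eu-west-1"))
```

Running the script reports the root-ARN hop as the problem in the first chain and accepts the second, then prints the statement to run once both roles exist; the check is deliberately a local model and says nothing about the Glue resource policy or S3 bucket policy, which still have to grant the owner-account role (hop 2) access to the catalog and the data.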
