AWS Redshift

Configuring AWS Redshift for Veza discovery

The recommended AWS connector policy only includes API permissions to get authorization metadata for Redshift clusters. To connect to Redshift databases for full discovery, a local Redshift user is required, along with the redshift:GetClusterCredentials IAM privilege to obtain temporary credentials for that user. You can allow this via IAM policy in one of two ways, described in the steps below.

Additionally, the local user will also need read-only database permissions on the warehouses to discover.

1. Update AWS IAM policy

A) AWS can automatically create a local user with the same name as the IAM principal initiating the connection. This can be accomplished in your policy using the policy variable ${redshift:DbUser} in the dbuser resource ARN, as in line 6 of the following example:

{
    "Sid": "RedshiftCredentials",
    "Effect": "Allow",
    "Action": "redshift:GetClusterCredentials",
    "Resource": [
        "arn:aws:redshift:<region>:<account-id>:dbuser:<cluster-name>/${redshift:DbUser}",
        "arn:aws:redshift:<region>:<account-id>:dbname:<cluster-name>/*"
    ]
},
{
    "Sid": "RedshiftDescribe",
    "Effect": "Allow",
    "Action": [
        "redshift:DescribeClusters",
        "redshift-data:GetStatementResult",
        "redshift-data:DescribeStatement"
    ],
    "Resource": "*"
},
{
    "Sid": "RedshiftExecute",
    "Effect": "Allow",
    "Action": "redshift-data:ExecuteStatement",
    "Resource": "arn:aws:redshift:<region>:<account-id>:cluster:<cluster-name>"
}

Note that the name of the provisioned Redshift user will be transformed to lowercase, and any dashes will be replaced with underscores (for an IAM user or role named Veza-AI, the Redshift user name will be veza_ai).

You will still need to manually grant the SELECT privileges for the local user using the commands in the Grant Database Permissions section.

B) If you would prefer to connect as a local user that you will create yourself, you must specify that user explicitly in the policy, for example:

{
    "Sid": "RedshiftCredentials",
    "Effect": "Allow",
    "Action": "redshift:GetClusterCredentials",
    "Resource": [
        "arn:aws:redshift:<region>:<account-id>:dbuser:<cluster-name>/<db_user>",
        "arn:aws:redshift:<region>:<account-id>:dbname:<cluster-name>/*"
    ]
},
{
    "Sid": "RedshiftDescribe",
    "Effect": "Allow",
    "Action": [
        "redshift:DescribeClusters",
        "redshift-data:GetStatementResult",
        "redshift-data:DescribeStatement"
    ],
    "Resource": "*"
},
{
    "Sid": "RedshiftExecute",
    "Effect": "Allow",
    "Action": "redshift-data:ExecuteStatement",
    "Resource": "arn:aws:redshift:<region>:<account-id>:cluster:<cluster-name>"
}

The <db_user> username must be the same as the "Redshift DB User" specified for the AWS account under Administration > Configuration.

Connect to the Redshift warehouse and create the user:

-- Replace veza_user with the <db_user> name from the policy above.
CREATE USER veza_user WITH PASSWORD 'YOUR_PASSWORD';
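As an added check that is not part of the Veza or AWS documentation, the following Python script lints a policy shaped like the two examples above for least privilege before it is attached: the dbuser ARN must name exactly one user (the ${redshift:DbUser} variable for option A, or the explicit local user for option B), ExecuteStatement must be pinned to one cluster ARN, and no wildcard or surplus actions may appear. It also derives the auto-created user name for an IAM principal using the lowercase-and-underscore transform described above. The region, account id and cluster name in the sample policy are constructed values, not from the page.

```python
"""Added example (not Veza's or AWS's own code): lint a Redshift discovery
policy shaped like the ones in this guide, and derive the database user name
AWS auto-creates for an IAM principal under option A."""
import copy
import json
from typing import List, Optional

# Constructed sample: the option A policy above, with a made-up region,
# account id and cluster name filled in for illustration.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RedshiftCredentials",
      "Effect": "Allow",
      "Action": "redshift:GetClusterCredentials",
      "Resource": [
        "arn:aws:redshift:us-east-1:123456789012:dbuser:analytics-cluster/${redshift:DbUser}",
        "arn:aws:redshift:us-east-1:123456789012:dbname:analytics-cluster/*"
      ]
    },
    {
      "Sid": "RedshiftDescribe",
      "Effect": "Allow",
      "Action": [
        "redshift:DescribeClusters",
        "redshift-data:GetStatementResult",
        "redshift-data:DescribeStatement"
      ],
      "Resource": "*"
    },
    {
      "Sid": "RedshiftExecute",
      "Effect": "Allow",
      "Action": "redshift-data:ExecuteStatement",
      "Resource": "arn:aws:redshift:us-east-1:123456789012:cluster:analytics-cluster"
    }
  ]
}
""")

# The only actions the guide's policy needs; anything else is surplus privilege.
REQUIRED_ACTIONS = {
    "redshift:GetClusterCredentials",
    "redshift:DescribeClusters",
    "redshift-data:DescribeStatement",
    "redshift-data:GetStatementResult",
    "redshift-data:ExecuteStatement",
}

AUTO_USER = "${redshift:DbUser}"  # policy variable: the caller's own principal name


def auto_created_db_user(principal_name: str) -> str:
    """Redshift user name AWS creates under option A: lowercased, dashes -> underscores."""
    return principal_name.lower().replace("-", "_")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_policy(policy: dict, expected_db_user: Optional[str] = None) -> List[str]:
    """Return findings; an empty list means the policy matches the guide's shape.
    Pass expected_db_user for option B (explicit local user); None means option A."""
    findings = []
    granted = set()
    allowed_user = AUTO_USER if expected_db_user is None else expected_db_user
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        granted.update(actions)
        for action in actions:
            if action.endswith("*"):
                findings.append(f"{sid}: wildcard action {action}")
        if "redshift:GetClusterCredentials" in actions:
            # Temporary credentials must be obtainable for exactly one user.
            dbuser_arns = [r for r in resources if ":dbuser:" in r]
            if not dbuser_arns:
                findings.append(f"{sid}: GetClusterCredentials has no dbuser resource")
            for arn in dbuser_arns:
                user = arn.rsplit("/", 1)[-1]
                if user != allowed_user:
                    findings.append(f"{sid}: dbuser ARN allows {user!r}, expected {allowed_user!r}")
            if "*" in resources:
                findings.append(f"{sid}: GetClusterCredentials resource is *")
        if "redshift-data:ExecuteStatement" in actions:
            # Query execution should be pinned to the cluster being discovered.
            for r in resources:
                if ":cluster:" not in r or r.endswith("*"):
                    findings.append(f"{sid}: ExecuteStatement not scoped to one cluster ({r})")
    missing = sorted(REQUIRED_ACTIONS - granted)
    if missing:
        findings.append("missing actions: " + ", ".join(missing))
    surplus = sorted(granted - REQUIRED_ACTIONS)
    if surplus:
        findings.append("surplus actions: " + ", ".join(surplus))
    return findings


def with_db_user(policy: dict, user: str) -> dict:
    """Copy of policy with the user component of every dbuser ARN replaced,
    e.g. to turn the option A sample into an option B policy for a what-if check."""
    new = copy.deepcopy(policy)
    for stmt in new["Statement"]:
        stmt["Resource"] = [
            r.rsplit("/", 1)[0] + "/" + user if ":dbuser:" in r else r
            for r in _as_list(stmt.get("Resource", []))
        ]
    return new


if __name__ == "__main__":
    print("auto-created user for Veza-AI:", auto_created_db_user("Veza-AI"))
    for label, pol, user in [
        ("option A sample", SAMPLE_POLICY, None),
        ("option B sample", with_db_user(SAMPLE_POLICY, "veza_user"), "veza_user"),
        ("over-broad dbuser", with_db_user(SAMPLE_POLICY, "*"), None),
    ]:
        print(label, "->", check_policy(pol, user) or "OK")
```

Run it against the policy you intend to attach (load it with json.load instead of the constructed sample); a dbuser ARN ending in /* would let the connector obtain credentials for any database user on the cluster, which is the finding the over-broad case reports.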

2. Grant Redshift database permissions

The redshift-data:ExecuteStatement permission only allows the Veza service principal to run Redshift queries; the exact data Veza can access is governed within Redshift. Database permissions must be granted to the local user on each instance you want to discover.

Connect to the data warehouse and use the following GRANT SELECT command:

-- Replace veza_user with the local user created for discovery.
GRANT SELECT ON
  pg_catalog.pg_user,
  pg_catalog.pg_group,
  pg_catalog.pg_database,
  pg_catalog.pg_namespace,
  pg_catalog.pg_class,
  pg_catalog.pg_class_info,
  pg_catalog.pg_attribute_info
TO
  veza_user;

The next time Veza conducts discovery for the parent AWS account, the instance will be registered and appear under "Discovered Data Sources" on the Administration > Configuration > Apps and Data Sources tab.

For further reference, see the Example policy for using GetClusterCredentials in the official AWS documentation.
