Configuring AWS Redshift for Veza discovery
The recommended AWS connector policy only includes API permissions to get authorization metadata for Redshift clusters. To connect to Redshift databases for full discovery, the IAM principal needs the redshift:GetClusterCredentials permission for a local Redshift user. You can grant this via IAM policy in one of two ways, described in the steps below.
The local user also needs read-only database permissions on the warehouses you want to discover.
A) AWS can automatically create a local user with the same name as the IAM principal initiating the connection. To allow this, reference the condition key ${redshift:DbUser} in the dbuser resource ARN of your policy, as in line 6 of the following example:
{
  "Sid": "RedshiftCredentials",
  "Effect": "Allow",
  "Action": "redshift:GetClusterCredentials",
  "Resource": [
    "arn:aws:redshift:<region>:<account-id>:dbuser:<cluster-name>/${redshift:DbUser}",
    "arn:aws:redshift:<region>:<account-id>:dbname:<cluster-name>/*"
  ]
},
{
  "Sid": "RedshiftDescribe",
  "Effect": "Allow",
  "Action": [
    "redshift:DescribeClusters",
    "redshift-data:GetStatementResult",
    "redshift-data:DescribeStatement"
  ],
  "Resource": "*"
},
{
  "Sid": "RedshiftExecute",
  "Effect": "Allow",
  "Action": "redshift-data:ExecuteStatement",
  "Resource": "arn:aws:redshift:<region>:<account-id>:cluster:<cluster-name>"
}
Note that the name of the provisioned Redshift user is transformed to lowercase, and any dashes are replaced with underscores (for an IAM user or role named Veza-AI, the Redshift user name will be veza_ai).
You will still need to manually grant SELECT privileges to the local user using the commands in the Grant Database Permissions section.
B) If you would prefer to connect as a local user that you will create yourself, you must specify that user explicitly in the policy, for example:
{
  "Sid": "RedshiftCredentials",
  "Effect": "Allow",
  "Action": "redshift:GetClusterCredentials",
  "Resource": [
    "arn:aws:redshift:<region>:<account-id>:dbuser:<cluster-name>/<db_user>",
    "arn:aws:redshift:<region>:<account-id>:dbname:<cluster-name>/*"
  ]
},
{
  "Sid": "RedshiftDescribe",
  "Effect": "Allow",
  "Action": [
    "redshift:DescribeClusters",
    "redshift-data:GetStatementResult",
    "redshift-data:DescribeStatement"
  ],
  "Resource": "*"
},
{
  "Sid": "RedshiftExecute",
  "Effect": "Allow",
  "Action": "redshift-data:ExecuteStatement",
  "Resource": "arn:aws:redshift:<region>:<account-id>:cluster:<cluster-name>"
}
Connect to the Redshift warehouse and create the user (veza_user is a placeholder; use the same name you put in the <db_user> part of the policy):
CREATE USER veza_user WITH PASSWORD 'YOUR_PASSWORD';
The redshift-data:ExecuteStatement permission only allows the Veza service principal to run Redshift queries; the exact data Veza can access is governed within Redshift. Database permissions must be granted to the local user for each instance you want to discover.
Connect to the data warehouse and run the following GRANT SELECT command, replacing veza_user with the local user name (for option A, this is the transformed IAM principal name, such as veza_ai):
GRANT SELECT ON
  pg_catalog.pg_user,
  pg_catalog.pg_group,
  pg_catalog.pg_database,
  pg_catalog.pg_namespace,
  pg_catalog.pg_class,
  pg_catalog.pg_class_info,
  pg_catalog.pg_attribute_info
TO veza_user;
The next time Veza conducts discovery for the parent AWS account, the instance will be registered and appear under "Discovered Data Sources" on the Integrations > All Data Sources tab.
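To confirm the setup before the next discovery run, the following added example (not Veza's code) exercises the same three permissions the policy grants: it derives the auto-created user name from an IAM principal name as described in option A, then uses the Redshift Data API with DbUser (which fetches temporary credentials through redshift:GetClusterCredentials) to report any of the pg_catalog relations on which the GRANT SELECT is still missing. The cluster, database and region values are assumed placeholders, and boto3 is assumed to be installed where run_check is called.

```python
import re
import time

# The pg_catalog relations covered by the GRANT SELECT statement above.
REQUIRED_TABLES = [
    "pg_catalog.pg_user", "pg_catalog.pg_group", "pg_catalog.pg_database",
    "pg_catalog.pg_namespace", "pg_catalog.pg_class",
    "pg_catalog.pg_class_info", "pg_catalog.pg_attribute_info",
]

def db_user_from_principal(principal_name):
    """Name Redshift gives an auto-created user: lowercase, dashes become underscores."""
    return principal_name.lower().replace("-", "_")

def privilege_check_sql(db_user):
    """One query reporting, per required table, whether db_user holds SELECT."""
    if not re.fullmatch(r"[a-z_][a-z0-9_]*", db_user):
        raise ValueError("unexpected characters in Redshift user name")
    parts = [
        f"SELECT '{t}' AS tbl, has_table_privilege('{db_user}', '{t}', 'select') AS ok"
        for t in REQUIRED_TABLES
    ]
    return " UNION ALL ".join(parts)

def missing_grants(records):
    """Tables lacking SELECT, parsed from Data API GetStatementResult 'Records'."""
    return [row[0]["stringValue"] for row in records if not row[1].get("booleanValue")]

def run_check(cluster, database, db_user, region):
    """Run the check via the Redshift Data API (needs AWS access; boto3 imported lazily)."""
    import boto3  # assumption: boto3 is installed where this runs
    client = boto3.client("redshift-data", region_name=region)
    # Passing DbUser makes the Data API obtain temporary credentials, which is
    # why the policy grants redshift:GetClusterCredentials on the dbuser ARN.
    stmt = client.execute_statement(ClusterIdentifier=cluster, Database=database,
                                    DbUser=db_user, Sql=privilege_check_sql(db_user))
    while True:
        desc = client.describe_statement(Id=stmt["Id"])
        if desc["Status"] in ("FINISHED", "FAILED", "ABORTED"):
            break
        time.sleep(1)
    if desc["Status"] != "FINISHED":
        raise RuntimeError(desc.get("Error", desc["Status"]))
    return missing_grants(client.get_statement_result(Id=stmt["Id"])["Records"])
```

An empty list from run_check means every relation in the GRANT statement is readable by that user; a non-empty list names the grants still to apply.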