Table of Contents

Search

  1. Preface
  2. Part 1: Introduction to Amazon Redshift connectors
  3. Part 2: Data Integration with Amazon Redshift V2 Connector
  4. Part 3: Data Integration with Amazon Redshift Connector

Amazon Redshift Connectors

Amazon Redshift Connectors

Temporary security credentials policy

Temporary security credentials policy

To use the temporary security credentials to access the AWS resources, both the IAM user and IAM role require policies.
The following section lists the policies required for the IAM user and IAM role:
IAM user
An IAM user must have the
sts:AssumeRole
policy to use the temporary security credentials in the same or different AWS account.
The following sample policy allows an IAM user to use the temporary security credentials in an AWS account:
{ "Version":"2012-10-17", "Statement":{ "Effect":"Allow", "Action":"sts:AssumeRole", "Resource":"arn:aws:iam::<ACCOUNT-HYPHENS>:role/<ROLE-NAME>" } }
IAM role
An IAM role must have a
sts:AssumeRole
policy and a trust policy attached with the IAM role to allow the IAM user to access the AWS resource using the temporary security credentials. The policy specifies the AWS resource that the IAM user can access and the actions that the IAM user can perform. The trust policy specifies the IAM user from the AWS account that can access the AWS resource.
The following policy is a sample trust policy:
{ "Version":"2012-10-17", "Statement":[{ "Effect":"Allow", "Principal":{ "AWS":"arn:aws:iam::AWS-account-ID:root" }, "Action":"sts:AssumeRole" } ] } }
Here, in the
Principal
attribute, you can also provide the ARN of IAM user who can use the dynamically generated temporary security credentials and to restrict further access. For example,
"Principal" : { "AWS" : "arn:aws:iam:: AWS-account-ID :user/ user-name " }
To use the temporary security credentials with AWS Key Management Service (AWS KMS)-managed customer master key and enable the encryption with KMS, you must create a KMS policy.
You can perform the following operations to use the temporary security credentials and enable the encryption with KMS:
  • GenerateDataKey
  • DescribeKey
  • Encrypt
  • Decrypt
  • ReEncrypt
Sample policy:
{ "Version":"2012-10-17", "Statement":[{ "Effect":"Allow", "Action":[ "kms:GenerateDataKey", "kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*" ], "Resource":"*" } ] }