Amazon Redshift Connectors

Generate temporary security credentials using AssumeRole for EC2

You can use temporary security credentials obtained through AssumeRole for an Amazon EC2 role to connect to Amazon Redshift from the same or a different AWS account.
The Amazon EC2 role can assume another IAM role in the same or a different AWS account without requiring a Redshift access key and Redshift secret key.
Consider the following prerequisites when you use temporary security credentials obtained through AssumeRole for EC2:
  • To use temporary security credentials obtained through AssumeRole for EC2, install the Secure Agent on an AWS service such as Amazon EC2.
  • The EC2 role attached to the AWS EC2 service must not have direct access to Amazon Redshift; it only needs permission to assume another IAM role.
  • The IAM role that the EC2 role assumes must have both a permission policy and a trust policy attached to it.
To configure an EC2 role to assume the IAM role provided in the Redshift IAM Role ARN connection property, select the Use EC2 Role to Assume Role check box in the connection properties.
EC2 service role trust policy
The following is a sample trust policy defined in the trust relationship of the EC2 role attached to the EC2 instance:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
The following is a sample trust policy of the Redshift IAM role when you enable EC2 assume role. The second statement trusts the EC2 role by its ARN; replace <Account-ID> with the 12-digit account ID that owns the EC2 role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "redshift.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<Account-ID>:role/ec2_role_attached_to_ec2_instance"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
The permission policy that must be attached to the EC2 instance role is the same as the policy defined for the IAM user.
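Before enabling the check box, it is worth confirming offline that the two trust policies actually form the chain described above: the EC2 role must trust the EC2 service, and the Redshift IAM role must trust the EC2 role by its exact ARN, with no wildcard principal slipping in. The following script is an added example written for this page; it is not Informatica or AWS code. The account ID, role names and policy documents are constructed placeholders mirroring the samples above, and the function names are the example's own.

```python
"""Validate the trust relationships for the EC2 -> Redshift IAM role AssumeRole chain.

Added example for this page, not connector or AWS code. All values below are
constructed placeholders; substitute your own role ARNs and policy documents.
"""
import json
import re

# IAM role ARN shape: arn:<partition>:iam::<12-digit account id>:role/<path and name>
ROLE_ARN_RE = re.compile(r"^arn:aws(?:-[a-z]+)*:iam::(\d{12}):role/([\w+=,.@/-]+)$")

# Constructed sample values (placeholder account id and role name).
ACCOUNT_ID = "123456789012"
EC2_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/ec2_role_attached_to_ec2_instance"

# Trust policy on the EC2 instance role: only the EC2 service may assume it.
EC2_ROLE_TRUST_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Principal": {"Service": "ec2.amazonaws.com"},
                "Action": "sts:AssumeRole"}]}
""")

# Trust policy on the Redshift IAM role: the Redshift service plus the EC2 role ARN.
REDSHIFT_ROLE_TRUST_POLICY = json.loads(f"""
{{"Version": "2012-10-17",
  "Statement": [{{"Effect": "Allow",
                 "Principal": {{"Service": "redshift.amazonaws.com"}},
                 "Action": "sts:AssumeRole"}},
                {{"Effect": "Allow",
                 "Principal": {{"AWS": "{EC2_ROLE_ARN}"}},
                 "Action": "sts:AssumeRole"}}]}}
""")


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _statements(policy):
    return _as_list(policy.get("Statement", []))


def _allows_assume_role(stmt, principal_key, principal_value):
    """True if this statement lets exactly `principal_value` call sts:AssumeRole."""
    if stmt.get("Effect") != "Allow":
        return False
    if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
        return False
    principal = stmt.get("Principal", {})
    if not isinstance(principal, dict):  # a bare "*" is reported by wildcard_principals()
        return False
    return principal_value in _as_list(principal.get(principal_key, []))


def ec2_role_trusts_ec2_service(policy):
    """The instance role must let ec2.amazonaws.com assume it."""
    return any(_allows_assume_role(s, "Service", "ec2.amazonaws.com") for s in _statements(policy))


def redshift_role_trusts_ec2_role(policy, ec2_role_arn):
    """The Redshift IAM role must trust the EC2 role by a well-formed ARN."""
    if not ROLE_ARN_RE.match(ec2_role_arn):
        raise ValueError(f"malformed IAM role ARN: {ec2_role_arn}")
    return any(_allows_assume_role(s, "AWS", ec2_role_arn) for s in _statements(policy))


def wildcard_principals(policy):
    """Allow statements that trust any principal; none should appear in this chain."""
    found = []
    for s in _statements(policy):
        if s.get("Effect") != "Allow":
            continue
        principal = s.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            found.append(s)
    return found


def validate_chain(ec2_trust, redshift_trust, ec2_role_arn):
    """Summarise whether the two trust policies form the expected chain."""
    return {
        "ec2_role_trusts_ec2_service": ec2_role_trusts_ec2_service(ec2_trust),
        "redshift_role_trusts_ec2_role": redshift_role_trusts_ec2_role(redshift_trust, ec2_role_arn),
        "wildcard_principals": len(wildcard_principals(ec2_trust)) + len(wildcard_principals(redshift_trust)),
    }


if __name__ == "__main__":
    print(json.dumps(validate_chain(EC2_ROLE_TRUST_POLICY, REDSHIFT_ROLE_TRUST_POLICY, EC2_ROLE_ARN), indent=2))
```

The ARN check rejects the shape `arn:aws:iam::<Account-ID:role>/...` that a copy-and-paste error can produce, which IAM would also refuse at policy save time; the wildcard count catches the more dangerous mistake of trusting `"AWS": "*"` to make the chain "work", which would let any AWS principal assume the Redshift role.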
