wrschneider
Reputation: 18780
Redshift GetClusterCredentials IAM policy to require DbName
How can I define an IAM policy to effectively require DbName?
What I'm trying to do is only allow GetClusterCredentials calls with a specified, whitelisted DbName. The problem is the DbName argument is optional. I am also specifying the DbUser resource so that I can refer to ${redshift:DbUser} in an IAM policy condition.
Upvotes: 0
Views: 1291
Answers (1)
Vikyol
Reputation: 5655
One of the condition keys GetClusterCredentials supports is redshift:DbName, which can be used to restrict an IAM policy based on database name. For example, the following policy statement should deny the action if the DbName is not set to "test-db".
{
"Sid": "GetClusterCredsStatement",
"Effect": "Allow",
"Action": [
"redshift:GetClusterCredentials"
],
"Resource": [
"arn:aws:redshift:us-west-2:123456789012:dbname:examplecluster/*"
],
"Condition": {
"StringEquals": {
"redshift:DbName": "test-db"
}
}
}
Upvotes: 1
Related Questions
- Create an IAM Role that makes Redshift able to access S3 bucket (ReadOnly)
- AWS IAM Role Access to Redshift:DescribeData
- IAM users access to Amazon Redshift serverless
- EC2 IAM policy permissions for creating a redshift cluster from a snapshot
- redshift:GetClusterCredentials + dbuser + ${aws:username}
- How to acess Amazon AWS redshift using psql client with IAM credentials
- Redshift database user is not authorized to assume IAM Role
- Redshift - Cross account cluster sync-up
- AWS SDK/CLI access error with EC2 Instance credentials for aws redshift create-cluster
- How to store redshift credentials?