Carlos Eduardo Abrantes
Reputation: 53
Is it possible to access Redshift with an IAM role from another account? how?
We’re trying to implement Redshift with authentication via SAML.
In our case, we have many AWS accounts and the Redshift cluster is in one of them. We need to viabilize the access via roles from these accounts to the one that hosts the cluster. Discarding the necessity of having to manage user/password.
The way we implemented it’s already possible to login using IAM roles, but we still need the cross-account.
Does anyone knows if it's possible ?
Upvotes: 0
Views: 2790
Answers (1)
John Rotenstein
Reputation: 269746
Since you already have signin working with IAM roles, the process would be:
- Amazon Redshift in Account-A
- IAM Role (
Role-A) in Account-A that has:- Permission to access Redshift via IAM (I think it's just permission to call
GetClusterCredentials?) - A Trust Policy allowing the Role to be assumed by specified other accounts (or specific roles in those accounts)
- Permission to access Redshift via IAM (I think it's just permission to call
- Other accounts wanting to access Redshift will:
- Call
AssumeRole()to assumeRole-A - Use the returned temporary credentials to access Redshift using
Role-A
- Call
Thus, Redshift only ever sees a login being requested from Account-A.
Upvotes: 2
Related Questions
- Make a cross account call to Redshift Data API
- AWS Redshift: Masteruser not authorized to assume role
- Create an IAM Role that makes Redshift able to access S3 bucket (ReadOnly)
- Is it possible to attach one role to a redshift cluster and use that for all access?
- AWS IAM Role Access to Redshift:DescribeData
- IAM users access to Amazon Redshift serverless
- Connect to Redshift using Python using IAM Role
- Redshift database user is not authorized to assume IAM Role
- AWS Redshift cross account access
- How can I access data in s3 bucket from one account to process the data using redshift in another account?