Reputation: 1
AWS IAM Role Access to Redshift:DescribeData
I despair of trying to get access to the redshift-data api from a aws lambda function, more specifically 'Redshift-data:DescribeStatement. I can send BatchStatements but I cant receive them, I think it's the condition key that I don't really understand how it works.
The following is my IAM Role Policy:
{
...
{
"Action": [
"redshift-data:BatchExecuteStatement"
],
"Resource": "arn:aws:redshift:eu-central-1:____________:cluster:a-cluster-name",
"Effect": "Allow",
"Sid": "RedshiftExecutionAccess"
},
{
"Condition": {
"StringLike": {
"redshift-data:statement-owner-iam-userid": [
"*"
]
}
},
"Action": [
"redshift-data:DescribeStatement"
],
"Resource": "arn:aws:redshift:eu-central-1:____________:cluster:a-cluster-name",
"Effect": "Allow",
"Sid": "RedshiftResultAccess"
}
}
generated by the following serverless statement:
...
- Sid: 'RedshiftExecutionAccess'
Effect: 'Allow'
Action: 'redshift-data:BatchExecuteStatement'
Resource: 'arn:aws:redshift:eu-central-1:____________:cluster:a-cluster-name'
- Sid: 'RedshiftResultAccess'
Effect: 'Allow'
Action: 'redshift-data:DescribeStatement'
Resource: 'arn:aws:redshift:eu-central-1:____________:cluster:a-cluster-name'
Condition:
StringLike:
redshift-data:statement-owner-iam-userid:
- '*'
As said the BatchExecuteStatement passes, but the DescribeStatement fails and I am not sure the Condition-Setting is the problem at all. The Exception:
com.amazonaws.services.redshiftdataapi.model.AWSRedshiftDataAPIException: User: arn:aws:sts::____________:assumed-role/redshift-access-role/TrialUserImporter-dev-importer is not authorized to perform: redshift-data:DescribeStatement because no identity-based policy allows the redshift-data:DescribeStatement action (Service: AWSRedshiftDataAPI; Status Code: 400; Error Code: AccessDeniedException; Request ID: 20a9533e-e4a1-4d0b-870b-ac15431e554f; Proxy: null)
Does anybody have an idea how I can fix this? Thanks in advance
Upvotes: 0
Views: 3232
Answers (1)
Reputation: 31
I used resource as "*" and it worked see snippet
{
"Sid": "DataAPIIAMSessionPermissionsRestriction",
"Action": [
"redshift-data:GetStatementResult",
"redshift-data:CancelStatement",
"redshift-data:DescribeStatement",
"redshift-data:ListStatements"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"StringEquals": {
"redshift-data:statement-owner-iam-userid": "${aws:userid}"
}
}
}
from https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-identity-based.html
Upvotes: 3
Related Questions
- AWS Redshift: Masteruser not authorized to assume role
- Create an IAM Role that makes Redshift able to access S3 bucket (ReadOnly)
- Using AWS Redshift Data API to access RedshiftServerless
- IAM users access to Amazon Redshift serverless
- Can I attach IAM role and security group to AWS RedShift in free trial?
- Redshift database user is not authorized to assume IAM Role
- Is it possible to access Redshift with an IAM role from another account? how?
- How to access Redshift from a Lambda from a VPC in a different account
- AWS Lambda gets 'Access Denied' error when calling Redshift 'CreateCluster' operation even when IAM role has full Redshift permission
- Accessing Redshift from Lambda - Avoiding the 0.0.0.0/0 Security Group