
IAM policies for Amazon Redshift Spectrum

By default, Amazon Redshift Spectrum uses the AWS Glue Data Catalog in AWS Regions that support AWS Glue. In other AWS Regions, Redshift Spectrum uses the Athena Data Catalog. Your cluster needs authorization to access your external data catalog in AWS Glue or Athena and your data files in Amazon S3. You provide that authorization by referencing an AWS Identity and Access Management (IAM) role that is attached to your cluster. If you use an Apache Hive metastore to manage your data catalog, you don't need to provide access to Athena. You can chain roles so that your cluster can assume other roles not attached to the cluster. For more information, see Chaining IAM roles in Amazon Redshift Spectrum. The AWS Glue catalog that you access might be encrypted to increase security. If the AWS Glue catalog is encrypted, you need the AWS KMS key for AWS Glue to access the AWS Glue Data Catalog. For more information, see Encrypting Your AWS Glue Data Catalog in the AWS Glue Developer Guide.

Policies to grant or restrict access using Redshift Spectrum.

If you currently have Redshift Spectrum external tables in the Athena Data Catalog, you can migrate your Athena Data Catalog to an AWS Glue Data Catalog. To use the AWS Glue Data Catalog with Redshift Spectrum, you might need to change your IAM policies. For more information, see Upgrading to the AWS Glue Data Catalog in the Athena User Guide.

Amazon S3 permissions

At a minimum, your cluster needs GET and LIST access to your Amazon S3 bucket. If your bucket is not in the same AWS account as your cluster, your bucket must also authorize your cluster to access the data. For more information, see Authorizing Amazon Redshift to Access Other AWS Services on Your Behalf. The Amazon S3 bucket can't use a bucket policy that restricts access only from specific VPC endpoints. The following policy grants GET and LIST access to any Amazon S3 bucket. The policy allows access to Amazon S3 buckets for Redshift Spectrum as well as COPY operations. If you use Athena for your data catalog instead of AWS Glue, the policy requires full Athena access. The following policy grants access to Athena resources. If your external database is in a Hive metastore, you don't need Athena access.

Chaining IAM roles in Amazon Redshift Spectrum

When you attach a role to your cluster, your cluster can assume that role to access Amazon S3, Athena, and AWS Glue on your behalf. If a role attached to your cluster doesn't have access to the necessary resources, you can chain another role, possibly belonging to another account. Your cluster then temporarily assumes the chained role to access the data. You can also grant cross-account access by chaining roles. Each role in the chain assumes the next role in the chain, until the cluster assumes the role at the end of the chain. To chain roles, you establish a trust relationship between the roles. A role that assumes another role must have a permissions policy that allows it to assume the specified role. In turn, the role that passes permissions must have a trust policy that allows it to pass its permissions to another role.
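The two policies that a role-chain hop requires, and a check that each hop is authorized on both sides, as an added example that is not part of the AWS documentation. The role names, account IDs and ARNs are hypothetical placeholders, and the policy documents are constructed here rather than taken from the page.

```python
import json

# Constructed example: RoleA is attached to the cluster in account 111111111111;
# RoleB in account 222222222222 holds the S3/Glue permissions. Both ARNs are
# hypothetical placeholders, not values from the AWS documentation.
ROLE_A = "arn:aws:iam::111111111111:role/RedshiftSpectrumRoleA"
ROLE_B = "arn:aws:iam::222222222222:role/SpectrumDataRoleB"

def trust_policy(principal_arn):
    """Trust policy for the role being assumed: only principal_arn may assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": principal_arn},
        "Action": "sts:AssumeRole"}]}

def assume_role_policy(target_arn):
    """Permissions policy for the assuming role: sts:AssumeRole on target_arn only."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": target_arn}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _allows(policy, action, key, value):
    """True if some Allow statement grants `action` and names `value` under `key`
    ('Resource' for permissions policies, 'Principal' AWS for trust policies)."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or action not in _as_list(stmt.get("Action", [])):
            continue
        field = stmt.get(key) or {}
        if key == "Principal":
            names = _as_list(field.get("AWS", []) if isinstance(field, dict) else field)
        else:
            names = _as_list(field)
        if value in names or "*" in names:
            return True
    return False

def check_chain(chain, trust, perms):
    """Walk a role chain (first ARN attached to the cluster) and return the hops
    that are not authorized on both sides. An empty list means the chain is complete."""
    problems = []
    for src, dst in zip(chain, chain[1:]):
        if not _allows(perms.get(src, {}), "sts:AssumeRole", "Resource", dst):
            problems.append(f"{src} lacks permission to assume {dst}")
        if not _allows(trust.get(dst, {}), "sts:AssumeRole", "Principal", src):
            problems.append(f"{dst} does not trust {src}")
    return problems

if __name__ == "__main__":
    trust = {ROLE_B: trust_policy(ROLE_A)}           # trust policy attached to RoleB
    perms = {ROLE_A: assume_role_policy(ROLE_B)}     # permissions policy attached to RoleA
    print(json.dumps(trust[ROLE_B], indent=2))
    print(check_chain([ROLE_A, ROLE_B], trust, perms))  # []
```

Dropping either policy makes check_chain report the missing side of that hop, which is the usual cause of an AssumeRole failure when the cluster tries to use the chained role.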
