Minimum IAM Permissions
Basic AuthScheme does not require IAM roles
Mimimum IAM for Amazon Redshift depends on which AuthScheme or which InsertMode you select. If you choose AuthScheme=Basic, you do not need to define an IAM policy.InsertMode=S3Staging
Insertions with InsertMode=S3Staging require this policy:{ "Version": "2012-10-17", "Statement": [ { "Sid": "InsertModeS3Staging", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetObject", "s3:PutObject" ], "Resource": "*" } ] }This gives users access to buckets and the permission to use get and put on bucket data. You can also restrict an access to specific buckets.
IAMCredentials, ADFS, or PingFederate permissions
AuthScheme = IAMCredentials, ADFS, or PingFederate have two types of users:- IAM users
- IAM role assumed by the identity provider
Each require the policy below for users to connect.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "GettingCredentials", "Effect": "Allow", "Action": [ "redshift:GetClusterCredentials" ], "Resource": "*" } ] }Resources may list
- dbuser
- dbname
- dbgroup
"Resource": [ "arn:aws:redshift:us-west-1:123456789012:dbname:mycluster/exampledb", "arn:aws:redshift:us-west-1:123456789012:dbgroup:mycluster/common_group" ]At a minimum, you need permission for redshift:GetClusterCredentials with access to a dbuser resource.
Additional considerations
IAMCredentialsSetting AuthScheme = IAMCredentials additionally requires:
- redshift:CreateClusterUser when the AutoCreate connection property is set to true
- redshift:JoinGroup when the DbGroups connection property lists groups to join
Setting AuthScheme = ADFS or PingFederate additionally requires redshift:CreateClusterUser