ADO.NET Provider for Amazon Redshift

Build 24.0.9062

Minimum IAM Permissions

Basic AuthScheme does not require IAM roles

The minimum IAM permissions for Amazon Redshift depend on which AuthScheme and which InsertMode you select. If you choose AuthScheme=Basic, no IAM policy is needed at all.

InsertMode=S3Staging

Insertions with InsertMode=S3Staging require this policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "InsertModeS3Staging",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "*"
        }
    ]
}
This grants the ability to list buckets and to get and put objects in them. As written, with "Resource": "*", it covers every bucket in the account. To restrict access to the staging bucket only, replace "*" with the bucket ARN (arn:aws:s3:::bucket-name) for s3:ListBucket and the object ARN (arn:aws:s3:::bucket-name/prefix/*) for s3:GetObject and s3:PutObject.

IAMCredentials, ADFS, or PingFederate permissions

With AuthScheme = IAMCredentials, ADFS, or PingFederate, the connecting principal is one of two types:

  • an IAM user
  • an IAM role assumed through the identity provider

Either type requires the policy below in order to connect.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GettingCredentials",
            "Effect": "Allow",
            "Action": [
                "redshift:GetClusterCredentials"
            ],
            "Resource": "*"
        }
    ]
}
The Resource element may name ARNs of the following types to narrow the grant:

  • dbuser
  • dbname
  • dbgroup

At a minimum, redshift:GetClusterCredentials must be allowed on a dbuser resource (arn:aws:redshift:region:account-id:dbuser:cluster-name/database-user-name). The dbname and dbgroup ARNs are optional additional restrictions. For example, the following entries limit the grant to one database and one group on the cluster:
"Resource": [
        "arn:aws:redshift:us-west-1:123456789012:dbname:mycluster/exampledb",
        "arn:aws:redshift:us-west-1:123456789012:dbgroup:mycluster/common_group"
]

Additional considerations

IAMCredentials

Setting AuthScheme = IAMCredentials additionally requires:

  • redshift:CreateClusterUser when the AutoCreate connection property is set to true
  • redshift:JoinGroup when the DbGroups connection property lists groups to join

ADFS or PingFederate

Setting AuthScheme = ADFS or PingFederate additionally requires redshift:CreateClusterUser.
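The following Python script is an added example, not code from CData or from this page. It assembles the two policies described above, the InsertMode=S3Staging policy and the GetClusterCredentials policy, but scoped to a single staging bucket and a single cluster instead of "*", and adds redshift:CreateClusterUser and redshift:JoinGroup only when the AuthScheme, AutoCreate, or DbGroups setting calls for them. The region, account ID, cluster, bucket, user and group names are placeholders; the wildcard_statements helper is a lint of my own that flags any Allow statement still granted on "*".

```python
"""Build least-privilege IAM policy documents for the Redshift provider.

Added example (not CData's own code). Region, account ID, cluster name,
bucket name, database user and group names below are illustrative
placeholders, not real resources.
"""
import json

REGION = "us-west-1"        # placeholder
ACCOUNT = "123456789012"    # placeholder


def s3_staging_policy(bucket: str, prefix: str = "") -> dict:
    """Policy for InsertMode=S3Staging restricted to one bucket/prefix.

    s3:ListBucket is a bucket-level action and needs the bucket ARN;
    s3:GetObject and s3:PutObject are object-level and need the object ARN
    (bucket/prefix/*). Granting all three on "*" would let the provider
    read and write every bucket in the account.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    key_prefix = (prefix.strip("/") + "/") if prefix else ""
    object_arn = f"{bucket_arn}/{key_prefix}*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "S3StagingListBucket", "Effect": "Allow",
             "Action": ["s3:ListBucket"], "Resource": bucket_arn},
            {"Sid": "S3StagingObjects", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": object_arn},
        ],
    }


def cluster_credentials_policy(cluster: str, db_user: str, db_name: str = None,
                               db_groups=(), auth_scheme: str = "IAMCredentials",
                               auto_create: bool = False) -> dict:
    """Policy for AuthScheme=IAMCredentials, ADFS or PingFederate.

    redshift:GetClusterCredentials on the dbuser ARN is the mandatory
    minimum; dbname and dbgroup ARNs narrow it further. CreateClusterUser
    is added for ADFS/PingFederate, or for IAMCredentials with
    AutoCreate=true; JoinGroup only when DbGroups lists groups.
    """
    base = f"arn:aws:redshift:{REGION}:{ACCOUNT}"
    user_arn = f"{base}:dbuser:{cluster}/{db_user}"
    group_arns = [f"{base}:dbgroup:{cluster}/{g}" for g in db_groups]
    resources = [user_arn]
    if db_name:
        resources.append(f"{base}:dbname:{cluster}/{db_name}")
    resources += group_arns
    statements = [{"Sid": "GettingCredentials", "Effect": "Allow",
                   "Action": ["redshift:GetClusterCredentials"],
                   "Resource": resources}]
    needs_create = auth_scheme in ("ADFS", "PingFederate") or \
        (auth_scheme == "IAMCredentials" and auto_create)
    if needs_create:
        statements.append({"Sid": "AutoCreateUser", "Effect": "Allow",
                           "Action": ["redshift:CreateClusterUser"],
                           "Resource": user_arn})
    if group_arns:
        statements.append({"Sid": "JoinGroups", "Effect": "Allow",
                           "Action": ["redshift:JoinGroup"],
                           "Resource": group_arns})
    return {"Version": "2012-10-17", "Statement": statements}


def wildcard_statements(policy: dict) -> list:
    """Lint: return the Sids of Allow statements whose Resource is '*'."""
    hits = []
    for st in policy["Statement"]:
        res = st.get("Resource", [])
        res = [res] if isinstance(res, str) else res
        if st.get("Effect") == "Allow" and "*" in res:
            hits.append(st.get("Sid", "<no Sid>"))
    return hits


if __name__ == "__main__":
    print(json.dumps(s3_staging_policy("my-staging-bucket", "redshift/"), indent=2))
    print(json.dumps(cluster_credentials_policy(
        "mycluster", "iam_user", "exampledb", ["common_group"],
        auth_scheme="IAMCredentials", auto_create=True), indent=2))
```

Run it to print both documents; attach the first to the principal the provider uses for S3 staging and the second to the IAM user or the role assumed via ADFS/PingFederate. Running wildcard_statements over the generic "*" policies from this page returns their Sids, while the scoped policies produce an empty list.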

Copyright (c) 2024 CData Software, Inc. - All rights reserved.