Configure Redshift, Snowflake, and Postgres during Migration
Before You Begin: Identify any custom roles assigned to your Serverless instance for Redshift, Snowflake, or Postgres. Locate the
<instanceId>_dataload_drDataSourcePumpserverless instance Lambda, replacinginstanceIdwith the instance ID of your Qrvey platform. Select Configuration > Permissions and open the execution role in a new window. Identify and open any custom policies related to the Redshift, Snowflake, or Postgres databases so the information can be retrieved later.
1. Access the Qrvey Kubernetes Cluster
- Log in to the Qrvey AWS account.
- Open the Amazon Elastic Kubernetes Service (EKS) console.
- Navigate to Clusters.
- Select the appropriate Qrvey Kubernetes cluster.
- Go to the Access tab.
- Scroll down to the Pod Identity associations section.
- Open the associated IAM Role.
2. Add Inline Policies to the Pod Identity Role
For each data source (Redshift, Snowflake, and Postgres), you must add the corresponding IAM policy to the Pod Identity role.
IAM Policy for Redshift
- In the Pod Identity IAM Role, click Add inline policy.
- Go to the JSON tab.
- Paste the following policy, replacing
{AWS_ACCOUNT_REDSHIFT}with the Redshift AWS account number:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"sts:AssumeRole",
"sts:TagSession"
],
"Resource": [
"arn:aws:iam::{AWS_ACCOUNT_REDSHIFT}:role/RedshiftDataAccessRole"
]
}
]
}
- Locate the IAM role named:
<instanceID>_dataload_DbDatasourceExportToS3Role_MP
- Go to the Trust Relationships tab.
- Add or update the following trust policy, replacing
{AWS_ACCOUNT_REDSHIFT}with your actual values:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::{AWS_ACCOUNT_REDSHIFT}:role/RedshiftDataAccessRole"
},
"Action": [
"sts:AssumeRole",
"sts:TagSession"
]
},
{
"Effect": "Allow",
"Principal": {
"Service": "redshift.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
- Save the Pod Identity IAM Role.
- Update the
RedshiftDataAccessRolein the Redshift account by adding the following statement to its policy:
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"sts:AssumeRole",
"secretsmanager:GetSecretValue",
"sts:TagSession"
],
"Resource": [
"arn:aws:iam::767397749050:role/pbqxz_dataload_DbDatasourceExportToS3Role_MP"
]
}
IAM Policy for Snowflake
- In the Pod Identity IAM Role, click Add inline policy.
- Open the JSON tab and paste the following policy, replacing
<SECRET_ARN>and<KMS_KEY_ARN>with your actual values:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "getSecretValue",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"<SECRET_ARN>"
]
},
{
"Sid": "getPublicKey",
"Effect": "Allow",
"Action": [
"kms:GetPublicKey",
"kms:Sign"
],
"Resource": ["<KMS_KEY_ARN>"]
}
]
}
- Save the Pod Identity IAM Role.
IAM Policy for Postgres
- In the Pod Identity IAM Role, click Add inline policy.
- Open the JSON tab and paste the following policy, replacing
{AWS_ACCOUNT_POSTGRES}with your actual values:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"sts:AssumeRole",
"sts:TagSession"
],
"Resource": [
"arn:aws:iam::{AWS_ACCOUNT_POSTGRES}:role/rds-s3-export-role"
]
}
}
- Save the Pod Identity IAM Role.
- Go to the Trust Relationships tab.
- Add or update the following trust policy, replacing
{AWS_ACCOUNT_POSTGRES}with your actual values:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"sts:AssumeRole",
"sts:TagSession"
],
"Resource": [
"arn:aws:iam::{AWS_ACCOUNT_POSTGRES}:role/rds-s3-export-role"
]
}
}
- Save
Restart Services
Restart the services to apply the Redshift, Snowflake, and Postgres permissions:
# Be sure to replace linux/amd64 with your actual platform type.
docker run --platform=linux/amd64 -v $(pwd)/config.json:/app/qrvey/config.json -it --rm qrvey.azurecr.io/qrvey-terraform-aws:${qrvey_version} restart