Redshift Configuration (AWS)
The steps below detail how to configure Qrvey to access Redshift clusters for loading data into Qrvey for data analysis. These changes allow Qrvey to access the cluster and enable the cluster to export data to S3 for access by Qrvey.
1. Create a New Secret for the Redshift Cluster
For Standard Redshift Clusters:
- Open the AWS console.
- Use the Redshift AWS account.
- Open AWS Secrets Manager.
- Create a new secret:
- Select Credentials for a Redshift cluster.
- Specify the User name and Password for the Redshift cluster.
- Select the DB Cluster.
- Select Next.
- Enter a secret name (for example,
RedshiftClusterSecret). - Select Next.
- Optionally configure automatic rotation, if desired.
- Select Next and then Store.
Note the secret's ARN string for later use.
For Redshift Serverless Mode:
-
Open the AWS console.
-
Use the Redshift AWS account.
-
Open AWS Secrets Manager.
-
Create a new secret:
- Select Other type of secret.
- Specify key/value pairs using the Plaintext feature. Example:
{
"username": "MY_USERNAME",
"password": "MY_PASSWORD",
"engine": "redshift",
"host": "default.MY_ACCOUNT.us-east-1.redshift-serverless.amazonaws.com",
"port": 5439,
"workgroupName": "default"
} -
Select Next and then Store.
Note the secret's ARN string for later use.
2. Set Permissions for the Kubernetes Cluster
-
Use the Qrvey AWS account.
-
Open Amazon Elastic Kubernetes Service.
-
Select Clusters and select the Qrvey Kubernetes cluster name.
-
Go to the Access tab and locate the Pod Identity associations section.
-
Open the associated IAM role.
-
Select Add inline policy.
-
Switch to the JSON tab and paste the following policy, replacing
{AWS_ACCOUNT_REDSHIFT}with the AWS account number for the Redshift cluster:{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"sts:AssumeRole",
"sts:TagSession"
],
"Resource": [
"arn:aws:iam::{AWS_ACCOUNT_REDSHIFT}:role/RedshiftDataAccessRole"
]
}
]
}
3. Add a Trust Relationship for the Role DbDatasourceExportToS3Role
-
In the Qrvey AWS account, open IAM.
-
Search for the export role containing
DbDatasourceExportToS3Role. -
Note the ARN of the role for later use.
-
Select the Trust relationships tab and then Edit trust relationship.
-
Paste the following trust relationship, replacing the appropriate ARN:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::{AWS_ACCOUNT_REDSHIFT}:role/RedshiftDataAccessRole"
]
},
"Action": "sts:AssumeRole"
}
]
} -
Save the trust relationship.
4. Create a New Policy
- Switch to the Redshift AWS account.
- Open AWS Identity and Access Management (IAM).
- Select Policies and then Create policy.
- Switch to the JSON tab and paste the following policy, replacing the appropriate ARNs:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"redshift-data:GetStatementResult",
"redshift-data:CancelStatement",
"redshift-data:ExecuteStatement",
"redshift-data:ListTables",
"redshift:GetClusterCredentials",
"redshift:GetClusterCredentialsWithIAM"
],
"Resource": "arn:aws:redshift:<awsRegion>:<accountId>:cluster:<clusterName>"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"redshift-data:DescribeStatement"
],
"Resource": [
"*"
]
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"{SECRET_ARN}"
]
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": [
"sts:AssumeRole",
"sts:TagSession"
],
"Resource": [
"{EXPORT_TO_S3_ARN}"
]
}
]
}
- Select Next: Tags, then Next: Review.
- Name the policy (for example,
RedshiftDataAccessPolicy) and select Create policy.
5. Create a New Role
- In the Redshift AWS account, open IAM.
- Select Roles and then Create Role.
- Select service Redshift and then Redshift - Customizable.
- Select Next: Permissions.
- Find and select the
RedshiftDataAccessPolicycreated earlier. - Select Next: Tags, then Next: Review.
- Enter a role name (for example,
RedshiftDataAccessRole) and select Create Role. - Note the role's ARN string for later use.
6. Add a Trust Relationship to the New Role
-
Open the Trust relationships tab for the new role.
-
Select Edit trust relationship.
-
Paste the following trust relationship:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::{QRVEY_AWS_ACCOUNT}:root"
]
},
"Action": [
"sts:AssumeRole",
"sts:TagSession"
]
},
{
"Effect": "Allow",
"Principal": {
"Service": "pods.eks.amazonaws.com"
},
"Action": [
"sts:AssumeRole",
"sts:TagSession"
]
},
{
"Effect": "Allow",
"Principal": {
"Service": "redshift.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
} -
Select Update Trust Policy.
7. Associate the Redshift Cluster with the New Role
- Open AWS Redshift.
- Select the desired cluster.
- Go to the Properties tab.
- Select Manage IAM roles.
- Select Enter ARN and input the ARN of the newly created role.
- Select Associate IAM Role and then Save changes.
8. Configure the Qrvey Application
- Open the Qrvey application.
- Navigate to Datasets > Connections.
- Create a new connection for Redshift.
- Enter the secret ARN and role ARN created earlier.
- Test the new connection.
Debugging
Connection Test Timeout Error
This error occurs when the Postgres driver cannot connect to Redshift during the connection test. If Qrvey is in a different account, ensure a VPC is configured for DBDatasourcePump.
Not Authorized to Assume IAM Role
Error in Redshift SQL UNLOAD command: ERROR: User
arn:aws:redshift:{region}:{AccountId}:{user}:{redshift_account}/{user} is not authorized to assume IAM
Role arn:aws:iam::{AccountId}:role/RedshiftDataAccessRole,arn:aws:iam::{AccountId}:role/
{env}_dataload_DbDatasourceExportToS3Role.
This error occurs when the trust relationship for the role DbDatasourceExportToS3Role is not set. Refer to Step 3 above.