Redshift Configuration (AWS)
The steps below detail how to configure Qrvey to access Redshift clusters for loading data into Qrvey for data analysis. These changes allow Qrvey to access the cluster and enable the cluster to export data to S3 for access by Qrvey.
1. Create a New Secret for the Redshift Cluster
For Standard Redshift Clusters:
- Open the AWS console.
- Use the Redshift AWS account.
- Open AWS Secrets Manager.
- Create a new secret:
- Select Credentials for a Redshift cluster.
- Specify the User name and Password for the Redshift cluster.
- Select the DB Cluster.
- Click Next.
- Enter a secret name (e.g.,
RedshiftClusterSecret). - Click Next.
- Optionally configure automatic rotation, if desired.
- Click Next and then Store.
Note the secret's ARN string for later use.
For Redshift Serverless Mode:
-
Open the AWS console.
-
Use the Redshift AWS account.
-
Open AWS Secrets Manager.
-
Create a new secret:
- Select Other type of secret.
- Specify key/value pairs using the Plaintext feature. Example:
{
"username": "MY_USERNAME",
"password": "MY_PASSWORD",
"engine": "redshift",
"host": "default.MY_ACCOUNT.us-east-1.redshift-serverless.amazonaws.com",
"port": 5439,
"workgroupName": "default"
} -
Click Next and then Store.
Note the secret's ARN string for later use.
2. Set Permissions for the Kubernetes Cluster
-
Use the Qrvey AWS account.
-
Open Amazon Elastic Kubernetes Service.
-
Click Clusters and select the Qrvey Kubernetes cluster name.
-
Go to the Access tab and locate the Pod Identity associations section.
-
Open the associated IAM role.
-
Click Add inline policy.
-
Switch to the JSON tab and paste the following policy, replacing
{AWS_ACCOUNT_REDSHIFT}with the AWS account number for the Redshift cluster:{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"sts:AssumeRole",
"sts:TagSession"
],
"Resource": [
"arn:aws:iam::{AWS_ACCOUNT_REDSHIFT}:role/RedshiftDataAccessRole"
]
}
]
}
3. Add a Trust Relationship for the Role DbDatasourceExportToS3Role
-
In the Qrvey AWS account, open IAM.
-
Search for the export role containing
DbDatasourceExportToS3Role. -
Note the ARN of the role for later use.
-
Click the Trust relationships tab and then Edit trust relationship.
-
Paste the following trust relationship, replacing the appropriate ARN:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::{AWS_ACCOUNT_REDSHIFT}:role/RedshiftDataAccessRole"
]
},
"Action": "sts:AssumeRole"
}
]
} -
Save the trust relationship.
4. Create a New Policy
- Switch to the Redshift AWS account.
- Open AWS Identity and Access Management (IAM).
- Click Policies and then Create policy.
- Switch to the JSON tab and paste the following policy, replacing the appropriate ARNs:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"redshift-data:GetStatementResult",
"redshift-data:CancelStatement",
"redshift-data:ExecuteStatement",
"redshift-data:ListTables",
"redshift:GetClusterCredentials",
"redshift:GetClusterCredentialsWithIAM"
],
"Resource": "arn:aws:redshift:<awsRegion>:<accountId>:cluster:<clusterName>"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"redshift-data:DescribeStatement"
],
"Resource": [
"*"
]
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": [
"{SECRET_ARN}"
]
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": [
"sts:AssumeRole",
"sts:TagSession"
],
"Resource": [
"{EXPORT_TO_S3_ARN}"
]
}
]
}
- Click Next: Tags, then Next: Review.
- Name the policy (e.g.,
RedshiftDataAccessPolicy) and click Create policy.
5. Create a New Role
- In the Redshift AWS account, open IAM.
- Click Roles and then Create Role.
- Select service Redshift and then Redshift - Customizable.
- Click Next: Permissions.
- Find and select the
RedshiftDataAccessPolicycreated earlier. - Click Next: Tags, then Next: Review.
- Enter a role name (e.g.,
RedshiftDataAccessRole) and click Create Role. - Note the role's ARN string for later use.
6. Add a Trust Relationship to the New Role
-
Open the Trust relationships tab for the new role.
-
Click Edit trust relationship.
-
Paste the following trust relationship:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::{QRVEY_AWS_ACCOUNT}:root"
]
},
"Action": [
"sts:AssumeRole",
"sts:TagSession"
]
},
{
"Effect": "Allow",
"Principal": {
"Service": "pods.eks.amazonaws.com"
},
"Action": [
"sts:AssumeRole",
"sts:TagSession"
]
},
{
"Effect": "Allow",
"Principal": {
"Service": "redshift.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
} -
Click Update Trust Policy.
7. Associate the Redshift Cluster with the New Role
- Open AWS Redshift.
- Select the desired cluster.
- Go to the Properties tab.
- Click Manage IAM roles.
- Select Enter ARN and input the ARN of the newly created role.
- Click Associate IAM Role and then Save changes.
8. Configure the Qrvey Application
- Open the Qrvey application.
- Navigate to Datasets > Connections.
- Create a new connection for Redshift.
- Enter the secret ARN and role ARN created earlier.
- Test the new connection.
Debugging
Connection Test Timeout Error
This error occurs when the Postgres driver cannot connect to Redshift during the connection test. If Qrvey is in a different account, ensure a VPC is configured for DBDatasourcePump.
Not Authorized to Assume IAM Role
Error in Redshift SQL UNLOAD command: ERROR: User
arn:aws:redshift:{region}:{AccountId}:{user}:{redshift_account}/{user} is not authorized to assume IAM
Role arn:aws:iam::{AccountId}:role/RedshiftDataAccessRole,arn:aws:iam::{AccountId}:role/
{env}_dataload_DbDatasourceExportToS3Role.
This error occurs when the trust relationship for the role DbDatasourceExportToS3Role is not set. Refer to Step 3 above.