We recommend using a Redshift copy role because role-based access control provides more secure, fine-grained control of access to AWS resources and sensitive user data, in addition to safeguarding your AWS credentials.
Datacoral creates an IAM user with an access key that has S3ReadOnly access to your data buckets as part of preparing your AWS account for setting up your installation. This IAM user is used to copy your connector data from S3 into your Redshift cluster. While this is a secure way to copy data into Redshift, it is not completely foolproof because:
- Datacoral is not able to rotate the IAM user's secret keys, as this requires admin privileges on the AWS account.
- Anyone in your organization who has access to this IAM user's access keys will have read/write access to the Redshift cluster.
The alternative to using the IAM user to access Redshift is to create a copy role, which lets Datacoral access your Redshift cluster in a more secure way.
Please follow the step-by-step instructions below to give Datacoral access to your Redshift cluster through a copy role. These steps need to be followed after your AWS account has been prepared. If the existing Redshift cluster is in the same AWS account as the Datacoral account, Datacoral will create a Redshift Copy Role with the correct permissions.
1. Retrieve the Redshift Copy Role ARN
Navigate to the CloudFormation console in AWS and search for "copyrole" to find a successful CloudFormation stack for the Datacoral Redshift Copy Role. Click on Outputs to find the Redshift Copy Role ARN.
2. Modify the Redshift cluster to use the Copy Role
- Navigate to Redshift console at https://console.aws.amazon.com/redshift/.
- In the navigation pane, choose Clusters.
- In the list, choose the cluster whose IAM role associations you want to manage.
- Choose Manage IAM Roles.
- For Available roles, choose the Redshift Copy Role ARN that you looked up in the previous step.
- Choose Apply Changes to update the IAM roles that are associated with the cluster.
3. Delete the S3ReadOnly IAM user
Navigate to the IAM console in AWS and search for a user with the string 'DatacoralS3ReadOnlyUser' in the name. Delete that user from the console.
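The three steps above can be verified outside the console. The following is an added example, not Datacoral's code: it applies the same checks to the response shapes returned by boto3's `cloudformation.describe_stacks()["Stacks"]`, `redshift.describe_clusters()["Clusters"][0]` and `iam.list_access_keys()["AccessKeyMetadata"]`, using constructed sample responses so it runs offline; the output key name `RedshiftCopyRoleArn` and every account, role and key value are assumptions.

```python
# Added example (not Datacoral's code): offline checks for the copy-role
# migration steps, operating on boto3-shaped response dicts. All sample
# values below are constructed; COPYROLE_OUTPUT_KEY is an assumption, read
# the real key from the stack's Outputs tab.

COPYROLE_OUTPUT_KEY = "RedshiftCopyRoleArn"
HEALTHY_STACK = {"CREATE_COMPLETE", "UPDATE_COMPLETE"}

def find_copy_role_arn(stacks):
    """Step 1: ARN from a *successful* stack whose name contains 'copyrole'."""
    for stack in stacks:
        if "copyrole" not in stack["StackName"].lower():
            continue
        if stack["StackStatus"] not in HEALTHY_STACK:
            continue  # failed or rolled-back attempts carry no usable Outputs
        for out in stack.get("Outputs", []):
            if out["OutputKey"] == COPYROLE_OUTPUT_KEY:
                return out["OutputValue"]
    return None

def role_in_sync(cluster, role_arn):
    """Step 2: the association is usable only once ApplyStatus is 'in-sync'."""
    return any(r["IamRoleArn"] == role_arn and r["ApplyStatus"] == "in-sync"
               for r in cluster.get("IamRoles", []))

def user_deletion_blockers(access_keys):
    """Step 3: IAM rejects DeleteUser while access keys exist; list them."""
    return [f"{k['AccessKeyId']} ({k['Status']})" for k in access_keys]

# --- constructed sample responses ---
ROLE_ARN = "arn:aws:iam::111122223333:role/datacoral-copyrole-EXAMPLE"
SAMPLE_STACKS = [
    {"StackName": "datacoral-copyrole-v1", "StackStatus": "ROLLBACK_COMPLETE",
     "Outputs": []},
    {"StackName": "datacoral-copyrole-v2", "StackStatus": "CREATE_COMPLETE",
     "Outputs": [{"OutputKey": COPYROLE_OUTPUT_KEY, "OutputValue": ROLE_ARN}]},
]
SAMPLE_CLUSTER = {"ClusterIdentifier": "analytics",
                  "IamRoles": [{"IamRoleArn": ROLE_ARN, "ApplyStatus": "adding"}]}
SAMPLE_KEYS = [{"AccessKeyId": "AKIAEXAMPLEKEY000001", "Status": "Active"}]

if __name__ == "__main__":
    arn = find_copy_role_arn(SAMPLE_STACKS)
    print("copy role:", arn)
    print("role in sync:", role_in_sync(SAMPLE_CLUSTER, arn))  # False while 'adding'
    print("blockers before DeleteUser:", user_deletion_blockers(SAMPLE_KEYS))
```

Feed the functions live responses to confirm the role is in-sync before deleting the user, so the copy path is never left without credentials.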