Connect to Amazon Redshift - AWS App Studio

AWS App Studio is in preview and is subject to change.

Connect to Amazon Redshift

To connect App Studio with Amazon Redshift to enable builders to access and use Amazon Redshift resources in applications, you must perform the following steps:

Create and configure Amazon Redshift resources

Use the following procedure to create and configure Amazon Redshift resources to be used with App Studio.

To set up Amazon Redshift for use with App Studio
  1. Sign in to the AWS Management Console and open the Amazon Redshift console at https://console.aws.amazon.com/redshiftv2/.

    We recommend using the administrative user created in Create an administrative user for managing AWS resources.

  2. Create a Redshift Serverless data warehouse or a provisioned cluster. For more information, see Creating a data warehouse with Redshift Serverless or Creating a cluster in the Amazon Redshift User Guide.

  3. Once provisioning is complete, choose Query Data to open the query editor. Connect to your database.

  4. Change the following settings:

    1. Set Isolated session toggle to OFF. This is needed so that you can see data changes made by other users, such as from a running App Studio application.

    2. Choose the “gear” icon. Choose Account settings. Increase Maximum concurrent connections to 10. This is the limit on the number of query editor sessions that can connect to an Amazon Redshift database. It does not apply to other clients such as App Studio applications.

  5. Create your data tables under the public schema. INSERT any initial data into these tables.

  6. Run the following commands in query editor:

    CREATE USER "IAMR:AppBuilderDataAccessRole" WITH PASSWORD DISABLE;
    GRANT ALL ON ALL TABLES IN SCHEMA public to "IAMR:AppBuilderDataAccessRole";

Create an IAM role to give App Studio access to Amazon Redshift resources

To use Amazon Redshift resources with App Studio, administrators must create an IAM role to give App Studio permissions to access the resources. The IAM role controls the scope of data that builders can use and what operations can be called against that data, such as Create, Read, Update, or Delete.

We recommend creating at least one IAM role per service and policy. For example, if builders are creating two applications backed by the same tables in Amazon Redshift, one that requires only read access and one that requires read, create, update, and delete access, an administrator should create two IAM roles: one with read-only permissions and one with full CRUD permissions to the applicable tables in Amazon Redshift.

To create an IAM role to give App Studio access to Amazon Redshift resources
  1. Sign in to the IAM console with a user that has permissions to create IAM roles. We recommend using the administrative user created in Create an administrative user for managing AWS resources.

  2. In the navigation pane of the console, choose Roles and then choose Create role.

  3. In Trusted entity type, choose Custom trust policy.

  4. Replace the default policy with the following policy to allow App Studio applications to assume this role in your account.

    You must replace 111122223333 with the AWS account number of the account used to set up the App Studio instance.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::111122223333:root"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "aws:PrincipalTag/IsAppStudioAccessRole": "true"
            }
          }
        }
      ]
    }

    Choose Next.

  5. In Add permissions, search for and select the policies that grant the appropriate permissions for the role. Choosing the + next to a policy expands it to show the permissions it grants, and choosing the checkbox selects the policy.

    For Amazon Redshift, you may consider adding the following policies:

    • AmazonRedshiftFullAccess: Grants full access to all Amazon Redshift resources. Additionally, this policy grants full access to all Redshift Serverless resources.

    • AmazonRedshiftDataFullAccess: Grants full access to the Redshift Data API operations and resources.

    For more information about using IAM policies with Amazon Redshift, including a list of managed policies and their descriptions, see Using identity-based policies (IAM policies) for Amazon Redshift in the Amazon Redshift Management Guide.

    Choose Next.

  6. In Role details, provide a name and description.

  7. In Step 3: Add tags, choose Add new tag to add the following tag to provide App Studio access:

    • Key: IsAppStudioDataAccessRole

    • Value: true

  8. Choose Create role and make note of the generated Amazon Resource Name (ARN). You will need it when creating the Amazon Redshift connector in App Studio.

Create Amazon Redshift connector

To create a connector for Amazon Redshift
  1. Navigate to App Studio.

  2. In the left-side navigation pane, choose Connectors in the Manage section. You will be taken to a page displaying a list of existing connectors with some details about each.

  3. Choose + Create connector.

  4. Choose the Amazon Redshift connector.

  5. Configure your connector by filling out the following fields:

    • Name: Provide a name for your connector.

    • Description: Provide a description for your connector.

    • IAM Role: Enter the Amazon Resource Name (ARN) from the IAM role created in Create an IAM role to give App Studio access to Amazon Redshift resources. For more information about IAM, see the IAM User Guide.

    • Region: Choose the AWS Region where your Amazon Redshift resources are located.

    • Compute type: Choose if you are using Amazon Redshift Serverless or a provisioned cluster.

    • Cluster or Workgroup selection: If Provisioned is chosen, choose the cluster you want to connect to App Studio. If Serverless is chosen, choose the workgroup.

    • Database selection: Choose the database you want to connect to App Studio.

    • Available tables: Select the tables you want to connect to App Studio.

  6. Choose Next. Review the connection information and choose Create.

  7. The newly created connector will appear in the connectors list.

Required IAM permissions for Amazon Redshift

The following table contains the minimum permissions that an IAM role must contain to use Amazon Redshift resources with App Studio. For more information about creating customer managed policies and attaching them to an IAM role, see Create IAM policies (console).

Access type and required permissions

Read only (Provisioned)

    • redshift:DescribeClusters
    • redshift:GetClusterCredentialsWithIAM
    • redshift-data:ListDatabases
    • redshift-data:ListTables
    • redshift-data:DescribeTable

Full access (Provisioned)

    • redshift:DescribeClusters
    • redshift:GetClusterCredentialsWithIAM
    • redshift-data:ListDatabases
    • redshift-data:ListTables
    • redshift-data:DescribeTable
    • redshift-data:DescribeStatement
    • redshift-data:ExecuteStatement
    • redshift-data:GetStatementResult

Read only (Serverless)

    • redshift-serverless:ListNamespaces
    • redshift-serverless:GetCredentials
    • redshift-serverless:ListWorkgroups
    • redshift-data:ListDatabases
    • redshift-data:ListTables
    • redshift-data:DescribeTable

Full access (Serverless)

    • redshift-serverless:ListNamespaces
    • redshift-serverless:GetCredentials
    • redshift-serverless:ListWorkgroups
    • redshift-data:ListDatabases
    • redshift-data:ListTables
    • redshift-data:DescribeTable
    • redshift-data:DescribeStatement
    • redshift-data:ExecuteStatement
    • redshift-data:GetStatementResult
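
The following Python check is an added example, not part of the AWS documentation: it compares the Allow statements of an identity policy against the minimum permissions listed above and reports which required actions are missing and which granted patterns go beyond the minimum. The names audit and REQUIRED and both sample policies are constructed for illustration; the check looks only at Effect and Action and ignores Deny, NotAction, Resource and Condition.

```python
from fnmatch import fnmatchcase

# Minimum actions per access type, copied from the table on this page.
_READ = ["redshift-data:ListDatabases", "redshift-data:ListTables",
         "redshift-data:DescribeTable"]
_WRITE = ["redshift-data:DescribeStatement", "redshift-data:ExecuteStatement",
          "redshift-data:GetStatementResult"]
_PROVISIONED = ["redshift:DescribeClusters", "redshift:GetClusterCredentialsWithIAM"]
_SERVERLESS = ["redshift-serverless:ListNamespaces", "redshift-serverless:GetCredentials",
               "redshift-serverless:ListWorkgroups"]
REQUIRED = {
    "read-only-provisioned": _PROVISIONED + _READ,
    "full-provisioned": _PROVISIONED + _READ + _WRITE,
    "read-only-serverless": _SERVERLESS + _READ,
    "full-serverless": _SERVERLESS + _READ + _WRITE,
}

def _listify(value):
    """IAM allows a single statement or action in place of a list."""
    return value if isinstance(value, list) else [value]

def allowed_patterns(policy):
    """Collect the Action patterns of every Allow statement."""
    patterns = []
    for stmt in _listify(policy["Statement"]):
        if stmt.get("Effect") == "Allow":
            patterns += _listify(stmt.get("Action", []))
    return patterns

def audit(policy, access_type):
    """Return (missing required actions, granted patterns beyond the minimum)."""
    required = REQUIRED[access_type]
    patterns = allowed_patterns(policy)
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    missing = [a for a in required
               if not any(fnmatchcase(a.lower(), p.lower()) for p in patterns)]
    wanted = {a.lower() for a in required}
    excess = [p for p in patterns if p.lower() not in wanted]
    return missing, excess

# Constructed sample policies (hypothetical, not AWS managed policies).
MINIMAL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": REQUIRED["read-only-serverless"], "Resource": "*"}]}
BROAD = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Resource": "*",
    "Action": ["redshift-data:*", "redshift-serverless:List*"]}}

if __name__ == "__main__":
    print(audit(MINIMAL, "read-only-serverless"))
    print(audit(BROAD, "read-only-serverless"))
```

An empty pair means the policy grants exactly the listed minimum for that access type; any entry in the second list is a wildcard or extra action to review before attaching the policy to the role.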