Amazon Redshift will no longer support the creation of new Python UDFs starting Patch 198. Existing Python UDFs will continue to function until June 30, 2026. For more information, see the [ blog post ](https://aws.amazon.com/blogs/big-data/amazon-redshift-python-user-defined-functions-will-reach-end-of-support-after-june-30-2026/).
# Authorizing Amazon Redshift to access AWS services on your behalf
Some Amazon Redshift features require Amazon Redshift to access other AWS services on your behalf. For example, the [COPY](https://docs.aws.amazon.com/redshift/latest/dg/r_COPY.html) and [UNLOAD](https://docs.aws.amazon.com/redshift/latest/dg/r_UNLOAD.html) commands can load or unload data into your Amazon Redshift cluster using an Amazon S3 bucket. The [CREATE EXTERNAL FUNCTION](https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_EXTERNAL_FUNCTION.html) command can invoke an AWS Lambda function using a scalar Lambda user-defined function (UDF). Amazon Redshift Spectrum can use a data catalog in Amazon Athena or AWS Glue. For your Amazon Redshift clusters to act on your behalf, you supply security credentials to your clusters. The preferred method to supply security credentials is to specify an AWS Identity and Access Management (IAM) role. For COPY and UNLOAD, you can provide temporary credentials.
Users need programmatic access if they want to interact with AWS outside of the AWS Management Console. The way to grant programmatic access depends on the type of user that's accessing AWS.
To grant users programmatic access, choose one of the following options.
****
| Which user needs programmatic access? | To | By |
| --- | --- | --- |
| IAM | (Recommended) Use console credentials as temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/redshift/latest/mgmt/authorizing-redshift-service.html) |
| Workforce identity (Users managed in IAM Identity Center) | Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/redshift/latest/mgmt/authorizing-redshift-service.html) |
| IAM | Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions in [Using temporary credentials with AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) in the IAM User Guide. |
| IAM | (Not recommended)Use long-term credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/redshift/latest/mgmt/authorizing-redshift-service.html) |
Following, find out how to create an IAM role with the appropriate permissions to access other AWS services. You also need to associate the role with your cluster and specify the Amazon Resource Name (ARN) of the role when you run the Amazon Redshift command. For more information, see [Authorizing COPY, UNLOAD, CREATE EXTERNAL FUNCTION, and CREATE EXTERNAL SCHEMA operations using IAM rolesAuthorizing operations using IAM roles](copy-unload-iam-role.md).
In addition, a superuser can grant the ASSUMEROLE privilege to specific users and groups to provide access to a role for COPY and UNLOAD operations. For information, see [GRANT](https://docs.aws.amazon.com/redshift/latest/dg/r_GRANT.html) in the *Amazon Redshift Database Developer Guide*.
## Creating an IAM role to allow your Amazon Redshift cluster to access AWS services
## Creating an IAM role with permissions
To create an IAM role to permit your Amazon Redshift cluster to communicate with other AWS services on your behalf, take the following steps. The values used in this section are examples, you can choose values based on your needs.
**To create an IAM role to allow Amazon Redshift to access AWS services**
1. Open the [IAM console](https://console.aws.amazon.com/iam/home?#home).
1. In the navigation pane, choose **Roles**.
1. Choose **Create role**.
1. Choose **AWS service**, and then choose **Redshift**.
1. Under **Select your use case**, choose **Redshift - Customizable** and then choose **Next: Permissions**. The **Attach permissions policy** page appears.
1. For access to Amazon S3 using COPY, as an example, you can use **AmazonS3ReadOnlyAccess** and append. For access to Amazon S3 using COPY or UNLOAD, we suggest that you can create managed policies that restrict access to the desired bucket and prefix accordingly. For both read and write operations, we recommend enforcing the least privileges and restricting to only the Amazon S3 buckets and key prefixes that Amazon Redshift requires.
For access to invoke Lambda functions for the CREATE EXTERNAL FUNCTION command, add **AWSLambdaRole**.
For Redshift Spectrum, in addition to Amazon S3 access, add **AWSGlueConsoleFullAccess** or **AmazonAthenaFullAccess**.
Choose **Next: Tags**.
1. The **Add tags** page appears. You can optionally add tags. Choose **Next: Review**.
1. For **Role name**, type a name for your role, for example **RedshiftCopyUnload**. Choose ****Create role****.
1. The new role is available to all users on clusters that use the role. To restrict access to only specific users on specific clusters, or to clusters in specific regions, edit the trust relationship for the role. For more information, see [Restricting access to IAM roles](authorizing-redshift-service-database-users.md).
1. Associate the role with your cluster. You can associate an IAM role with a cluster when you create the cluster, or you add the role to an existing cluster. For more information, see [Associating IAM roles with clusters](copy-unload-iam-role-associating-with-clusters.md).
**Note**
To restrict access to specific data, use an IAM role that grants the least privileges required.
# Restricting access to IAM roles
By default, IAM roles that are available to an Amazon Redshift cluster are available to all users on that cluster. You can choose to restrict IAM roles to specific Amazon Redshift database users on specific clusters or to specific regions.
To permit only specific database users to use an IAM role, take the following steps.
**To identify specific database users with access to an IAM role**
1. Identify the Amazon Resource Name (ARN) for the database users in your Amazon Redshift cluster. The ARN for a database user is in the format: `arn:aws:redshift:region:account-id:dbuser:cluster-name/user-name`.
For Amazon Redshift Serverless use the following ARN format. `arn:aws:redshift:region:account-id:dbuser:serverless-account-id-workgroup-id/user-name`
1. Open the [IAM console](https://console.aws.amazon.com/iam/home?#home).
1. In the navigation pane, choose **Roles**.
1. Choose the IAM role that you want to restrict to specific Amazon Redshift database users.
1. Choose the **Trust Relationships** tab, and then choose **Edit Trust Relationship**. A new IAM role that allows Amazon Redshift to access other AWS services on your behalf has a trust relationship as follows:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "redshift.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
```
------
1. Add a condition to the `sts:AssumeRole` action section of the trust relationship that limits the `sts:ExternalId` field to values that you specify. Include an ARN for each database user that you want to grant access to the role. The external ID can be any unique string.
For example, the following trust relationship specifies that only database users `user1` and `user2` on cluster `my-cluster` in region `us-west-2` have permission to use this IAM role.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "redshift.amazonaws.com"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": [
"arn:aws:redshift:us-west-2:123456789012:dbuser:my-cluster/user1",
"arn:aws:redshift:us-west-2:123456789012:dbuser:my-cluster/user2"
]
}
}
}]
}
```
------
1. Choose **Update Trust Policy**.
# Restricting an IAM role to an AWS Region
You can restrict an IAM role to only be accessible in a certain AWS Region. By default, IAM roles for Amazon Redshift are not restricted to any single region.
To restrict use of an IAM role by region, take the following steps.
**To identify permitted regions for an IAM role**
1. Open the [IAM console](https://console.aws.amazon.com/iam/home?#home) at [https://console.aws.amazon.com/](https://console.aws.amazon.com/).
1. In the navigation pane, choose **Roles**.
1. Choose the role that you want to modify with specific regions.
1. Choose the **Trust Relationships** tab and then choose **Edit Trust Relationship**. A new IAM role that allows Amazon Redshift to access other AWS services on your behalf has a trust relationship as follows:
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "redshift.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
```
------
1. Modify the `Service` list for the `Principal` with the list of the specific regions that you want to permit use of the role for. Each region in the `Service` list must be in the following format: `redshift.region.amazonaws.com`.
For example, the following edited trust relationship permits the use of the IAM role in the `us-east-1` and `us-west-2` regions only.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"redshift.us-east-1.amazonaws.com",
"redshift.us-west-2.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
```
------
1. Choose **Update Trust Policy**
# Chaining IAM roles in Amazon Redshift
When you attach a role to your cluster, your cluster can assume that role to access Amazon S3, Amazon Athena, AWS Glue, and AWS Lambda on your behalf. If a role attached to your cluster doesn't have access to the necessary resources, you can chain another role, possibly belonging to another account. Your cluster then temporarily assumes the chained role to access the data. You can also grant cross-account access by chaining roles. Each role in the chain assumes the next role in the chain, until the cluster assumes the role at the end of chain. The maximum number of IAM roles that you can associate is subject to a quota. For more information, see the quota "Cluster IAM roles for Amazon Redshift to access other AWS services" in [Quotas for Amazon Redshift objects](amazon-redshift-limits.md#amazon-redshift-limits-quota).
**Note**
You must specify the IAM roles in order for the chain to work correctly.
For example, suppose Company A wants to access data in an Amazon S3 bucket that belongs to Company B. Company A creates an AWS service role for Amazon Redshift named `RoleA` and attaches it to their cluster. Company B creates a role named `RoleB` that's authorized to access the data in the Company B bucket. To access the data in the Company B bucket, Company A runs a COPY command using an `iam_role` parameter that chains `RoleA` and `RoleB`. For the duration of the COPY operation, `RoleA` temporarily assumes `RoleB` to access the Amazon S3 bucket.
To chain roles, you establish a trust relationship between the roles. A role that assumes another role (for example, `RoleA`) must have a permissions policy that allows it to assume the next chained role (for example, `RoleB`). In turn, the role that passes permissions (`RoleB`) must have a trust policy that allows it to pass its permissions to the previous chained role (`RoleA`). For more information, see [Using IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) in the IAM User Guide.
The first role in the chain must be a role attached to the cluster. The first role, and each subsequent role that assumes the next role in the chain, must have a policy that includes a specific statement. This statement has the `Allow` effect on the `sts:AssumeRole `action and the Amazon Resource Name (ARN) of the next role in a `Resource` element. In our example, `RoleA` has the following permission policy that allows it to assume `RoleB`, owned by AWS account `210987654321`.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "Stmt1487639602000",
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": "arn:aws:iam::111122223333:role/RoleB"
}
]
}
```
------
A role that passes to another role must establish a trust relationship with the role that assumes the role or with the AWS account that owns the role. In our example, `RoleB` has the following trust policy to establish a trust relationship with `RoleA`.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"AWS": "arn:aws:iam::111122223333:role/RoleA"
}
}
]
}
```
------
The following trust policy establishes a trust relationship with the owner of `RoleA`, AWS account `123456789012`.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
}
}
]
}
```
------
**Note**
To restrict role chaining authorization to specific users, define a condition. For more information, see [Restricting access to IAM roles](authorizing-redshift-service-database-users.md).
When you run an UNLOAD, COPY, CREATE EXTERNAL FUNCTION, or CREATE EXTERNAL SCHEMA command, you chain roles by including a comma-separated list of role ARNs in the `iam_role` parameter. The following shows the syntax for chaining roles in the `iam_role` parameter.
```
unload ('select * from venue limit 10')
to 's3://acmedata/redshift/venue_pipe_'
IAM_ROLE 'arn:aws:iam:::role/[,arn:aws:iam:::role/][,...]';
```
**Note**
The entire role chain is enclosed in single quotes and must not contain spaces.
In the following examples, `RoleA` is attached to the cluster belonging to AWS account `123456789012`. `RoleB`, which belongs to account `210987654321`, has permission to access the bucket named `s3://companyb/redshift/`. The following example chains `RoleA` and `RoleB` to UNLOAD data to the s3://companyb/redshift/ bucket.
```
unload ('select * from venue limit 10')
to 's3://companyb/redshift/venue_pipe_'
iam_role 'arn:aws:iam::123456789012:role/RoleA,arn:aws:iam::210987654321:role/RoleB';
```
The following example uses a COPY command to load the data that was unloaded in the previous example.
```
copy venue
from 's3://companyb/redshift/venue_pipe_'
iam_role 'arn:aws:iam::123456789012:role/RoleA,arn:aws:iam::210987654321:role/RoleB';
```
In the following example, CREATE EXTERNAL SCHEMA uses chained roles to assume the role `RoleB`.
```
create external schema spectrumexample from data catalog
database 'exampledb' region 'us-west-2'
iam_role 'arn:aws:iam::123456789012:role/RoleA,arn:aws:iam::210987654321:role/RoleB';
```
In the following example, CREATE EXTERNAL FUNCTION uses chained roles to assume the role `RoleB`.
```
create external function lambda_example(varchar)
returns varchar
volatile
lambda 'exampleLambdaFunction'
iam_role 'arn:aws:iam::123456789012:role/RoleA,arn:aws:iam::210987654321:role/RoleB';
```
# Authorizing COPY, UNLOAD, CREATE EXTERNAL FUNCTION, and CREATE EXTERNAL SCHEMA operations using IAM roles
You can use the [COPY](https://docs.aws.amazon.com/redshift/latest/dg/r_COPY.html) command to load (or import) data into Amazon Redshift and the [UNLOAD](https://docs.aws.amazon.com/redshift/latest/dg/r_UNLOAD.html) command to unload (or export) data from Amazon Redshift. You can use the CREATE EXTERNAL FUNCTION command to create user-defined functions that invoke functions from AWS Lambda.
When you use Amazon Redshift Spectrum, you use the [CREATE EXTERNAL SCHEMA](https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_EXTERNAL_SCHEMA.html) command to specify the location of an Amazon S3 bucket that contains your data. When you run the COPY, UNLOAD, or CREATE EXTERNAL SCHEMA commands, you provide security credentials. These credentials authorize your Amazon Redshift cluster to read or write data to and from your target destination, such as an Amazon S3 bucket.
When you run the CREATE EXTERNAL FUNCTION, you provide security credentials using the IAM role parameter. These credentials authorize your Amazon Redshift cluster to invoke Lambda functions from AWS Lambda. The preferred method to supply security credentials is to specify an AWS Identity and Access Management (IAM) role. For COPY and UNLOAD, you can provide temporary credentials. For information about creating an IAM role, see [Authorizing Amazon Redshift to access AWS services on your behalf](authorizing-redshift-service.md).
Users need programmatic access if they want to interact with AWS outside of the AWS Management Console. The way to grant programmatic access depends on the type of user that's accessing AWS.
To grant users programmatic access, choose one of the following options.
****
| Which user needs programmatic access? | To | By |
| --- | --- | --- |
| IAM | (Recommended) Use console credentials as temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/redshift/latest/mgmt/copy-unload-iam-role.html) |
| Workforce identity (Users managed in IAM Identity Center) | Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/redshift/latest/mgmt/copy-unload-iam-role.html) |
| IAM | Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions in [Using temporary credentials with AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) in the IAM User Guide. |
| IAM | (Not recommended)Use long-term credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/redshift/latest/mgmt/copy-unload-iam-role.html) |
The steps for using an IAM role are as follows:
+ Create an IAM role for use with your Amazon Redshift cluster.
+ Associate the IAM role with the cluster.
+ Include the IAM role's ARN when you call the COPY, UNLOAD, CREATE EXTERNAL SCHEMA, or CREATE EXTERNAL FUNCTION command.
# Associating IAM roles with clusters
After you have created an IAM role that authorizes Amazon Redshift to access other AWS services for you, you must associate that role with an Amazon Redshift cluster. You must do this before you can use the role to load or unload data.
## Permissions required to associate an IAM role with a cluster
To associate an IAM role with a cluster, a user must have `iam:PassRole` permission for that IAM role. This permission allows an administrator to restrict which IAM roles a user can associate with Amazon Redshift clusters. As a best practice, we recommend attaching permissions policies to an IAM role and then assigning it to users and groups as needed. For more information, see [Identity and access management in Amazon Redshift](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-authentication-access-control.html).
The following example shows an IAM policy that can be attached to a user that allows the user to take these actions:
+ Get the details for all Amazon Redshift clusters owned by that user's account.
+ Associate any of three IAM roles with either of two Amazon Redshift clusters.
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "redshift:DescribeClusters",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"redshift:ModifyClusterIamRoles",
"redshift:CreateCluster"
],
"Resource": [
"arn:aws:redshift:us-east-1:123456789012:cluster:my-redshift-cluster",
"arn:aws:redshift:us-east-1:123456789012:cluster:my-second-redshift-cluster"
]
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": [
"arn:aws:iam::123456789012:role/MyRedshiftRole",
"arn:aws:iam::123456789012:role/SecondRedshiftRole",
"arn:aws:iam::123456789012:role/ThirdRedshiftRole"
]
}
]
}
```
------
After a user has the appropriate permissions, that user can associate an IAM role with an Amazon Redshift cluster. The IAM role is then ready to use with the COPY or UNLOAD command or other Amazon Redshift commands.
For more information on IAM policies, see [Overview of IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.
## Managing IAM role association with a cluster
You can associate an IAM role with an Amazon Redshift cluster when you create the cluster. Or you can modify an existing cluster and add or remove one or more IAM role associations.
Be aware of the following:
+ The maximum number of IAM roles that you can associate is subject to a quota.
+ An IAM role can be associated with multiple Amazon Redshift clusters.
+ An IAM role can be associated with an Amazon Redshift cluster only if both the IAM role and the cluster are owned by the same AWS account.
You can manage IAM role associations for a cluster with the console by using the following procedure.
**To manage IAM role associations**
1. Sign in to the AWS Management Console and open the Amazon Redshift console at [https://console.aws.amazon.com/redshiftv2/](https://console.aws.amazon.com/redshiftv2/).
1. On the navigation menu, choose **Clusters**, then choose the cluster that you want to update.
1. For **Actions**, choose **Manage IAM roles** to display the current list IAM roles associated with the cluster.
1. On the **Manage IAM roles** page, choose the available IAM roles to add, and then choose **Add IAM role**.
1. Choose **Done** to save your changes.
You can manage IAM role associations for a cluster with the AWS CLI by using the following approaches.
To associate an IAM role with a cluster when the cluster is created, specify the Amazon Resource Name (ARN) of the IAM role for the `--iam-role-arns` parameter of the `create-cluster` command. The maximum number of IAM roles that you can add when calling the `create-cluster` command is subject to a quota.
Associating and disassociating IAM roles with Amazon Redshift clusters is an asynchronous process. You can get the status of all IAM role cluster associations by calling the `describe-clusters` command.
The following example associates two IAM roles with the newly created cluster named `my-redshift-cluster`.
```
aws redshift create-cluster \
--cluster-identifier "my-redshift-cluster" \
--node-type "ra3.4xlarge" \
--number-of-nodes 16 \
--iam-role-arns "arn:aws:iam::123456789012:role/RedshiftCopyUnload" \
"arn:aws:iam::123456789012:role/SecondRedshiftRole"
```
To associate an IAM role with an existing Amazon Redshift cluster, specify the Amazon Resource Name (ARN) of the IAM role for the `--add-iam-roles` parameter of the `modify-cluster-iam-roles` command. The maximum number of IAM roles that you can add when calling the `modify-cluster-iam-roles` command is subject to a quota.
The following example associates an IAM role with an existing cluster named `my-redshift-cluster`.
```
aws redshift modify-cluster-iam-roles \
--cluster-identifier "my-redshift-cluster" \
--add-iam-roles "arn:aws:iam::123456789012:role/RedshiftCopyUnload"
```
To disassociate an IAM role from a cluster, specify the ARN of the IAM role for the `--remove-iam-roles` parameter of the `modify-cluster-iam-roles` command. `modify-cluster-iam-roles` The maximum number of IAM roles that you can remove when calling the `modify-cluster-iam-roles` command is subject to a quota.
The following example removes the association for an IAM role for the `123456789012` AWS account from a cluster named `my-redshift-cluster`.
```
aws redshift modify-cluster-iam-roles \
--cluster-identifier "my-redshift-cluster" \
--remove-iam-roles "arn:aws:iam::123456789012:role/RedshiftCopyUnload"
```
### Listing IAM role associations for a cluster using the AWS CLI
To list all of the IAM roles that are associated with an Amazon Redshift cluster, and the status of the IAM role association, call the `describe-clusters` command. The ARN for each IAM role associated with the cluster is returned in the `IamRoles` list as shown in the following example output.
Roles that have been associated with the cluster show a status of `in-sync`. Roles that are in the process of being associated with the cluster show a status of `adding`. Roles that are being disassociated from the cluster show a status of `removing`.
```
{
"Clusters": [
{
"ClusterIdentifier": "my-redshift-cluster",
"NodeType": "ra3.4xlarge",
"NumberOfNodes": 16,
"IamRoles": [
{
"IamRoleArn": "arn:aws:iam::123456789012:role/MyRedshiftRole",
"IamRoleApplyStatus": "in-sync"
},
{
"IamRoleArn": "arn:aws:iam::123456789012:role/SecondRedshiftRole",
"IamRoleApplyStatus": "in-sync"
}
],
...
},
{
"ClusterIdentifier": "my-second-redshift-cluster",
"NodeType": "ra3.4xlarge",
"NumberOfNodes": 10,
"IamRoles": [
{
"IamRoleArn": "arn:aws:iam::123456789012:role/MyRedshiftRole",
"IamRoleApplyStatus": "in-sync"
},
{
"IamRoleArn": "arn:aws:iam::123456789012:role/SecondRedshiftRole",
"IamRoleApplyStatus": "in-sync"
},
{
"IamRoleArn": "arn:aws:iam::123456789012:role/ThirdRedshiftRole",
"IamRoleApplyStatus": "in-sync"
}
],
...
}
]
}
```
For more information on using the AWS CLI, see *[AWS CLI User Guide](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html)*.
# Creating an IAM role as default for Amazon Redshift
When you create IAM roles through the Redshift console, Amazon Redshift programmatically creates the roles in your AWS account and automatically attaches existing AWS managed policies to them. This approach means that you can stay within the Redshift console and don't have to switch to the IAM console for role creation. For more granular control of permissions for an existing IAM role that was created in the Amazon Redshift console, you can attach a customized managed policy to the IAM role.
## IAM roles created in the console
When you use the Amazon Redshift console to create IAM roles, Amazon Redshift tracks all IAM roles created through the console. Amazon Redshift preselects the most recent default IAM role for creating all new clusters and restoring clusters from snapshots.
You can create an IAM role through the console that has a policy with permissions to run SQL commands. These commands include COPY, UNLOAD, CREATE EXTERNAL FUNCTION, CREATE EXTERNAL TABLE, CREATE EXTERNAL SCHEMA, CREATE MODEL, or CREATE LIBRARY. Optionally, you can get more granular control of user access to your AWS resources by creating and attaching custom policies to the IAM role.
When you created an IAM role and set it as the default for the cluster using console, you don't have to provide the IAM role's Amazon Resource Name (ARN) to perform authentication and authorization.
The IAM role that you create through the console for your cluster has the `AmazonRedshiftAllCommandsFullAccess` managed policy automatically attached. This IAM role allows Amazon Redshift to copy, unload, query, and analyze data for AWS resources in your IAM account. The managed policy provides access to [COPY](https://docs.aws.amazon.com/redshift/latest/dg/copy-parameters-authorization.html), [UNLOAD](https://docs.aws.amazon.com/redshift/latest/dg/r_UNLOAD.html), [CREATE EXTERNAL FUNCTION](https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_EXTERNAL_FUNCTION.html), [CREATE EXTERNAL SCHEMA](https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_EXTERNAL_SCHEMA.html), [CREATE MODEL](https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_MODEL.html), and [CREATE LIBRARY](https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_LIBRARY.html) operations. The policy also grants permissions to run SELECT statements for related AWS services, such as Amazon S3, Amazon CloudWatch Logs, Amazon SageMaker AI, and AWS Glue.
The CREATE EXTERNAL FUNCTION, CREATE EXTERNAL SCHEMA, CREATE MODEL, and CREATE LIBRARY commands have a `default` keyword. For this keyword for these commands, Amazon Redshift uses the IAM role that is set as the default and associated with the cluster when the command runs. You can run the [DEFAULT\$1IAM\$1ROLE](https://docs.aws.amazon.com/redshift/latest/dg/r_DEFAULT_IAM_ROLE.html) command to check the current default IAM role that is attached to the cluster.
To control access privileges of the IAM role created and set as default for your Redshift cluster, use the ASSUMEROLE privilege. This access control applies to database users and groups when they run commands such as the ones listed preceding. After you grant the ASSUMEROLE privilege to a user or group for the IAM role, the user or group can assume that role when running these commands. By using the ASSUMEROLE privilege, you can grant access to the appropriate commands as required.
Using the Amazon Redshift console, you can do the following:
+ [Creating an IAM role as the default](#create-iam)
+ [Removing IAM roles from your cluster](#remove-iam)
+ [Associating IAM roles with your cluster](#associate-iam)
+ [Setting an IAM role as the default](#set-default-iam)
+ [Making an IAM role no longer default for your cluster](#clear-default-iam)
## Permissions of the AmazonRedshiftAllCommandsFullAccess managed policy
The following example shows the permissions in the `AmazonRedshiftAllCommandsFullAccess` managed policy that allow certain actions for the IAM role that is set as default for your cluster. The IAM role with permission policies attached authorizes what a user or group can and can't do. Given these permissions, you can run the COPY command from Amazon S3, run UNLOAD, and use the CREATE MODEL command.
```
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:GetBucketAcl",
"s3:GetBucketCors",
"s3:GetEncryptionConfiguration",
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:ListAllMyBuckets",
"s3:ListMultipartUploadParts",
"s3:ListBucketMultipartUploads",
"s3:PutObject",
"s3:PutBucketAcl",
"s3:PutBucketCors",
"s3:DeleteObject",
"s3:AbortMultipartUpload",
"s3:CreateBucket"
],
"Resource": [
"arn:aws:s3:::redshift-downloads",
"arn:aws:s3:::redshift-downloads/*",
"arn:aws:s3:::*redshift*",
"arn:aws:s3:::*redshift*/*"
]
}
```
The following example shows the permissions in the `AmazonRedshiftAllCommandsFullAccess` managed policy that allow certain actions for the IAM role that is set as default for the cluster. The IAM role with permission policies attached authorizes what a user or group can and can't do. Given the following permissions, you can run the CREATE EXTERNAL FUNCTION command.
```
{
"Action": [
"lambda:InvokeFunction"
],
"Resource": "arn:aws:lambda:*:*:function:*redshift*"
}
```
The following example shows the permissions in the `AmazonRedshiftAllCommandsFullAccess` managed policy that allow certain actions for the IAM role that is set as default for the cluster. The IAM role with permission policies attached authorizes what a user or group can and can't do. Given the following permissions, you can run the CREATE EXTERNAL SCHEMA and CREATE EXTERNAL TABLE commands needed for Amazon Redshift Spectrum.
```
{
"Effect": "Allow",
"Action": [
"glue:CreateDatabase",
"glue:DeleteDatabase",
"glue:GetDatabase",
"glue:GetDatabases",
"glue:UpdateDatabase",
"glue:CreateTable",
"glue:DeleteTable",
"glue:BatchDeleteTable",
"glue:UpdateTable",
"glue:GetTable",
"glue:GetTables",
"glue:BatchCreatePartition",
"glue:CreatePartition",
"glue:DeletePartition",
"glue:BatchDeletePartition",
"glue:UpdatePartition",
"glue:GetPartition",
"glue:GetPartitions",
"glue:BatchGetPartition"
],
"Resource": [
"arn:aws:glue:*:*:table/*redshift*/*",
"arn:aws:glue:*:*:catalog",
"arn:aws:glue:*:*:database/*redshift*"
]
}
```
The following example shows the permissions in the `AmazonRedshiftAllCommandsFullAccess` managed policy that allow certain actions for the IAM role set as default for the cluster. The IAM role with permission policies attached authorizes what a user or group can and can't do. Given the following permissions, you can run the CREATE EXTERNAL SCHEMA command using federated queries.
```
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetResourcePolicy",
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:ListSecretVersionIds"
],
"Resource": [
"arn:aws:secretsmanager:*:*:secret:*Redshift*"
]
},
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetRandomPassword",
"secretsmanager:ListSecrets"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"secretsmanager:ResourceTag/Redshift": "true"
}
}
},
```
## Managing IAM roles created for a cluster using the console
To create, modify, and remove IAM roles created from the Amazon Redshift console, use the **Clusters** section in the console.
### Creating an IAM role as the default
On the console, you can create an IAM role for your cluster that has the `AmazonRedshiftAllCommandsFullAccess` policy automatically attached. The new IAM role that you create allows Amazon Redshift to copy, load, query, and analyze data from Amazon resources in your IAM account.
There can only be one IAM role set as the default for the cluster. If you create another IAM role as the cluster default when an existing IAM role is currently assigned as the default, the new IAM role replaces the other one as default.
**To create a new cluster and an IAM role set as the default for the new cluster**
1. Sign in to the AWS Management Console and open the Amazon Redshift console at [https://console.aws.amazon.com/redshiftv2/](https://console.aws.amazon.com/redshiftv2/).
1. On the navigation menu, choose **Clusters**. The clusters for your account in the current AWS Region are listed. A subset of properties of each cluster is displayed in columns in the list.
1. Choose **Create cluster** to create a cluster.
1. Follow the instructions on the console page to enter the properties for **Cluster configuration**. For more information about this step, see [Creating a cluster](create-cluster.md).
1. (Optional) Choose **Load sample data** to load the sample data set to your Amazon Redshift cluster to start using the query editor to query data.
If you are behind a firewall, the database port must be an open port that accepts inbound connections.
1. Follow the instructions on the console page to enter properties for **Database configurations**.
1. Under **Cluster permissions**, from **Manage IAM roles**, choose **Create IAM role**.
1. Specify an Amazon S3 bucket for the IAM role to access by choosing one of the following methods:
+ Choose **No additional Amazon S3 bucket** to create the IAM role without specifying specific Amazon S3 buckets.
+ Choose **Any Amazon S3 bucket** to allow users that have access to your Amazon Redshift cluster to also access any Amazon S3 bucket and its contents in your AWS account.
+ Choose **Specific Amazon S3 buckets** to specify one or more Amazon S3 buckets that the IAM role being created has permission to access. Then choose one or more Amazon S3 buckets from the table.
1. Choose **Create IAM role as default**. Amazon Redshift automatically creates and sets the IAM role as the default for your cluster.
1. Choose **Create cluster** to create the cluster. The cluster might take several minutes to be ready to use.
### Removing IAM roles from your cluster
You can remove one or more IAM roles from your cluster.
**To remove IAM roles from your cluster**
1. Sign in to the AWS Management Console and open the Amazon Redshift console at [https://console.aws.amazon.com/redshiftv2/](https://console.aws.amazon.com/redshiftv2/).
1. On the navigation menu, choose **Clusters**. The clusters for your account in the current AWS Region are listed. A subset of properties of each cluster is displayed in columns in the list.
1. Choose the cluster that you want to remove the IAM role from.
1. Under **Cluster permissions**, choose one or more IAM roles that you want to remove from the cluster.
1. From **Manage IAM roles**, choose **Remove IAM roles**.
### Associating IAM roles with your cluster
You can associate one or more IAM roles with your cluster.
**To associate IAM roles with your cluster**
1. Sign in to the AWS Management Console and open the Amazon Redshift console at [https://console.aws.amazon.com/redshiftv2/](https://console.aws.amazon.com/redshiftv2/).
1. On the navigation menu, choose **Clusters**. The clusters for your account in the current AWS Region are listed. A subset of properties of each cluster is displayed in columns in the list.
1. Choose the cluster that you want to associate IAM roles with.
1. Under **Cluster permissions**, choose one or more IAM roles that you want to associate with the cluster.
1. From **Manage IAM roles**, choose **Associate IAM roles**.
1. Choose one ore more IAM roles to associate with your cluster.
1. Choose **Associate IAM roles**.
### Setting an IAM role as the default
You can set an IAM role as the default for your cluster.
**To make an IAM role the default for your cluster**
1. Sign in to the AWS Management Console and open the Amazon Redshift console at [https://console.aws.amazon.com/redshiftv2/](https://console.aws.amazon.com/redshiftv2/).
1. On the navigation menu, choose **Clusters**. The clusters for your account in the current AWS Region are listed. A subset of properties of each cluster is displayed in columns in the list.
1. Choose the cluster that you want to set a default IAM role for.
1. Under **Cluster permissions**, from **Associated IAM roles**, choose an IAM role that you want make as default for the cluster.
1. Under **Set default**, choose **Make default**.
1. When prompted, choose **Set default** to confirm making the specified IAM role as the default.
### Making an IAM role no longer default for your cluster
You can make an IAM role no longer the default for your cluster.
**To clear an IAM role as the default for your cluster**
1. Sign in to the AWS Management Console and open the Amazon Redshift console at [https://console.aws.amazon.com/redshiftv2/](https://console.aws.amazon.com/redshiftv2/).
1. On the navigation menu, choose **Clusters**. The clusters for your account in the current AWS Region are listed. A subset of properties of each cluster is displayed in columns in the list.
1. Choose the cluster that you want to associate IAM roles with.
1. Under **Cluster permissions**, from **Associated IAM roles**, choose the default IAM role.
1. Under **Set default**, choose **Clear default**.
1. When prompted, choose **Clear default** to confirm clearing the specified IAM role as the default.
## Managing IAM roles created on the cluster using the AWS CLI
You can manage IAM roles created on the cluster using the AWS CLI.
### To create an Amazon Redshift cluster with an IAM role set as default
To create an Amazon Redshift cluster with an IAM role set it as the default for the cluster, use the `aws redshift create-cluster` AWS CLI command.
The following AWS CLI command creates an Amazon Redshift cluster and the IAM role named myrole1. The AWS CLI command also sets myrole1 as the default for the cluster.
```
aws redshift create-cluster \
--node-type dc2.large \
--number-of-nodes 2 \
--master-username adminuser \
--master-user-password TopSecret1 \
--cluster-identifier mycluster \
--iam-roles 'arn:aws:iam::012345678910:role/myrole1' 'arn:aws:iam::012345678910:role/myrole2' \
--default-iam-role-arn 'arn:aws:iam::012345678910:role/myrole1'
```
The following snippet is an example of the response.
```
{
"Cluster": {
"ClusterIdentifier": "mycluster",
"NodeType": "dc2.large",
"MasterUsername": "adminuser",
"DefaultIamRoleArn": "arn:aws:iam::012345678910:role/myrole1",
"IamRoles": [
{
"IamRoleArn": "arn:aws:iam::012345678910:role/myrole1",
"ApplyStatus": "adding"
},
{
"IamRoleArn": "arn:aws:iam::012345678910:role/myrole2",
"ApplyStatus": "adding"
}
]
...
}
}
```
### To add one or more IAM roles to an Amazon Redshift cluster
To add one or more IAM roles associated to the cluster, use the `aws redshift modify-cluster-iam-roles` AWS CLI command.
The following AWS CLI command adds `myrole3` and `myrole4` to the cluster.
```
aws redshift modify-cluster-iam-roles \
--cluster-identifier mycluster \
--add-iam-roles 'arn:aws:iam::012345678910:role/myrole3' 'arn:aws:iam::012345678910:role/myrole4'
```
The following snippet is an example of the response.
```
{
"Cluster": {
"ClusterIdentifier": "mycluster",
"NodeType": "dc2.large",
"MasterUsername": "adminuser",
"DefaultIamRoleArn": "arn:aws:iam::012345678910:role/myrole1",
"IamRoles": [
{
"IamRoleArn": "arn:aws:iam::012345678910:role/myrole1",
"ApplyStatus": "in-sync"
},
{
"IamRoleArn": "arn:aws:iam::012345678910:role/myrole2",
"ApplyStatus": "in-sync"
},
{
"IamRoleArn": "arn:aws:iam::012345678910:role/myrole3",
"ApplyStatus": "adding"
},
{
"IamRoleArn": "arn:aws:iam::012345678910:role/myrole4",
"ApplyStatus": "adding"
}
],
...
}
}
```
### To remove one or more IAM roles from an Amazon Redshift cluster
To remove one or more IAM roles associated to the cluster, use the `aws redshift modify-cluster-iam-roles` AWS CLI command.
The following AWS CLI command removes `myrole3` and `myrole4` from the cluster.
```
aws redshift modify-cluster-iam-roles \
--cluster-identifier mycluster \
--remove-iam-roles 'arn:aws:iam::012345678910:role/myrole3' 'arn:aws:iam::012345678910:role/myrole4'
```
The following snippet is an example of the response.
```
{
"Cluster": {
"ClusterIdentifier": "mycluster",
"NodeType": "dc2.large",
"MasterUsername": "adminuser",
"DefaultIamRoleArn": "arn:aws:iam::012345678910:role/myrole1",
"IamRoles": [
{
"IamRoleArn": "arn:aws:iam::012345678910:role/myrole1",
"ApplyStatus": "in-sync"
},
{
"IamRoleArn": "arn:aws:iam::012345678910:role/myrole2",
"ApplyStatus": "in-sync"
},
{
"IamRoleArn": "arn:aws:iam::012345678910:role/myrole3",
"ApplyStatus": "removing"
},
{
"IamRoleArn": "arn:aws:iam::012345678910:role/myrole4",
"ApplyStatus": "removing"
}
],
...
}
}
```
### To set an associated IAM role as the default for the cluster
To set an associated IAM role as the default for the cluster, use the `aws redshift modify-cluster-iam-roles` AWS CLI command.
The following AWS CLI command sets `myrole2` as the default for the cluster.
```
aws redshift modify-cluster-iam-roles \
--cluster-identifier mycluster \
--default-iam-role-arn 'arn:aws:iam::012345678910:role/myrole2'
```
The following snippet is an example of the response.
```
{
"Cluster": {
"ClusterIdentifier": "mycluster",
"NodeType": "dc2.large",
"MasterUsername": "adminuser",
"DefaultIamRoleArn": "arn:aws:iam::012345678910:role/myrole2",
"IamRoles": [
{
"IamRoleArn": "arn:aws:iam::012345678910:role/myrole1",
"ApplyStatus": "in-sync"
},
{
"IamRoleArn": "arn:aws:iam::012345678910:role/myrole2",
"ApplyStatus": "in-sync"
}
],
...
}
}
```
### To set an unassociated IAM role as the default for the cluster
To set an unassociated IAM role as the default for the cluster, use the `aws redshift modify-cluster-iam-roles` AWS CLI command.
The following AWS CLI command adds `myrole2` to the Amazon Redshift cluster and sets it as the default for the cluster.
```
aws redshift modify-cluster-iam-roles \
--cluster-identifier mycluster \
--add-iam-roles 'arn:aws:iam::012345678910:role/myrole3' \
--default-iam-role-arn 'arn:aws:iam::012345678910:role/myrole3'
```
The following snippet is an example of the response.
```
{
"Cluster": {
"ClusterIdentifier": "mycluster",
"NodeType": "dc2.large",
"MasterUsername": "adminuser",
"DefaultIamRoleArn": "arn:aws:iam::012345678910:role/myrole3",
"IamRoles": [
{
"IamRoleArn": "arn:aws:iam::012345678910:role/myrole1",
"ApplyStatus": "in-sync"
},
{
"IamRoleArn": "arn:aws:iam::012345678910:role/myrole2",
"ApplyStatus": "in-sync"
},
{
"IamRoleArn": "arn:aws:iam::012345678910:role/myrole3",
"ApplyStatus": "adding"
}
],
...
}
}
```
### To restore a cluster from a snapshot and set an IAM role as the default for it
When you restore your cluster from a snapshot, you can either associate an existing IAM role or create a new one and set it as the default for the cluster.
To restore an Amazon Redshift cluster from a snapshot and set an IAM role as the cluster default, use the `aws redshift restore-from-cluster-snapshot` AWS CLI command.
The following AWS CLI command restores the cluster from a snapshot and sets `myrole2` as the default for the cluster.
```
aws redshift restore-from-cluster-snapshot \
--cluster-identifier mycluster-clone \
--snapshot-identifier my-snapshot-id
--iam-roles 'arn:aws:iam::012345678910:role/myrole1' 'arn:aws:iam::012345678910:role/myrole2' \
--default-iam-role-arn 'arn:aws:iam::012345678910:role/myrole1'
```
The following snippet is an example of the response.
```
{
"Cluster": {
"ClusterIdentifier": "mycluster-clone",
"NodeType": "dc2.large",
"MasterUsername": "adminuser",
"DefaultIamRoleArn": "arn:aws:iam::012345678910:role/myrole1",
"IamRoles": [
{
"IamRoleArn": "arn:aws:iam::012345678910:role/myrole1",
"ApplyStatus": "adding"
},
{
"IamRoleArn": "arn:aws:iam::012345678910:role/myrole2",
"ApplyStatus": "adding"
}
],
...
}
}
```
# Using a federated identity to manage Amazon Redshift access to local resources and Amazon Redshift Spectrum external tables
Using identity federation in AWS with credentials provided from `GetDatabaseCredentials` can simplify authorization and access to local data and to external data. In this tutorial, we show you how to provide access to resources with AWS identity federation, instead of using a specific IAM role.
Currently, to give users access to external data that resides in Amazon S3, you create an IAM role with permissions defined in a permissions policy. Then, users with the role attached can access the external data. This works, but if you want to provide granular rules, such as making specific columns unavailable for a particular user, you may have to do additional configuration on the external schema.
Identity federation, with credentials provided from `GetDatabaseCredentials`, can provide access to AWS Glue and Redshift Spectrum resources with granular IAM rules that are easier to specify and change. This makes it easier to apply access that conforms to your business rules.
The benefits of using federated credentials are the following:
+ You don't have to manage cluster-attached IAM roles for Redshift Spectrum.
+ Cluster administrators can create an external schema that's accessible by consumers with different IAM contexts. This is useful, for example, to perform column filtering on a table, where different consumers query the same external schema and get varying fields in returned records.
+ You can query Amazon Redshift using a user with IAM permissions, rather than only with a role.
## Preparing an identity to log in with federated identity
Before logging in with federated identity, you must perform several preliminary steps. These instructions assume you have an existing Redshift Spectrum external schema that references a data file stored in an Amazon S3 bucket, and the bucket is in the same account as your Amazon Redshift cluster or Amazon Redshift Serverless data warehouse.
1. Create an IAM identity. This can be a user or an IAM role. Use any name supported by IAM.
1. Attach permissions policies to the identity. Specify either of the following:
+ `redshift:GetClusterCredentialsWithIAM` (for an Amazon Redshift provisioned cluster)
+ `redshift-serverless:GetCredentials` (for Amazon Redshift Serverless)
You can add permissions with the policy editor, using the IAM console.
The IAM identity also needs permissions to access external data. Grant access to Amazon S3 by adding the following AWS managed policies directly:
+ `AmazonS3ReadOnlyAccess`
+ `AWSGlueConsoleFullAccess`
The last managed policy is required if you're using AWS Glue to prepare your external data. For more information about the steps for granting access to Amazon Redshift Spectrum, see [Create an IAM role for Amazon Redshift](https://docs.aws.amazon.com/redshift/latest/dg/c-getting-started-using-spectrum-create-role.html), which is part of the getting-started guide for Amazon Redshift and Redshift Spectrum. It shows the steps for adding IAM policies to access Redshift Spectrum.
1. Set up your SQL client to connect to Amazon Redshift. Use the Amazon Redshift JDBC driver, and add your user's credentials to the tool's credential properties. A client like SQL Workbench/J works well for this. Set the following client-connection extended properties:
+ *AccessKeyID* – Your access key identifier.
+ *SecretAccessKey* – Your secret access key. (Note the security risk of transmitting the secret key if you don't use encryption.)
+ *SessionToken* – A set of temporary credentials for an IAM role.
+ *groupFederation* – Set to `true` if you're configuring federated identity for a provisioned cluster. Don't set this parameter if you are using Amazon Redshift Serverless.
+ *LogLevel* – Integer log-level value. This is optional.
1. Set the URL to the JDBC endpoint found in the Amazon Redshift or Amazon Redshift Serverless console. Replace your URL schema with *jdbc:redshift:iam:* and use this formatting:
+ Format for an Amazon Redshift provisioned cluster: `jdbc:redshift:iam://...redshift.amazonaws.com:/`
Example: `jdbc:redshift:iam://test1.12345abcdefg.us-east-1.redshift.amazonaws.com:5439/dev`
+ Format for Amazon Redshift Serverless: `jdbc:redshift:iam://...redshift-serverless.amazonaws.com:5439:/`
Example: `jdbc:redshift:iam://default.123456789012.us-east-1.redshift-serverless.amazonaws.com:5439/dev`
After you connect to the database for the first time, using an IAM identity, Amazon Redshift automatically creates an Amazon Redshift identity with the same name, prefixed with `IAM:` for a user or `IAMR:` for an IAM role. The remaining steps in this topic show examples for a user.
If a Redshift user isn't automatically created, you can create one by running a `CREATE USER` statement, using an admin account, specifying the user name in the format `IAM:`.
1. As your Amazon Redshift cluster administrator, grant the Redshift user the required permissions to access the external schema.
```
GRANT ALL ON SCHEMA my_schema to "IAM:my_user";
```
To grant the ability to your Redshift user to create tables in the external schema, they must be a schema owner. For example:
```
ALTER SCHEMA my_schema owner to "IAM:my_user";
```
1. To verify the configuration, run a query as the user, using the SQL client, after permissions are granted. This query sample retrieves data from an external table.
```
SELECT * FROM my_schema.my_table;
```
## Getting started with identity and authorization propagation to Redshift Spectrum
To pass a federated identity to query external tables, you set `SESSION` as the value for the `IAM_ROLE` query parameter of `CREATE EXTERNAL SCHEMA`. The following steps show how to set up and leverage `SESSION` to authorize queries on the external schema.
1. Create local tables and external tables. External tables catalogued with AWS Glue work for this.
1. Connect to Amazon Redshift with your IAM identity. As mentioned in the previous section, when the identity connects to Amazon Redshift, a Redshift database user is created. The user is created if they didn't previously exist. If the user is new, the administrator must grant them permissions to perform tasks in Amazon Redshift, like querying and creating tables.
1. Connect to Redshift with your admin account. Run the command to create an external schema, using the `SESSION` value.
```
create external schema spectrum_schema from data catalog
database ''
region ''
iam_role 'SESSION'
catalog_id '';
```
Note that `catalog_id` is set in this case. This is a new setting added with the feature, because `SESSION` replaces a specific role.
In this example, values in the query mimic how real values appear.
```
create external schema spectrum_schema from data catalog
database 'spectrum_db'
region 'us-east-1'
iam_role 'SESSION'
catalog_id '123456789012'
```
The `catalog_id` value in this case is your AWS account ID.
1. Run queries to access your external data, using the IAM identity you connected with in step 2. For example:
```
select * from spectrum_schema.table1;
```
In this case, `table1` can be, for example, JSON-formatted data in a file, in an Amazon S3 bucket.
1. If you already have an external schema that uses a cluster-attached IAM role, pointing to your external database or schema, you can either replace the existing schema and use a federated identity as detailed in these steps, or create a new one.
`SESSION` indicates that federated identity credentials are used to query the external schema. When you use the `SESSION` query parameter, make sure you set the `catalog_id`. It's required because it points to the data catalog used for the schema. Previously, `catalog_id` was retrieved from the value assigned to `iam_role`. When you set up identity and authorization propagation this way, for instance, to Redshift Spectrum, by using federated credentials to query an external schema, authorization by means of an IAM role isn’t required.
### Usage notes
A common connection error is the following: *IAM error retrieving temp credentials: Unable to unmarshall exception response with the unmarshallers provided*. This error is a result of having a legacy JDBC driver. The minimum driver version required for federated identity is 2.1.0.9. You can get the JDBC driver from [Download the Amazon Redshift JDBC driver, version 2.x](https://docs.aws.amazon.com/redshift/latest/mgmt/jdbc20-download-driver.html).
### Additional resources
These links provide additional information for managing access to external data.
+ You can still access Redshift Spectrum data using an IAM role. For more information, see [Authorizing Amazon Redshift to access AWS services on your behalf](authorizing-redshift-service.md).
+ When you manage access to external tables with AWS Lake Formation, you can query them using Redshift Spectrum with federated IAM identities. You no longer have to manage cluster-attached IAM roles for Redshift Spectrum to query data registered with AWS Lake Formation. For more information, see [Using AWS Lake Formation with Amazon Redshift Spectrum](https://docs.aws.amazon.com/lake-formation/latest/dg/RSPC-lf.html).