Skip to main content

Prerequisites

  • If your Redshift security posture requires IP whitelisting, have our static IP available during the following steps. It will be required in Step 2.
  • By default, Redshift authentication uses role-based access. You will need the trust policy prepopulated with our identifier to grant access. It should look similar to the following JSON object with a proper service account identifier:
Trust policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRoleWithWebIdentity"
      ],
      "Principal": {
        "Federated": "accounts.google.com"
      },
      "Condition": {
        "StringEquals": {
          "accounts.google.com:oaud": "<some_organization_identifier>",
          "accounts.google.com:sub": "<some_service_account_identifier>"
        }
      }
    }
  ]
}
Network allowlistingCloud Hosted (US): 35.192.85.117/32Cloud Hosted (EU): 104.199.49.149/32If private-cloud or self-hosted, contact support for the static egress IP.

How authentication works

Two identities involved
  • Redshift database user (in your Redshift workgroup): You create this limited user in Step 1. It owns database-level privileges (e.g., create schema, temporary tables) needed to load and transform data.
  • AWS IAM Role (in your AWS account): You create this role in Step 3. It holds S3 permissions for staging and allows us to call redshift-serverless:GetCredentials on your Redshift Serverless workgroup via the trust policy. We assume this role to obtain short-lived credentials; no long-lived secrets are required.
1

Create a Limited User in Redshift

  1. Connect to Redshift using the SQL client.
  2. Execute the following query to create a user to write the data (replace <password> with a password of your choice).
Create user
CREATE USER <username> PASSWORD '<password>';
Creating a user without a password.Role based auth does not require a password. You may create the user using CREATE USER <username> PASSWORD DISABLE;.
  1. Grant user create and temporary privileges on the database. create allows the service to create new schemas and temporary allows the service to create temporary tables.
Grant privileges
GRANT CREATE, TEMPORARY ON DATABASE <database> TO <username>;
The schema will be created during the first syncThe schema name supplied as part of Step 4 will be created during the first connection. It does not need to be created manually in the destination ahead of time.
If the schema already existsBy default, the service creates a new schema based on the destination configuration. If you prefer to create the schema yourself before connecting the destination, you must ensure that the writer user has the proper permissions on the schema, using GRANT ALL ON schema <schema> TO <username>;Once you’ve provided the GRANT ALL permission on the schema, you can safely remove the CREATE permission on the database (but you must retain the TEMPORARY permission on the database).
2

Whitelist connection

  1. In the Redshift console, click Workgroups, and make a note of the workgroup name.
  2. Select the workgroup you would like to connect.
  3. In the General information pane, make note of the Endpoint details. You may need to use the copy icon to copy the full details to discover the full endpoint and port number.
  1. Click the Properties tab.
  2. Scroll down to the Network and security settings section.
  3. In the VPC security group field, select a security group to open it.
  1. In the Security Groups window, click Inbound rules.
  2. Click Edit inbound rules.
  3. In the Edit the Inbound rules window, follow the steps below to create custom TCP rules for the static IP: a. Select Custom TCP in the drop-down menu. b. Enter your Redshift port number. (likely 5439) c. Enter the static IP. d. Click Add rule.
3

Create a staging bucket

Create staging bucket

  1. Navigate to the S3 service page.
  2. Click Create bucket.
  3. Enter a Bucket name and modify any of the default settings as desired. Note: Object Ownership can be set to “ACLs disabled” and Block Public Access settings for this bucket can be set to “Block all public access” as recommended by AWS. Make note of the Bucket name and AWS Region.
  4. Click Create bucket.

Create policy

  1. Navigate to the IAM service page, click on the Policies navigation tab, and click Create policy.
  2. Click the JSON tab, and paste the following policy, being sure to replace BUCKET_NAME with the name of the bucket chosen above, and REGION_NAME, ACCOUNT_ID, and WORKGROUP_NAME_OR_ID with the proper Redshift Serverless values.
    1. Note: the first bucket permission in the list applies to BUCKET_NAME whereas the second permission applies only to the bucket’s contents (BUCKET_NAME/*), an important distinction.
Access policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "redshift-serverless:GetCredentials"
            ],
            "Resource": [
                "arn:aws:redshift-serverless:REGION_NAME:ACCOUNT_ID:workgroup/WORKGROUP_NAME_OR_ID"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::BUCKET_NAME"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::BUCKET_NAME/*"
        }
    ]
}
  1. Click through to the Review step, choose a name for the policy, for example, transfer-service-policy (this will be referenced in the next step), add a description, and click Create policy.
4

Add your destination

Use the following details to complete the connection setup: username, host, database, workgroup, your chosen schema, IAM role ARN, and staging bucket details.

Permissions checklist

  • Redshift database user exists and has CREATE and TEMPORARY on the database. If you pre-created the schema, ensure GRANT ALL ON SCHEMA <schema> TO <username>.
  • IAM role trust policy allows us to assume the role.
  • IAM policy includes:
    • redshift-serverless:GetCredentials on your target workgroup ARN (Serverless uses workgroups, not clusters).
    • S3 ListBucket on arn:aws:s3:::BUCKET_NAME.
    • S3 GetObject, PutObject, DeleteObject on arn:aws:s3:::BUCKET_NAME/*.
  • Network allowlisting (if enforced) permits egress IP/CIDR for the Redshift port (typically 5439).

FAQ

We use role-based authentication with your AWS IAM Role. We assume your role to obtain short-lived database credentials and network access can be constrained by allowlisting the static egress IPs noted above.
Redshift’s high-throughput path loads data from S3 using COPY. We stage files briefly in your bucket to maximize throughput and reliability. Files are cleaned up after load. We require ListBucket to enumerate staged files and GetObject/PutObject/DeleteObject to write, read back, and delete staged files.
In Serverless, temporary database credentials are issued per workgroup. Granting this action on the target workgroup allows our assumed role to obtain ephemeral credentials for the database user without long-lived secrets, improving security and auditability.
These are identity claims used in the IAM trust policy when federating from GCP to AWS. sub uniquely identifies our Google principal in federation. oaud is an additional claim used to bind role assumption to your organization.
Common causes:
  • Missing or incorrect permission on redshift-serverless:GetCredentials (ensure it targets the correct workgroup ARN and region/account).
  • Trust policy mismatch (our principal isn’t permitted to assume your role).
  • Using a Cluster ARN or redshift:GetClusterCredentials instead of Serverless workgroup + redshift-serverless:GetCredentials.
  • Propagation delay: IAM changes can take a few minutes to apply. Retry after 5-10 minutes.
No. The schema provided in the destination configuration is created automatically on first sync. If you pre-create it, grant ALL on the schema to the writer user and you may remove the database-level CREATE permission (retain TEMPORARY).