Redshift Bulk Upload - Cross Account IAM role support?

Question

Our SnapLogic snaplex node resides in AWS Account A.
Our Redshift cluster and S3 bucket reside in AWS Account B.
I configured the IAM roles as follows:

AWS Account B - created an IAM role that trusts Account A and allows s3::GetObject, s3::PutObject, and s3::DeleteObject on the S3 bucket in Account B.
AWS Account A - created an IAM role that’s attached to the ec2 instance that hosts the Snaplogic snaplex node. This IAM role is allowed to assume the role created in #1 (above).
AWS Account B - created another IAM role that allows s3::GetObject, s3::PutObject, and s3::DeleteObject on the S3 bucket in Account B. This role is attached to the Redshift cluster.

The Redshift Cross-Account IAM Role Account is configured as follows:

Account properties/Cross-Account IAM Role ARN (writing to Bucket) is configured with the arn for the IAM role created in #1 (above).
IAM properties (Redshift Cluster)/IAM role name is configured with the role name for the IAM role created in #3 (above).
Cross-Account IAM properties (S3 Bucket) is configured with the arn for the IAM role created in #1 (above).

The Redshift Bulk Upsert snap is configured with ‘IAM role’ checked.
When executing the pipeline with the Redshift Bulk Upsert snap I can see that data is written to S3, and then the snap fails with an error that states that the Redshift user is not authorized to assume the IAM roles (#1 and #3 from above).
User arn:aws:redshift:region:accountb:db_user:redshift/user is not authorized to assume IAM Role arn:aws:iam::accountb:role/role_3,arn:aws:iam::acountb:role/role_1
Even though best practice would be for the Redshift cluster and the S3 bucket to be in the same AWS account, does SnapLogic’s cross account IAM role support allow for the Redshift cluster and the S3 bucket to reside in different AWS accounts?
If so, is this why the Redshift user is attempting to assume the IAM role even though the Redshift cluster and the S3 bucket reside in the same AWS account and the IAM role is already attached to the Redshift cluster?
https://docs-snaplogic.atlassian.net/wiki/spaces/SD/pages/1246956316/Configuring+Cross+Account+IAM+Role+Support

mbowen · Answer

Hi @PSAmmirata :
Could you please create a support ticket for this. You write with such great detail that you can copy and paste this text “as is”. I think there is an issue here with our snaps. Another customer is having a similar issue.
They are getting a similar auth error which is happening when executing the Redshift COPY sql which sources from S3. I suspect the CREDENTIALS clause (aws_iam_role=) and something with our AWS role plumbing.
It would be great to link your ticket to this ticket. A support ticket has a bit more visibility for you, and ensures more dev cycles too.
Maybe, your other community post hints at getting to the bottom of this issue. It has been answered, but we could supply more details too.

psammirata · Answer

Thanks @mbowen - I’ve opened Request #42671

mbowen · Answer

Thanks @PSAmmirata . Your support ticket has been linked to the other ticket I referred to. Hopefully, resolved very soon.

Forum Discussion

Redshift Bulk Upload - Cross Account IAM role support?

3 Replies

Recent Discussions

Ingesting Data into Veeva Vault CRM via SnapLogic – Alternatives to SFDC Snaps

SFTP: Worked ok then settings changed not not working

SQS Consumer snap is ready all message at pipeline startup

Salesforce Update REST API Throughput

Using Windows Authentication with SQL Server Accounts