This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forย 
Search instead forย 
Did you mean:ย 

Redshift Bulk Upload - Cross Account IAM role support?

PSAmmirata
Employee
Employee

โ€Ž07-30-2021 12:45 PM

Our SnapLogic snaplex node resides in AWS Account A.
Our Redshift cluster and S3 bucket reside in AWS Account B.

I configured the IAM roles as follows:

  1. AWS Account B - created an IAM role that trusts Account A and allows s3::GetObject, s3::PutObject, and s3::DeleteObject on the S3 bucket in Account B.
  2. AWS Account A - created an IAM role thatโ€™s attached to the ec2 instance that hosts the Snaplogic snaplex node. This IAM role is allowed to assume the role created in #1 (above).
  3. AWS Account B - created another IAM role that allows s3::GetObject, s3::PutObject, and s3::DeleteObject on the S3 bucket in Account B. This role is attached to the Redshift cluster.

The Redshift Cross-Account IAM Role Account is configured as follows:

  1. Account properties/Cross-Account IAM Role ARN (writing to Bucket) is configured with the arn for the IAM role created in #1 (above).
  2. IAM properties (Redshift Cluster)/IAM role name is configured with the role name for the IAM role created in #3 (above).
  3. Cross-Account IAM properties (S3 Bucket) is configured with the arn for the IAM role created in #1 (above).

The Redshift Bulk Upsert snap is configured with โ€˜IAM roleโ€™ checked.

When executing the pipeline with the Redshift Bulk Upsert snap I can see that data is written to S3, and then the snap fails with an error that states that the Redshift user is not authorized to assume the IAM roles (#1 and #3 from above).

User arn:aws:redshift:region:accountb:db_user:redshift/user is not authorized to assume IAM Role arn:aws:iam::accountb:role/role_3,arn:aws:iam::acountb:role/role_1

Even though best practice would be for the Redshift cluster and the S3 bucket to be in the same AWS account, does SnapLogicโ€™s cross account IAM role support allow for the Redshift cluster and the S3 bucket to reside in different AWS accounts?

If so, is this why the Redshift user is attempting to assume the IAM role even though the Redshift cluster and the S3 bucket reside in the same AWS account and the IAM role is already attached to the Redshift cluster?

https://docs-snaplogic.atlassian.net/wiki/spaces/SD/pages/1246956316/Configuring+Cross+Account+IAM+R...

0 Kudos
3 REPLIES 3

mbowen
Employee
Employee

โ€Ž07-30-2021 02:08 PM

Hi @PSAmmirata :

Could you please create a support ticket for this. You write with such great detail that you can copy and paste this text โ€œas isโ€. I think there is an issue here with our snaps. Another customer is having a similar issue.

They are getting a similar auth error which is happening when executing the Redshift COPY sql which sources from S3. I suspect the CREDENTIALS clause (aws_iam_role=) and something with our AWS role plumbing.

It would be great to link your ticket to this ticket. A support ticket has a bit more visibility for you, and ensures more dev cycles too.

Maybe, your other community post hints at getting to the bottom of this issue. It has been answered, but we could supply more details too.

0 Kudos

PSAmmirata
Employee
Employee

โ€Ž08-02-2021 06:36 AM

Thanks @mbowen - Iโ€™ve opened Request #42671

0 Kudos

mbowen
Employee
Employee
In response to PSAmmirata

โ€Ž08-02-2021 09:42 AM

Thanks @PSAmmirata . Your support ticket has been linked to the other ticket I referred to. Hopefully, resolved very soon.

0 Kudos