07-30-2021 12:45 PM
Our SnapLogic snaplex node resides in AWS Account A.
Our Redshift cluster and S3 bucket reside in AWS Account B.
I configured the IAM roles as follows:
The Redshift Cross-Account IAM Role Account is configured as follows:
The Redshift Bulk Upsert snap is configured with ‘IAM role’ checked.
When executing the pipeline with the Redshift Bulk Upsert snap I can see that data is written to S3, and then the snap fails with an error that states that the Redshift user is not authorized to assume the IAM roles (#1 and #3 from above).
User arn:aws:redshift:region:accountb:db_user:redshift/user is not authorized to assume IAM Role arn:aws:iam::accountb:role/role_3,arn:aws:iam::acountb:role/role_1
Even though best practice would be for the Redshift cluster and the S3 bucket to be in the same AWS account, does SnapLogic’s cross account IAM role support allow for the Redshift cluster and the S3 bucket to reside in different AWS accounts?
If so, is this why the Redshift user is attempting to assume the IAM role even though the Redshift cluster and the S3 bucket reside in the same AWS account and the IAM role is already attached to the Redshift cluster?
07-30-2021 02:08 PM
Hi @PSAmmirata:
Could you please create a support ticket for this? You write with such great detail that you can copy and paste this text “as is”. I think there is an issue here with our snaps. Another customer is having a similar issue.
They are getting a similar auth error, which happens when executing the Redshift COPY SQL that sources from S3. I suspect the CREDENTIALS clause (aws_iam_role=) and something with our AWS role plumbing.
It would be great to link your ticket to this ticket. A support ticket has a bit more visibility for you, and ensures more dev cycles too.
Maybe your other community post hints at getting to the bottom of this issue. It has been answered, but we could supply more details too.
08-02-2021 06:36 AM
Thanks @mbowen - I’ve opened Request #42671
08-02-2021 09:42 AM
Thanks @PSAmmirata. Your support ticket has been linked to the other ticket I referred to. Hopefully it will be resolved very soon.