How to set up Amazon Redshift

Grant Redshift permissions

For all of the supported authentication mechanisms, you must first grant permissions on Redshift.

Create Redshift group and user

To create a Redshift group and user, run the following commands:

CREATE GROUP atlan_users;
CREATE USER atlan_user password '<pass>' IN GROUP atlan_users;

• Replace <pass> with the password for the atlan_user being created.

Grant required permissions to group

To grant the minimum required permissions, run the following commands:

GRANT temp ON DATABASE <database_name> TO GROUP atlan_users;
GRANT usage ON schema <schema_name> TO GROUP atlan_users;
GRANT SELECT ON ALL TABLES IN SCHEMA <schema_name> TO GROUP atlan_users;
GRANT SELECT ON pg_catalog.svv_table_info TO GROUP atlan_users;
GRANT SELECT ON pg_catalog.svv_external_tables TO GROUP atlan_users;
GRANT SELECT ON pg_catalog.svv_redshift_databases TO GROUP atlan_users;
GRANT SELECT ON pg_catalog.svv_all_schemas TO GROUP atlan_users;
GRANT SELECT ON pg_catalog.svv_all_columns TO GROUP atlan_users;

• Replace <database_name> with the name of the database to crawl.
• Replace <schema_name> with the name of the schema to crawl.

The permissions are used for the following:

• SVV_TABLE_INFO is used to obtain information on the table ID to table/schema/database relation.
• SVV_EXTERNAL_TABLES is used to obtain information on external tables.

Grant additional permissions for query history mining

To grant the additional permissions needed to mine query history, run the following commands:

GRANT SELECT on pg_catalog.stl_ddltext to GROUP atlan_users;
GRANT SELECT on pg_catalog.stl_query to GROUP atlan_users;
GRANT SELECT on pg_catalog.stl_connection_log to GROUP atlan_users;
GRANT SELECT on pg_catalog.stl_undone to GROUP atlan_users;
GRANT SELECT on pg_catalog.stl_insert to GROUP atlan_users;
GRANT SELECT on pg_catalog.svl_statementtext to GROUP atlan_users;
ALTER USER atlan_user SYSLOG ACCESS UNRESTRICTED;

The additional permissions are used for the following:

• STL_DDLTEXT is used for DDL queries.
• STL_QUERY is used for DML and regular queries.
• STL_CONNECTION_LOG is used to obtain the session ID that a query is part of.
• STL_UNDONE is used to obtain information about transactions that have been undone or rolled back.
• STL_INSERT is used to obtain the table ID used in the insert queries.
• SVL_STATEMENTTEXT is used to obtain the query text for all queries.
• SYSLOG ACCESS UNRESTRICTED is used to access all queries performed by any user in the system tables above.

To use basic authentication, your setup is now complete. To configure IAM-based authentication, you need to continue with the following steps.

(Optional) Create IAM policy

All IAM-based authentication mechanisms require an IAM policy to be created.

To create an IAM policy with the necessary permissions follow the steps in the AWS Identity and Access Management User Guide.

Create the policy using the following JSON:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "redshift:GetClusterCredentials"
      ],
      "Resource": [
        "arn:aws:redshift:<region>:<account_id>:dbuser:<redshift_cluster_identifier>/atlan_user",
        "arn:aws:redshift:<region>:<account_id>:dbname:<redshift_cluster_identifier>/<database>"
      ]
    }
  ]
}

• Replace <region> with the AWS region of your Redshift instance.
• Replace <account_id> with your account ID.
• Replace <redshift_cluster_identifier> with your Redshift cluster identifier.
• Replace <database> with the name of the Redshift database.

(Optional) Choose IAM-based authentication mechanism

Using the policy created above, configure one of the following options for authentication.

User-based authentication

To configure user-based authentication:

1. Create an AWS IAM user by following the steps in the AWS Identity and Access Management User Guide.
2. On the Set permissions page, attach the policy created in the previous step to this user.
3. Once the user is created, view or download the user's access key ID and secret access key.
   🚨 Careful! This will be your only opportunity to view or download the access keys. You will not have access to them again after leaving the user creation screen.

Role-based authentication

To configure role-based authentication attach the policy created in the previous step to the EC2 role that Atlan uses for its EC2 instances in the EKS cluster. Please raise a support ticket to use this option.

Role delegation-based authentication

To configure role delegation-based authentication:

1. Raise a support ticket to get the ARN of the Node Instance Role for your Atlan EKS cluster.
2. Create a new role in your AWS account by following the steps in the AWS Identity and Access Management User Guide.
   1. When prompted for policies, attach the policy created in the previous step to this role.
   2. When prompted, create a trust relationship for the role using the following trust policy. (Replace <atlan_nodeinstance_role_arn> with the ARN received from Atlan support.)
      

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "AWS": "<atlan_nodeinstance_role_arn>"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
          }
        ]
      }

3. Raise another support ticket with the ID of the AWS account where the role above was created.