Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.iru.com/llms.txt

Use this file to discover all available pages before exploring further.

About Amazon Redshift Data API

The Data API exposes statement, database, schema, and table listings without JDBC shells. Iru needs redshift-data: read actions plus redshift:DescribeClusters for provisioned clusters and redshift-serverless:List* helpers when workgroups are in scope. AmazonRedshiftDataFullAccess is convenient but includes ExecuteStatement; prefer the inline policy below for least privilege.

How it works

DetailValue
CategoryDatabases
AuthenticationCross-account IAM role

Prerequisites

  • IAM rights to create roles in the account that owns Redshift resources.

Connect Amazon Redshift Data to Iru

Copy the trust policy from Iru

1

Open Sources

In Iru Compliance, on the left navigation bar, expand Compliance and select Sources.
Left navigation: Compliance expanded, Sources selected
2

Turn on Amazon Redshift Data

Find Amazon Redshift Data (use Category or Search by name or description). On that card, turn on the toggle. Leave the wizard tab open.
3

Copy the trust policy JSON

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::753695775620:role/IruConnect"
      },
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Create the IAM role in AWS

1

Start Create role

Open IAMRolesCreate role.
2

Configure trusted entity

Choose AWS accountAnother AWS account. Enter 753695775620 (or the ID Iru shows). Enable Require external ID and paste the external ID from Iru.
3

Attach the recommended inline policy

Attach this inline policy (recommended over AmazonRedshiftDataFullAccess for least privilege):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "redshift-data:DescribeStatement",
        "redshift-data:DescribeTable",
        "redshift-data:GetStatementResult",
        "redshift-data:ListDatabases",
        "redshift-data:ListSchemas",
        "redshift-data:ListStatements",
        "redshift-data:ListTables"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "redshift:DescribeClusters",
        "redshift-serverless:ListNamespaces",
        "redshift-serverless:ListWorkgroups"
      ],
      "Resource": "*"
    }
  ]
}
4

Name the role and copy the ARN

Name the role, create it, and copy the Role ARN.

Submit the role ARN in Iru

1

Paste the IAM Role ARN

Paste the Role ARN into the connector where the wizard prompts for it.
2

Confirm the source is Active

Submit until Amazon Redshift Data reads Active.

Troubleshooting

Check pop-up blocker settings for the Iru site and try again.
Required when resolving cluster IDs - add the redshift: statement block.
Extend with redshift-serverless:Get* per Amazon Redshift Serverless.
External ID mismatch.

See also