Skip to main content

About Amazon Redshift Data API

The Data API exposes statement, database, schema, and table listings without JDBC shells. Iru needs redshift-data: read actions plus redshift:DescribeClusters for provisioned clusters and redshift-serverless:List* helpers when workgroups are in scope. AmazonRedshiftDataFullAccess is convenient but includes ExecuteStatement; prefer the inline policy below for least privilege.

How It Works

Iru runs in its own AWS account. To call the Redshift Data API on your behalf, you create an IAM role in your AWS account with two parts: a trust policy that allows Iru’s principal to call sts:AssumeRole, gated by the External ID from the wizard, and a permissions policy with read-only redshift-data: actions (plus the supporting redshift: / redshift-serverless: calls the connector needs, as in the inline example on the AWS tab). You then paste the role’s ARN back into Iru.
DetailValue
CategoryDatabases
AuthenticationCross-account IAM role

Prerequisites

  • IAM rights to create roles in the account that owns Redshift resources.

Connect Amazon Redshift Data to Iru

Start here: open the source wizard and copy the trust policy (and note the external ID). When you are ready to create the role in AWS, switch to the AWS tab and follow Create the IAM role. After you have the Role ARN, return to the Iru Compliance tab and complete Submit the role ARN in Iru below.

Get the trust policy from Iru

1

Open Sources

In Iru Compliance, on the left navigation bar, expand Compliance and select Sources.
Left navigation: Compliance expanded, Sources selected
2

Turn on Amazon Redshift Data

Find Amazon Redshift Data (use Category or Search by name or description). On that card, turn on the toggle. Leave the Iru is requesting access to external services wizard tab open.
3

Copy the trust policy JSON

The wizard shows the trust policy JSON your IAM role must use (Principal and sts:ExternalId). Below is an example of the structure; copy the live JSON from your wizard so the account, principal ARN, and external ID match exactly.
copy=false
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::753695775620:role/IruConnect"
      },
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
4

Switch to AWS to create the role

Keep the Iru wizard tab open for reference, then switch to the AWS tab and follow Create the IAM role.

Submit the role ARN in Iru

Finish the AWS tab first (through Create the IAM role) so you have the Role ARN from the new role.
1

Paste the IAM Role ARN

Return to the Iru wizard tab. Paste the Role ARN where the connector prompts for it.
2

Finish the connection

Click Submit Role. When the connection succeeds, the wizard shows Connection Configured.
3

Confirm the source is Active

Close the Iru is requesting access to external services browser tab, then return to ComplianceSources and confirm the Amazon Redshift Data card is Active.

Troubleshooting

Check pop-up blocker settings for the Iru site and try again.
Required when resolving cluster IDs - add the redshift: statement block.
Extend with redshift-serverless:Get* per Amazon Redshift Serverless.
External ID mismatch.

AWS Redshift

Connect and manage the related source in Compliance.

Amazon Redshift Serverless

Connect and manage the related source in Compliance.

Sources Management

Browse and manage every Compliance source.

Getting Started With Compliance

Frameworks, actions, and Artifacts.