英文:
StepFunctions not getting permission on Redshift schema
问题
我正在开发一个简单的StepFunction状态机,它调用一个Redshift存储过程,并在完成后调用一个Lambda函数。我为StepFunction状态机创建了一个IAM角色,其中包含"AmazonRedshiftDataFullAccess"权限,稍后还添加了一个自定义权限,授予了所有Redshift操作的权限。
然而,当执行状态机并调用DescribeStatement时,我总是收到相同的错误消息:
"错误":"ERROR: 对模式mis的权限被拒绝",
让我不太清楚的是:IAM权限是否足以在任何模式上调用Redshift存储过程?我是否需要直接在Redshift上授予附加权限,以使此IAM角色具备必要的权限?
状态机:
ExecuteStatement步骤的定义:
{
"Type": "Task",
"Parameters": {
"ClusterIdentifier": "redshift-cluster",
"Database": "prod",
"Sql": "CALL mis.myproc();"
},
"Resource": "arn:aws:states:::aws-sdk:redshiftdata:executeStatement",
"TimeoutSeconds": 1200,
"Next": "Wait"
}
ExecuteStatement步骤的输出:
{
"ClusterIdentifier": "redshift-cluster",
"CreatedAt": "2023-07-17T23:44:19.840Z",
"Database": "prod",
"DbUser": "IAMR:StepFunctions-stepfunc-load-arvore-distribuicao-role-eed3bb05",
"Id": "b47c89f9-ffba-4620-b027-f59e6cbb095c"
}
DescribeStatement步骤的输出:
{
"ClusterIdentifier": "redshift-cluster",
"CreatedAt": "2023-07-17T23:44:19.840Z",
"Duration": -1,
"Error": "ERROR: 对模式mis的权限被拒绝",
"HasResultSet": false,
"Id": "b47c89f9-ffba-4620-b027-f59e6cbb095c",
"QueryString": "CALL mis.proc_arvore_decisao_join();",
"RedshiftPid": 1073742125,
"RedshiftQueryId": -1,
"ResultRows": -1,
"ResultSize": -1,
"Status": "FAILED",
"UpdatedAt": "2023-07-17T23:44:20.981Z"
}
我理解使用"AmazonRedshiftDataFullAccess"权限,状态机应该能够动态创建用户并访问Redshift资源。我缺少了什么?
更新1:我发现需要在Redshift中创建一个名为redshift_data_api_user的用户,以使redshift:GetClusterCredentials与AmazonRedshiftDataFullAccess一起工作,因为它定义了这个用户名。我已在Redshift中创建了这个用户(禁用了密码),并授予了在Redshift中的USAGE和EXECUTE权限,但仍然出现相同的错误。
英文:
I'm developing a simple StepFunction state machine that calls a Redshift procedure and, when completed, calls a Lambda function. I created an IAM Role for the StepFunction state machine which contains "AmazonRedshiftDataFullAccess" and, later on, a custom permission that grants all Redshift actions.
Nonetheless, when execution the state machine and calling DescribeStatement, I always get the same error:
"Error": "ERROR: permission denied for schema mis",
What is not clear to me is: should the IAM permissions be enough to call a Redshift procedure on any schema? Do I have to grant any additional permission directly on Redshift to allow this IAM Role to have the necessary rights?
State machine:
Defitinion of ExecuteStatement step:
{
"Type": "Task",
"Parameters": {
"ClusterIdentifier": "redshift-cluster",
"Database": "prod",
"Sql": "CALL mis.myproc();"
},
"Resource": "arn:aws:states:::aws-sdk:redshiftdata:executeStatement",
"TimeoutSeconds": 1200,
"Next": "Wait"
}
Output of ExecuteStatement step:
{
"ClusterIdentifier": "redshift-cluster",
"CreatedAt": "2023-07-17T23:44:19.840Z",
"Database": "prod",
"DbUser": "IAMR:StepFunctions-stepfunc-load-arvore-distribuicao-role-eed3bb05",
"Id": "b47c89f9-ffba-4620-b027-f59e6cbb095c"
}
Output of DescribeStatement step:
{
"ClusterIdentifier": "redshift-cluster",
"CreatedAt": "2023-07-17T23:44:19.840Z",
"Duration": -1,
"Error": "ERROR: permission denied for schema mis",
"HasResultSet": false,
"Id": "b47c89f9-ffba-4620-b027-f59e6cbb095c",
"QueryString": "CALL mis.proc_arvore_decisao_join();",
"RedshiftPid": 1073742125,
"RedshiftQueryId": -1,
"ResultRows": -1,
"ResultSize": -1,
"Status": "FAILED",
"UpdatedAt": "2023-07-17T23:44:20.981Z"
}
I understand that with AmazonRedshiftDataFullAccess the state machine should be able to "create" a user on the fly and access Redshift resources. What am I missing?
Update 1: I found out a need a redshift_data_api_user user created in Redshift in order to redshift:GetClusterCredentials work with AmazonRedshiftDataFullAcess, as it defines this username. Created the user (disabled password) with USAGE and EXECUTE grants in Redshift, but the same error remains.
答案1
得分: 1
所以,在一些调查之后,我让这个工作起来了。需要考虑的相关要点如下:
- 将AmazonRedshiftDataFullAccess策略附加到Step Functions State Machine时,StepFunctions会默认创建一个用户在Redshift集群中("IAMR:
")。解决问题的一种方法是直接在Redshift中为这个用户提供适当的权限。需要注意的是,可以在与状态机关联的角色中使用RedshiftDbUser标记来重写角色名称,此时名称将变为"IAMR: " - 另一种可能性(我使用的方式)是在Redshift ExecuteStatement步骤中定义一个DbUser属性。必须存在一个允许从Redshift获取集群凭据到指定用户的策略,以便可以为其创建临时凭据。默认情况下,AmazonRedshiftFullDataAccess策略包括在GetClusterCredentials中的redshift_data_api_user。如果您想要使用另一个用户名,您需要创建一个自定义策略(并确保有一个具有适当权限的Redshift用户)。
希望这有所帮助!
英文:
So, after some digging I got this working. Relevant points to take into consideration:
- With AmazonRedshiftDataFullAccess policy attached to the Step Functions State Machine, StepFunctions will create a user in Redshift cluster ("IAMR:<role-name>") by default. One way to solve the problem is giving this user the appropriate permissions directly in Redshift. Important to note that the role name can be overriden using the RedshiftDbUser tag in the role associated with the state machine, in which case the name will become "IAMR:<tag-value>"
- Another possibility (the one I used) is to define in the Redshift ExecuteStatement step a DbUser property. A policy that allows GetClusterCredentials from Redshift to the specified user must be present so Temporary Credentials can be created to it. By default, policy AmazonRedshiftFullDataAccess includes redshift_data_api_user in the GetClusterCredentials. If you want to use another username you need to create a custom policy (and assure there is a Redshift user with proper permissions).
Hope this helps!
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论