Amazon Redshift
The Amazon Redshift connector for Rudol allows you to connect your Amazon Redshift data warehouse instances. Rudol supports two authentication methods:
- Username & password — simpler setup, recommended for getting started.
- AWS IAM — no database passwords required, recommended for production and enterprise environments.
Username & password
Connection parameters
| Name | Type | Description |
|---|---|---|
| host | text | Publicly accessible Amazon Redshift cluster hostname |
| port | number | Cluster port (default: 5439) — optional |
| user | text | Amazon Redshift username |
| password | password | Amazon Redshift user password |
| database | text | Amazon Redshift database you want to connect to |
User permissions
Create a dedicated user for Rudol with a strong password:
```sql
CREATE USER rudol_user WITH PASSWORD 'your-strong-password';
```
Then grant the minimum permissions needed. Replace the placeholders with your actual schema and database names:
```sql
-- Allow Rudol to read objects in your schema and build your Catalog
GRANT USAGE ON SCHEMA your_schema TO rudol_user;

-- Required to run Data Quality validations
GRANT SELECT ON ALL TABLES IN SCHEMA your_schema TO rudol_user;

-- Required to run Data Quality validations without locking tables
GRANT TEMPORARY ON DATABASE your_database TO rudol_user;

-- Allow Rudol to read more detailed information about your tables
GRANT SELECT ON SVV_TABLE_INFO TO rudol_user;
GRANT SELECT ON SVV_TABLES TO rudol_user;
GRANT SELECT ON SVV_COLUMNS TO rudol_user;
GRANT SELECT ON STL_QUERYTEXT TO rudol_user;
GRANT SELECT ON STL_DDLTEXT TO rudol_user;
GRANT SELECT ON STL_QUERY TO rudol_user;
```
Repeat each operation in the context of every database that should be ingested into Rudol.
AWS IAM authentication
With this method you won't need to share database credentials with Rudol. Instead, Rudol assumes an IAM role in your AWS account temporarily and in a controlled way.
Connection parameters
| Name | Type | Description |
|---|---|---|
| access_key | text | AWS IAM user Access Key ID |
| secret_access_key | password | AWS IAM user Secret Access Key |
| role_arn | text | ARN of the IAM role that Rudol will assume |
| host | text | Publicly accessible Amazon Redshift cluster hostname |
| port | number | Cluster port (default: 5439) — optional |
| database | text | Amazon Redshift database you want to connect to |
| region | text | AWS region where your cluster is deployed (e.g. us-east-1) |
| db_user | text | Database user that Rudol will impersonate (e.g. rudol_user) |
| external_id | text | External ID for cross-account role assumption — contact support to obtain it |
Setup guide
Follow the steps below to grant Rudol the necessary permissions to connect to your Redshift cluster securely.
Step 1 — Create a database user
Create a dedicated database user for Rudol without a password. This ensures that the only way to authenticate as this user is through IAM — no one can log in with a static credential.
```sql
CREATE USER rudol_user WITH PASSWORD DISABLE;
```
Then grant the user the minimum permissions needed. Replace the placeholders with your actual schema and database names:
```sql
-- Allow Rudol to read objects in your schema and build your Catalog
GRANT USAGE ON SCHEMA your_schema TO rudol_user;

-- Required to run Data Quality validations
GRANT SELECT ON ALL TABLES IN SCHEMA your_schema TO rudol_user;

-- Required to run Data Quality validations without locking tables
GRANT TEMPORARY ON DATABASE your_database TO rudol_user;

-- Allow Rudol to read more detailed information about your tables
GRANT SELECT ON SVV_TABLE_INFO TO rudol_user;
GRANT SELECT ON SVV_TABLES TO rudol_user;
GRANT SELECT ON SVV_COLUMNS TO rudol_user;
GRANT SELECT ON STL_QUERYTEXT TO rudol_user;
GRANT SELECT ON STL_DDLTEXT TO rudol_user;
GRANT SELECT ON STL_QUERY TO rudol_user;
```
The GRANT TEMPORARY permission is only required if you plan to use Data Quality features.
Step 2 — Create an IAM role for Redshift access
In your AWS account, create an IAM role that allows Rudol to generate temporary database credentials for your cluster.
Attach the following inline policy to the role. Replace the placeholders with your actual values:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "redshift:GetClusterCredentials",
      "Resource": [
        "arn:aws:redshift:REGION:ACCOUNT_ID:dbname:CLUSTER_NAME/DATABASE_NAME",
        "arn:aws:redshift:REGION:ACCOUNT_ID:dbuser:CLUSTER_NAME/rudol_user"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "redshift:DescribeClusters",
      "Resource": "arn:aws:redshift:REGION:ACCOUNT_ID:cluster:CLUSTER_NAME"
    }
  ]
}
```
Save the Role ARN (e.g. arn:aws:iam::123456789012:role/RedshiftAccessRole) — you will need it in Step 4.
Step 3 — Create an IAM user for Rudol
Create a dedicated IAM user (e.g. rudol-connector) in your AWS account. This user will hold the Access Key and Secret Key that you will share with Rudol.
Step 4 — Allow the IAM user to assume the role
Attach the following inline policy to the IAM user you just created. Replace the Resource value with the Role ARN saved in Step 2:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::123456789012:role/RedshiftAccessRole"
    }
  ]
}
```
Step 5 — Generate credentials
In the IAM console, generate an Access Key and Secret Key for the IAM user created in Step 3 and store them securely.
Step 6 — Obtain your External ID
The external_id is a unique identifier that Rudol uses to securely scope cross-account role assumptions.
To obtain your External ID, contact Rudol support.
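Before the access key is shared, the policies from Steps 2 and 4 can be checked for scope creep. The following is an added example, not Rudol's code: `audit_policy` flags extra actions, wildcard resources and a `dbuser` resource other than `rudol_user`, while `audit_trust` assumes the role's trust policy (not shown on this page) is where the External ID is enforced, through the `sts:ExternalId` condition key. The function names, the cluster name `demo` and the database name `analytics` are constructed for illustration.

```python
EXPECTED = {"redshift:GetClusterCredentials", "redshift:DescribeClusters",
            "sts:AssumeRole"}  # exact match, so wildcards like redshift:* fail

def as_list(value):
    # IAM accepts a single value or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]

def audit_policy(policy, db_user="rudol_user"):
    """Findings for a Step 2 or Step 4 policy; an empty list means clean."""
    findings = []
    for n, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {n}: NotAction/NotResource in an Allow")
            continue
        actions, resources = as_list(stmt["Action"]), as_list(stmt["Resource"])
        findings += [f"statement {n}: unexpected action {a}"
                     for a in actions if a not in EXPECTED]
        findings += [f"statement {n}: wildcard resource {r}"
                     for r in resources if "*" in r]
        if "redshift:GetClusterCredentials" in actions:
            # dbuser ARN: arn:aws:redshift:REGION:ACCOUNT_ID:dbuser:CLUSTER/USER
            users = [r.rsplit("/", 1)[-1] for r in resources
                     if r.split(":")[5:6] == ["dbuser"]]
            if users != [db_user]:
                findings.append(f"statement {n}: dbuser scope {users}")
    return findings

def audit_trust(trust, external_id):
    """Findings for the role's trust policy (assumed; not shown on the page)."""
    findings = []
    for n, stmt in enumerate(as_list(trust["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if "*" in as_list(aws):
            findings.append(f"trust statement {n}: any principal may assume")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            findings.append(f"trust statement {n}: sts:ExternalId not required")
    return findings

# Constructed sample: Step 2's policy with the dbuser widened to every user.
LOOSE_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "redshift:GetClusterCredentials",
    "Resource": ["arn:aws:redshift:us-east-1:123456789012:dbname:demo/analytics",
                 "arn:aws:redshift:us-east-1:123456789012:dbuser:demo/*"]}]}
print(audit_policy(LOOSE_ROLE_POLICY))
```

Pass the External ID you receive from Rudol support as `external_id`; a `dbuser` resource ending in `/*` would let the role request temporary credentials for any database user on the cluster, not only `rudol_user`.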
Restrict connections by IP address
You can restrict your Redshift cluster's security group to only accept incoming connections from the Rudol public IP address: 52.6.101.83.