How can I disable temporary credentials access while using query editor in Amazon Redshift?

Last updated: 2022-12-12

I don't want users connecting to the Amazon Redshift query editor using temporary credentials. How can I disable temporary credentials access to the query editor?

Short description

You can connect to an Amazon Redshift cluster with the query editor using:

AWS Secrets Manager.

-or-

AWS Identity and Access Management (IAM) temporary credentials.

For more information, see Connecting with the query editor.

Resolution

Follow these instructions to create an IAM policy to restrict access to the query editor with temporary credentials.

1.    Open the IAM console.

2.    If you haven't already done so, create an IAM user.

3.    In the navigation pane, choose Users.

4.    In User name, choose the IAM user that you want to use to prevent access to the query editor.

5.    Choose the Permissions tab, and then choose Add inline policy.

6.    Choose the JSON policy tab, and then paste the following policy:

Note: Replace region, account ID, cluster name, db-name, db-group, and db-user with your own values.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Deny",
      "Action": "redshift:GetClusterCredentials",
      "Resource": [
        "arn:aws:redshift:<region>:<account ID>:cluster:<cluster name>",
        "arn:aws:redshift:<region>:<account ID>:dbname:<cluster name>/<db-name>",
        "arn:aws:redshift:<region>:<account ID>:dbgroup:<cluster name>/<db-group>",
        "arn:aws:redshift:<region>:<account ID>:dbuser:<cluster name>/<db-user>"
      ]
    }
  ]
}

7.    Choose Review policy.

8.    For Name, enter a name for the policy, and then choose Create policy.
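As an added illustration of the procedure above (this is not AWS's own code), the following Python builds the same explicit-Deny policy from your values, validates each Redshift ARN's shape before you paste it into the console, and evaluates locally whether a given redshift:GetClusterCredentials request would hit the Deny. The region, account ID, cluster, database, group, and user names in the example are constructed placeholders, and the local evaluator models only the explicit-deny step of IAM policy evaluation.

```python
"""Generate and locally check the Redshift GetClusterCredentials Deny policy.

Added example, not AWS documentation code. All account, cluster and
database identifiers used here are constructed placeholders.
"""
import fnmatch
import json
import re

# Shape of the four Redshift resource ARNs the policy lists. Note the colon
# that must follow the account ID before the resource type.
ARN_RE = re.compile(
    r"^arn:aws:redshift:[a-z0-9-]+:\d{12}:(cluster|dbname|dbgroup|dbuser):[^:]+$"
)


def deny_policy(region, account_id, cluster, db_name, db_group, db_user):
    """Return the explicit-Deny policy as a dict, with every ARN validated."""
    prefix = f"arn:aws:redshift:{region}:{account_id}"
    resources = [
        f"{prefix}:cluster:{cluster}",
        f"{prefix}:dbname:{cluster}/{db_name}",
        f"{prefix}:dbgroup:{cluster}/{db_group}",
        f"{prefix}:dbuser:{cluster}/{db_user}",
    ]
    for arn in resources:
        if not ARN_RE.match(arn):
            raise ValueError(f"malformed Redshift ARN: {arn}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyTemporaryCredentials",
                "Effect": "Deny",
                "Action": "redshift:GetClusterCredentials",
                "Resource": resources,
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_explicitly_denied(policy, action, resource_arn):
    """True if any Deny statement matches both the action and the resource.

    IAM treats '*' and '?' as wildcards in Action and Resource, which fnmatch
    reproduces for these patterns. Action names compare case-insensitively,
    resource ARNs case-sensitively. An Allow elsewhere cannot override an
    explicit Deny, so this is the check that decides the outcome here.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        action_hit = any(
            fnmatch.fnmatchcase(action.lower(), a.lower())
            for a in _as_list(stmt["Action"])
        )
        resource_hit = any(
            fnmatch.fnmatchcase(resource_arn, r)
            for r in _as_list(stmt["Resource"])
        )
        if action_hit and resource_hit:
            return True
    return False


if __name__ == "__main__":
    # Constructed placeholder values; substitute your own.
    policy = deny_policy(
        "us-east-1", "123456789012", "demo-cluster", "dev", "analysts", "alice"
    )
    print(json.dumps(policy, indent=2))
    target = "arn:aws:redshift:us-east-1:123456789012:dbuser:demo-cluster/alice"
    print(is_explicitly_denied(policy, "redshift:GetClusterCredentials", target))
```

Two things the local check makes visible: a placeholder that breaks the ARN shape (for example an account ID that is not 12 digits, or a missing colon before the resource type) is rejected before it reaches the console, and the Deny is scoped to exactly the names you list, so a request for a different database user on the same cluster does not match this statement. If the intent is to block temporary credentials for every user on the cluster, widen the dbuser, dbgroup and dbname ARNs with a `*` segment rather than enumerating each name.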

When this IAM user attempts to access the query editor with temporary credentials, the attempt fails with an error similar to the following:

"Databases couldn't be listed".

For more information, see Create an IAM role or user with permissions to call GetClusterCredentials.