AWS Redshift COPY with iam_role

Question

I have been using Redshift for a while using AWS Key ID and AWS Secret Key and learned that I can use IAM Role instead so I tried this sample COPY command:

copy users from 's3://awssampledbuswest2/tickit/allusers_pipe.txt'
credentials 'aws_iam_role=arn:aws:iam::xxxxxxxxxxx:role/aws-service-role/redshift.amazonaws.com/AWSServiceRoleForRedshift' delimiter '|' region 'us-west-2';

But this resulted in the following error:

S3ServiceException:Access Denied,Status 403,Error AccessDenied,Rid 52F83B8923B08731,ExtRid uNsiJ1Xjk2WVufRo8/kfa7AxD1l82g7Dee35qr3TdhrFidpGoUSJiAx5yG7lh/gRKqG7Mkd1Tp4=,CanRetry 1

Not so sure how I can fix this in this. Given the error message, I am guessing I don't have the access permission of the S3 file which I should be able to fix by adding another role for the access? But isn't that supposed to be open to anyone?

Any help will be appreciated.

Answer 1

The S3ServiceException:Access Denied error is indicating that the Role does not have sufficient permissions to access Amazon S3.

Start by creating a normal IAM Role ( not a Service-Linked Role ).

Then, assign permissions to the Role for ListBucket and GetObject on the desired bucket, such as:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::my-bucket"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::my-bucket/*"]
    }
  ]
}