我已经创建了一个无服务器 Redshift 实例,并且正在尝试从 S3 存储桶导入 CSV 文件。
我创建了一个具有完整 Redshift + Redshift 无服务器访问权限和 S3 读取访问权限的 IAM 角色,并在无服务器配置的权限设置下添加了此角色作为默认角色。基本上,我已经尝试根据文档做任何我认为应该必要的事情。
但是,这些文档目前仅针对正常的 EC2 托管 Redshift,而不是针对无服务器版本,因此可能有一些我忽略的内容。
但是当我尝试运行 COPY 命令(由 UI 生成)时,我收到此错误:
ERROR: Not authorized to get credentials of role arn:aws:iam::0000000000:role/RedshiftFull Detail: ----------------------------------------------- error: Not authorized to get credentials of role arn:aws:iam::00000000:role/RedshiftFull code: 30000 context: query: 18139 location: xen_aws_credentials_mgr.cpp:402 process: padbmaster [pid=8791] ----------------------------------------------- [ErrorId: 1-61dc479b-570a4e96449b228552f2c911]
这是我尝试运行的命令:
COPY dev."test-schema"."transactions" FROM 's3://bucket-name/something-1_2021-11-01T00_00_00.000Z_2022-01-03.csv' IAM_ROLE 'arn:aws:iam::0000000:role/RedshiftFull' FORMAT AS CSV DELIMITER ',' QUOTE '"' REGION AS 'eu-central-1'
这是角色
{
"Role": {
"Path": "/",
"RoleName": "RedshiftFull",
"RoleId": "AROA2PAMxxxxxxx",
"Arn": "arn:aws:iam::000000000:role/RedshiftFull",
"CreateDate": "2022-01-10T13:55:03+00:00",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"redshift.amazonaws.com",
"sagemaker.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
},
"Description": "Allows Redshift clusters to call AWS services on your behalf.",
"MaxSessionDuration": 3600,
"RoleLastUsed": {}
}
}
{
"AttachedPolicies": [
{
"PolicyName": "redshift-serverless",
"PolicyArn": "arn:aws:iam::719432241830:policy/redshift-serverless"
},
{
"PolicyName": "AmazonRedshiftFullAccess",
"PolicyArn": "arn:aws:iam::aws:policy/AmazonRedshiftFullAccess"
},
{
"PolicyName": "AmazonS3ReadOnlyAccess",
"PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
}
]
}
redshift-serverless
政策在这里:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "redshift-serverless:*",
"Resource": "*"
}
]
}
我也有同样的问题。打开了一个支持案例,但一些AWS支持工程师并不真正了解Redshift无服务器的来龙去脉,这是可以理解的。无服务器==黑盒。没有人知道里面发生了什么。
就我而言,放置
"redshift-serverless.amazonaws.com"
也不起作用。根本原因是我在可信实体中有“条件”:
"Condition": {
"StringLike": {
"sts:ExternalId": [
"arn:aws:redshift:<region>:<account-id>:dbuser:<cluster-name>/<user>",
"arn:aws:redshift:<region>:<account-id>:dbuser:<workgroup-name>/<user>"
]
}
}
* For regular Redshift cluster use the following ARN format: arn:aws:redshift:<region>:<account-id>:dbuser:<cluster-name>/<user-name>
* For serverless Redshift use the following ARN format: arn:aws:redshift:<region>:<account-id>:dbuser:<workgroup-name>/<user-name>
无服务器 ARN 格式错误。经过无数次的反复试验,我发现只有这种 ARN 格式
arn:aws:redshift:<region>:<account-id>:dbuser:serverless-*
适用于 Serverless。但我无法弄清楚通配符*
代表什么。当然,删除“条件”部分也完全有效。