"Invalid operation: Not authorized to get credentials of role" when trying to load JSON from S3 into Redshift

I always get the error

Invalid operation: Not authorized to get credentials of role arn:aws:iam::xxxxx:role/default_glue_role

I just want to load JSON from S3 into a Redshift cluster. I'm not clear on which role I have to attach (Redshift?).

I have already tried attaching the following IAM policy to Redshift

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::xxxxx:role/default_glue_role"
  }
}

and also tried `"Resource": "*"`, but I always get the same error. Thanks for your help!

I had a long conversation with AWS support about this same problem. A few things to check:

  1. The S3 bucket region is the same as the Redshift cluster region
  2. You are not logged in as the root user; you need to create a user with the correct permissions and log in as that user to run your queries
  3. You should add the following permissions to your user and Redshift policies:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*",
        "redshift:*",
        "sqlworkbench:*",
        "sts:*",
        "secretsmanager:*",
        "s3-object-lambda:*",
        "ec2:*",
        "sns:*",
        "cloudwatch:*",
        "tag:*",
        "redshift-data:*",
        "redshift-serverless:*"
      ],
      "Resource": "*"
    }
  ]
}

  4. You should have the following trust relationship on your Redshift and user roles:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "s3.amazonaws.com",
          "redshift.amazonaws.com",
          "iam.amazonaws.com",
          "redshift-serverless.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

The actual set of permissions you need may be smaller, but this is what worked for me. It took me a long time to figure out! I hope this helps.

It looks like you may also need to add Glue permissions.

The redshift-serverless permission may tell you it is causing an error, but you should be able to save it anyway (AWS told me to do this).
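For the error in the question, the two things that matter most from the checklist above are that the role is actually associated with the cluster and that its trust policy lets `redshift.amazonaws.com` call `sts:AssumeRole`; the broad `*:*` permissions are not required for COPY itself. The following Python is an added example, not code from the question, the answer or AWS: it builds a least-privilege trust policy and S3 permissions policy for a COPY role (narrower than the policy above, in line with the note that the real set may be smaller), and a small checker that evaluates a role's trust policy and the cluster's `IamRoles` list (the shape returned by `aws redshift describe-clusters`) for the two conditions behind the error. The bucket name, prefix, role ARN and the sample trust policies and cluster role list are assumptions constructed for the example.

```python
import json

REDSHIFT_SERVICE = "redshift.amazonaws.com"

# Constructed sample inputs (not from the question or answer).
ROLE_ARN = "arn:aws:iam::123456789012:role/redshift-copy-role"

# A trust policy that only trusts Glue: the shape of the mistake in the question,
# where a Glue role is handed to Redshift.
GLUE_ONLY_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "glue.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# What `aws redshift describe-clusters` reports under Clusters[].IamRoles when
# the role has been associated and the change has propagated.
SAMPLE_CLUSTER_IAM_ROLES = [{"IamRoleArn": ROLE_ARN, "ApplyStatus": "in-sync"}]


def _as_list(value):
    """IAM accepts a single string or a list in Statement, Action and Service."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def role_trusts_redshift(trust_policy: dict, service: str = REDSHIFT_SERVICE) -> bool:
    """True if an Allow statement lets `service` call sts:AssumeRole and no Deny blocks it."""
    allowed = False
    for stmt in _as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action"))
        if service not in services:
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        if stmt.get("Effect") == "Deny":
            return False  # an explicit Deny always wins
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def redshift_copy_trust_policy() -> dict:
    """Minimal trust policy: only the Redshift service principal may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": REDSHIFT_SERVICE},
            "Action": "sts:AssumeRole",
        }],
    }


def redshift_copy_permissions_policy(bucket: str, prefix: str = "") -> dict:
    """Least-privilege permissions for COPY ... FROM 's3://bucket/prefix/':
    list the bucket (scoped to the prefix) and read the objects under it.
    Objects encrypted with SSE-KMS additionally need kms:Decrypt on the key (not shown)."""
    prefix = prefix.strip("/")
    list_stmt = {
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": f"arn:aws:s3:::{bucket}",
    }
    if prefix:
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}/*"]}}
    object_arn = f"arn:aws:s3:::{bucket}/{prefix}/*" if prefix else f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            list_stmt,
            {"Effect": "Allow", "Action": "s3:GetObject", "Resource": object_arn},
        ],
    }


def diagnose(trust_policy: dict, role_arn: str, cluster_iam_roles: list) -> list:
    """Return the reasons a COPY would report 'Not authorized to get credentials of role'."""
    problems = []
    attached = {r.get("IamRoleArn") for r in cluster_iam_roles if r.get("ApplyStatus") == "in-sync"}
    if role_arn not in attached:
        problems.append(f"{role_arn} is not associated (in-sync) with the cluster; "
                        "associate it with `aws redshift modify-cluster-iam-roles --add-iam-roles`")
    if not role_trusts_redshift(trust_policy):
        problems.append(f"trust policy of {role_arn} does not allow {REDSHIFT_SERVICE} to sts:AssumeRole")
    return problems


if __name__ == "__main__":
    print(json.dumps(redshift_copy_trust_policy(), indent=2))
    print(json.dumps(redshift_copy_permissions_policy("my-bucket", "json/"), indent=2))
    for p in diagnose(GLUE_ONLY_TRUST_POLICY, ROLE_ARN, []):
        print("PROBLEM:", p)
    print("ok:", diagnose(redshift_copy_trust_policy(), ROLE_ARN, SAMPLE_CLUSTER_IAM_ROLES) == [])
```

Feed `diagnose` the output of `aws iam get-role` (the `AssumeRolePolicyDocument`) and `aws redshift describe-clusters` for your cluster; if it returns no problems, the remaining suspects are the S3 side (bucket policy, region, KMS key policy) rather than the role itself.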

For everyone using Terraform:

It was @patrick-ward's suggestion that solved my problem:

# Trust policy shared by the three DMS roles below.
data "aws_iam_policy_document" "dms_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      identifiers = [
        "s3.amazonaws.com",
        "redshift.amazonaws.com",
        "iam.amazonaws.com",
        "redshift-serverless.amazonaws.com",
        "dms.amazonaws.com"
      ]
      type = "Service"
    }
  }
}

# Role used by the DMS endpoint, with the AWS-managed Redshift/S3 policy.
resource "aws_iam_role" "dms-access-for-endpoint" {
  assume_role_policy = data.aws_iam_policy_document.dms_assume_role.json
  name               = "dms-access-for-endpoint"
}

resource "aws_iam_role_policy_attachment" "dms-access-for-endpoint-AmazonDMSRedshiftS3Role" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonDMSRedshiftS3Role"
  role       = aws_iam_role.dms-access-for-endpoint.name
}

# Role that lets DMS write its logs to CloudWatch.
resource "aws_iam_role" "dms-cloudwatch-logs-role" {
  assume_role_policy = data.aws_iam_policy_document.dms_assume_role.json
  name               = "dms-cloudwatch-logs-role"
}

resource "aws_iam_role_policy_attachment" "dms-cloudwatch-logs-role-AmazonDMSCloudWatchLogsRole" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonDMSCloudWatchLogsRole"
  role       = aws_iam_role.dms-cloudwatch-logs-role.name
}

# Role that lets DMS manage the VPC resources for its replication instance.
resource "aws_iam_role" "dms-vpc-role" {
  assume_role_policy = data.aws_iam_policy_document.dms_assume_role.json
  name               = "dms-vpc-role"
}

resource "aws_iam_role_policy_attachment" "dms-vpc-role-AmazonDMSVPCManagementRole" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonDMSVPCManagementRole"
  role       = aws_iam_role.dms-vpc-role.name
}