AWS Step Function Redshift Authentication

Time:01-01

I am building an AWS Step Function to trigger on SQS event messages. These messages will carry a simple payload with a startTime & endTime to run some Redshift queries.

I am clearly not giving Redshift the authentication it needs:

{
  "error": "RedshiftData.ValidationException",
  "cause": "To use IAM Authorization, both Cluster ID and DB User are required unless you're using Redshift Serverless. (Service: RedshiftData, Status Code: 400, Request ID: 3c7ef18f-ad28-46a2-8668-25cb6f5563bd, Extended Request ID: null)"
}

The question is how to configure the authentication properly. Do I create a DB user as here? https://awsbytes.com/how-to-create-user-in-redshift-database/ How would I pass this in the step function? Should I use a Secrets Manager? Is there a good guide on this?

Here is my Step Function code:

{
  "Comment": "Run Redshift Queries",
  "StartAt": "ReceiveMessage from SQS",
  "States": {
    "ReceiveMessage from SQS": {
      "Type": "Task",
      "Parameters": {
        "QueueUrl": "https://sqs.us-east-2.amazonaws.com/******/dev-queryProcessingQueue"
      },
      "Resource": "arn:aws:states:::aws-sdk:sqs:receiveMessage",
      "Next": "Run Analysis Queries",
      "ResultSelector": {
        "body.$": "States.StringToJson($.Messages[0].Body)"
      }
    },
    "Run Analysis Queries": {
      "Type": "Task",
      "Parameters": {
        "ClusterIdentifier": "test-*****-redshift-cluster",
        "Database": "prod",
        "Sql": "select * from my_test_table"
      },
      "Resource": "arn:aws:states:::aws-sdk:redshiftdata:executeStatement",
      "End": true
    }
  },
  "TimeoutSeconds": 3600
}

CodePudding user response:

The solution is to add the Redshift access to the step function IAM Role.
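What that answer implies, as an added example that is not part of the original answer or the asker's code: the function rejects task parameters that carry neither `DbUser` nor `SecretArn` (the gap the `ValidationException` in the question reports) and builds the IAM policy the state machine's role would need for the chosen mode. The function name, `example-cluster`, the account ID and `stepfn_user` are constructed placeholders, and Redshift Serverless is not handled.

```python
import json

def role_policy_for(params, region, account_id):
    """IAM policy the state machine role needs for one
    redshiftdata:executeStatement task on a provisioned cluster."""
    cluster = params.get("ClusterIdentifier")
    db_user, secret = params.get("DbUser"), params.get("SecretArn")
    if not cluster:
        raise ValueError("ClusterIdentifier missing (Serverless not handled here)")
    if not (db_user or secret):
        # Same gap the ValidationException in the question reports.
        raise ValueError("add DbUser (temporary credentials) or SecretArn")
    base = f"arn:aws:redshift:{region}:{account_id}"
    statements = [{
        "Effect": "Allow",
        "Action": "redshift-data:ExecuteStatement",
        "Resource": f"{base}:cluster:{cluster}",
    }]
    if db_user:
        # Temporary credentials, scoped to one database user and database.
        statements.append({
            "Effect": "Allow",
            "Action": "redshift:GetClusterCredentials",
            "Resource": [f"{base}:dbuser:{cluster}/{db_user}",
                         f"{base}:dbname:{cluster}/{params['Database']}"],
        })
    if secret:
        # Stored credentials: the role only needs to read that one secret.
        statements.append({
            "Effect": "Allow",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": secret,
        })
    return {"Version": "2012-10-17", "Statement": statements}

# Constructed sample: the question's task parameters with placeholder names.
TASK_PARAMS = {"ClusterIdentifier": "example-cluster", "Database": "prod",
               "Sql": "select * from my_test_table"}

if __name__ == "__main__":
    fixed = dict(TASK_PARAMS, DbUser="stepfn_user")  # hypothetical DB user
    print(json.dumps(role_policy_for(fixed, "us-east-2", "111122223333"), indent=2))
```

The same `DbUser` (or `SecretArn`) key goes into the `Parameters` of the `Run Analysis Queries` state next to `ClusterIdentifier`, and the resulting policy is attached to the role the state machine executes as.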
