Cross account access to Redshift Serverless via Lambda function

aleksandralj

Aleksandra Ljuboje

Posted on December 26, 2023


If you have ever tried to connect an AWS Lambda function to Redshift Serverless, you know how much effort it takes. You can then relate to how painful it is to connect them across accounts.

Here are the necessary steps that will allow your Lambda function to connect to Redshift Serverless and run queries against its databases and catalogs.

The use case we want to handle is shown in the image below:

[Image: Cross account infrastructure]

Account A is the account with the Lambda function that wants to connect to Redshift Serverless.

Account B is the account with Redshift Serverless; it also holds the IAM role that the Lambda function assumes.

Unlike provisioned Redshift clusters, AWS does not provide a built-in way to create VPC endpoint access to Redshift Serverless from a different AWS account.

To make this possible, a simple workaround is presented as step 1.

  1. Create a VPC Peering connection between Account A and Account B (add routes in both directions).

  2. Manage Security Groups:

• For the Lambda function Security Group in Account A:

    add inbound rule on port TCP 5439 and choose Redshift Serverless SG as source

• For the Redshift Serverless Security Group in Account B:

    add inbound rule on port TCP 5439 and choose Lambda function SG as source

The console automatically prefixes a security group from the other account with its Account ID.

In Account A, attach a policy to the Lambda execution role that allows it to assume the IAM role in Account B that has access to Redshift Serverless:

```json
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::<Account B ID>:role/role-on-source-account"
    }
}
```

In Account B, edit the Trust Policy of that IAM role to add the ARN of the Lambda execution role from Account A:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<Account A ID>:role/my-lambda-execution-role"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```

For a more detailed explanation, refer to the
AWS re:Post article: How do I configure a Lambda function to assume an IAM role in another AWS account?

To make connecting to Redshift Serverless easier, you can use the Redshift Data API.

For the Lambda code, I decided to go with Python and boto3, in this case boto3.client('redshift-data').
A client created this way exposes operations such as execute_statement, which runs SQL queries.
For the whole list of operations, refer to this link.
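The following handler is an added example, not code from the post: it assumes the Account B role with STS, builds a redshift-data client from the temporary credentials, runs a parameterized statement against a Serverless workgroup and polls it to completion. Every name in it is an assumption (the role ARN, workgroup and database come from hypothetical environment variables, and the session name and query are placeholders). It also assumes the Account B role is allowed to call redshift-data:ExecuteStatement, redshift-data:DescribeStatement, redshift-data:GetStatementResult and redshift-serverless:GetCredentials, and that the function can reach the regional Redshift Data API endpoint over HTTPS. Query values are bound through the Data API's Parameters field rather than spliced into the SQL string, and the role ARN is validated before STS is called so a misconfiguration fails fast.

```python
"""Added example (not the post's code): cross-account Redshift Serverless
query from Lambda via sts:AssumeRole and the Redshift Data API.
All ARNs, names and environment variable names are placeholders."""
import os
import re
import time
from typing import Any

# Terminal statement states of the Redshift Data API; SUBMITTED/PICKED/STARTED are transient.
TERMINAL_STATES = {"FINISHED", "FAILED", "ABORTED"}
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")


def role_account_id(role_arn: str) -> str:
    """Return the 12-digit account ID of an IAM role ARN, rejecting malformed input."""
    match = ROLE_ARN_RE.match(role_arn)
    if not match:
        raise ValueError(f"not an IAM role ARN: {role_arn!r}")
    return match.group(1)


def assume_role_credentials(sts_client: Any, role_arn: str, session_name: str) -> dict:
    """Assume the Account B role and return boto3 client kwargs for the temporary credentials."""
    creds = sts_client.assume_role(
        RoleArn=role_arn, RoleSessionName=session_name, DurationSeconds=900
    )["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


def records_to_rows(column_metadata: list, records: list) -> list:
    """Flatten Data API records ([{'stringValue': 'x'}, {'longValue': 1}, {'isNull': True}])
    into dicts keyed by column name; SQL NULL becomes None."""
    names = [col["name"] for col in column_metadata]
    rows = []
    for record in records:
        row = {}
        for name, field in zip(names, record):
            row[name] = None if field.get("isNull") else next(iter(field.values()))
        rows.append(row)
    return rows


def run_query(data_client: Any, workgroup: str, database: str, sql: str,
              parameters: dict = None, poll_seconds: float = 1.0) -> list:
    """Submit SQL to a Serverless workgroup, wait for it to finish and return all rows.
    `parameters` maps :name placeholders in `sql` to values (the Data API binds them
    server-side, so caller input never becomes part of the statement text)."""
    request = {"WorkgroupName": workgroup, "Database": database, "Sql": sql}
    if parameters:
        request["Parameters"] = [{"name": k, "value": str(v)} for k, v in parameters.items()]
    statement_id = data_client.execute_statement(**request)["Id"]

    while True:
        desc = data_client.describe_statement(Id=statement_id)
        if desc["Status"] in TERMINAL_STATES:
            break
        time.sleep(poll_seconds)
    if desc["Status"] != "FINISHED":
        raise RuntimeError(f"statement {statement_id} {desc['Status']}: {desc.get('Error', '')}")
    if not desc.get("HasResultSet"):
        return []

    rows, token = [], None
    while True:  # page through results until NextToken is absent
        kwargs = {"Id": statement_id}
        if token:
            kwargs["NextToken"] = token
        page = data_client.get_statement_result(**kwargs)
        rows.extend(records_to_rows(page["ColumnMetadata"], page["Records"]))
        token = page.get("NextToken")
        if not token:
            return rows


def lambda_handler(event: dict, context: Any) -> dict:
    """Entry point: Account A execution role -> sts:AssumeRole -> Account B role -> Data API.
    boto3 is imported here (it ships with the Lambda runtime) so the module loads without it."""
    import boto3

    role_arn = os.environ["TARGET_ROLE_ARN"]        # hypothetical env var names
    workgroup = os.environ["REDSHIFT_WORKGROUP"]
    database = os.environ["REDSHIFT_DATABASE"]
    role_account_id(role_arn)  # fail fast on a malformed ARN before calling STS

    creds = assume_role_credentials(boto3.client("sts"), role_arn, "lambda-cross-account")
    data_client = boto3.client("redshift-data", **creds)
    rows = run_query(
        data_client, workgroup, database,
        "SELECT table_schema, table_name FROM information_schema.tables "
        "WHERE table_schema = :schema",
        parameters={"schema": event.get("schema", "public")},
    )
    return {"count": len(rows), "rows": rows[:50]}
```

The polling loop is needed because execute_statement is asynchronous: it returns a statement ID immediately and the result only becomes available once describe_statement reports FINISHED. The 900-second DurationSeconds is the minimum STS allows and is enough for a single invocation; keep it short since the credentials are held in the function's memory for the whole run.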

Now, the only thing left is to implement the logic of your code and test the connection.
