Cross account access to Redshift Serverless via Lambda function
Aleksandra Ljuboje
Posted on December 26, 2023
If you have ever tried to connect an AWS Lambda function to Redshift Serverless, you know how much effort it takes. Then you can also relate to how painful it is to do the same thing cross-account.
Here are the necessary steps that allow your Lambda function to connect to Redshift Serverless and run queries against its databases and catalogs.
The use case we want to handle is shown in the image below:
• Account A hosts the Lambda function that wants to connect to Redshift Serverless
• Account B hosts Redshift Serverless and the IAM role that the Lambda function assumes cross-account
Unlike a provisioned Redshift cluster, Redshift Serverless does not offer a built-in way to create a VPC endpoint for access from a different AWS account.
To make it possible, a simple workaround is presented as step 1.
Step 1: Create a VPC Peering connection between Account A and Account B, and add routes in both directions (each VPC's route table needs a route to the other VPC's CIDR through the peering connection). The two VPC CIDR ranges must not overlap, otherwise the peering connection cannot be activated.
Step 2: Manage Security Groups
• For the Lambda function Security Group in Account A: allow outbound traffic on port TCP 5439 to the Redshift Serverless Security Group (the default outbound rule that permits all traffic already covers this). The Lambda function initiates the connection and security groups are stateful, so no inbound rule is needed on its Security Group.
• For Redshift Serverless in Account B, manage the Redshift Serverless Security Group: add an inbound rule on port TCP 5439 and choose the Lambda function SG as the source. Because the VPCs are peered, the other account's Security Group can be referenced directly; the console stores it with the Account ID in front of the SG ID, in the form <Account A ID>/sg-xxxxxxxx.
In Account A, add a policy to the Lambda execution role that allows it to assume the IAM role in Account B that has access to Redshift Serverless:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::<Account B ID>:role/role-on-source-account"
}
}
In Account B, edit the trust policy of that IAM role to add the ARN of the Lambda execution role from Account A as a trusted principal:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<Account A ID>:role/my-lambda-execution-role"
},
"Action": "sts:AssumeRole"
}
]
}
For a more detailed explanation, refer to the AWS re:Post article: How do I configure a Lambda function to assume an IAM role in another AWS account?
To make connecting to Redshift Serverless easier, you can use the Redshift Data API. Note that the Data API is an HTTPS service endpoint (redshift-data), not a connection on TCP 5439: a Lambda function placed in a VPC reaches it through a NAT gateway or an interface VPC endpoint for redshift-data, while the peering and security-group rules above are what a direct driver connection on port 5439 needs. With the Data API, the role assumed in Account B must be allowed to call the redshift-data actions (ExecuteStatement, DescribeStatement, GetStatementResult, CancelStatement) and redshift-serverless:GetCredentials, so that temporary database credentials can be issued for the workgroup.
For the Lambda code I decided to go with Python and boto3, in this case boto3.client('redshift-data'). A client created this way exposes the Data API operations, such as execute_statement for running SQL statements, describe_statement for polling their status, and get_statement_result for fetching the rows.
For the whole list of operations, refer to the boto3 documentation for the RedshiftDataAPIService client.
Now, the only thing left is to implement the logic of your code and test the connection.
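The following Lambda code is an added example and not the original post's code. It assumes the Account B role ARN from the policies above, a workgroup named my-workgroup, a database named dev and a users table (all placeholders), and that the Account B role allows the Data API actions plus redshift-serverless:GetCredentials. It assumes the role with STS, submits a parameterized statement through the Data API, polls describe_statement until the statement reaches a terminal state, and pages through get_statement_result. boto3 is imported lazily inside assume_role_session, so the polling and result-decoding logic can be exercised offline with the constructed FakeDataApiClient at the bottom.

```python
"""Cross-account Redshift Serverless query from a Lambda function via the Data API.

Added example, not the original post's code. ROLE_ARN_B, WORKGROUP, DATABASE and
the users table are placeholders (assumptions). The Account B role is assumed to
trust the Lambda execution role and to allow the redshift-data actions plus
redshift-serverless:GetCredentials. FakeDataApiClient is a constructed stand-in."""
import time

ROLE_ARN_B = "arn:aws:iam::<Account B ID>:role/role-on-source-account"  # placeholder from the post
WORKGROUP = "my-workgroup"  # assumption
DATABASE = "dev"            # assumption
TERMINAL = {"FINISHED", "FAILED", "ABORTED"}

def assume_role_session(role_arn, session_name="lambda-cross-account"):
    """Assume the Account B role with STS; return a boto3 Session on the temporary credentials."""
    import boto3  # only needed for a real run inside Lambda
    creds = boto3.client("sts").assume_role(RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]
    return boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                         aws_secret_access_key=creds["SecretAccessKey"],
                         aws_session_token=creds["SessionToken"])

def _cell(field):
    """Decode one Data API field, e.g. {"stringValue": "x"}, {"longValue": 1} or {"isNull": True}."""
    if field.get("isNull"):
        return None
    for key in ("stringValue", "longValue", "doubleValue", "booleanValue", "blobValue"):
        if key in field:
            return field[key]
    raise ValueError(f"unexpected field encoding: {field}")

def rows_from_result(pages):
    """Flatten get_statement_result pages into (column names, list of row tuples)."""
    columns = [col["name"] for col in pages[0]["ColumnMetadata"]]
    return columns, [tuple(_cell(f) for f in rec) for page in pages for rec in page["Records"]]

def run_query(client, sql, parameters=None, workgroup=WORKGROUP, database=DATABASE,
              poll_seconds=0.5, timeout_seconds=60):
    """Submit sql via the Data API, poll until terminal and return (columns, rows);
    parameters maps :name placeholders to values bound server-side (no string concatenation)."""
    kwargs = {"WorkgroupName": workgroup, "Database": database, "Sql": sql}
    if parameters:
        kwargs["Parameters"] = [{"name": k, "value": str(v)} for k, v in parameters.items()]
    statement_id = client.execute_statement(**kwargs)["Id"]
    deadline = time.monotonic() + timeout_seconds
    while True:
        desc = client.describe_statement(Id=statement_id)
        if desc["Status"] in TERMINAL:
            break
        if time.monotonic() > deadline:
            client.cancel_statement(Id=statement_id)
            raise TimeoutError(f"statement {statement_id} did not finish in {timeout_seconds}s")
        time.sleep(poll_seconds)
    if desc["Status"] != "FINISHED":
        raise RuntimeError(f"statement {statement_id} {desc['Status']}: {desc.get('Error')}")
    if not desc.get("HasResultSet"):
        return [], []  # e.g. INSERT or DDL: nothing to fetch
    pages, token = [], None
    while True:  # get_statement_result is paginated via NextToken
        page = client.get_statement_result(Id=statement_id, **({"NextToken": token} if token else {}))
        pages.append(page)
        token = page.get("NextToken")
        if not token:
            return rows_from_result(pages)

def lambda_handler(event, context):
    """Lambda entry point: assume the Account B role, then query through the Data API."""
    client = assume_role_session(ROLE_ARN_B).client("redshift-data")
    columns, rows = run_query(client, "SELECT id, name FROM users WHERE id > :min_id",
                              parameters={"min_id": event.get("min_id", 0)})
    return {"columns": columns, "rows": rows}

class FakeDataApiClient:
    """Constructed stand-in for boto3's redshift-data client so the demo runs offline."""
    def __init__(self):
        self.polls, self.submitted = 0, None
    def execute_statement(self, **kwargs):
        self.submitted = kwargs
        return {"Id": "stmt-1"}
    def describe_statement(self, Id):
        self.polls += 1  # still running on the first poll, finished afterwards
        return {"Id": Id, "Status": "STARTED" if self.polls < 2 else "FINISHED", "HasResultSet": True}
    def get_statement_result(self, Id, NextToken=None):
        meta = [{"name": "id"}, {"name": "name"}]
        if NextToken is None:  # first page, with a continuation token
            return {"ColumnMetadata": meta, "Records": [[{"longValue": 1}, {"stringValue": "alice"}]],
                    "NextToken": "page-2"}
        return {"ColumnMetadata": meta, "Records": [[{"longValue": 2}, {"isNull": True}]]}
    def cancel_statement(self, Id):
        return {"Status": True}

def demo():
    """Offline run against the fake client; returns (client, (columns, rows))."""
    client = FakeDataApiClient()
    return client, run_query(client, "SELECT id, name FROM users WHERE id > :min_id",
                             parameters={"min_id": 0}, poll_seconds=0)
```

Two points worth keeping from this: the query uses the Data API's named parameters (:min_id bound through the Parameters list) instead of building SQL from event input, and the polling loop cancels the statement and raises on timeout rather than leaving it running in the workgroup.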