Redshift
Requirements
Teleskope Role
Attach Redshift read and/or write permissions to the Teleskope IAM role you created.
Database Admin User
Create a read and/or write database user for each Redshift cluster you'd like us to scan.
Network Access
If your Redshift clusters are in private subnets and you do not want to peer VPCs, create a bastion host for us to use to access your Redshift clusters.
Grant Teleskope IAM Access to Redshift
Attach the AmazonRedshiftDataFullAccess and AmazonRedshiftReadOnlyAccess managed policies to the Teleskope role you created.
Terraform
resource "aws_iam_role_policy_attachment" "redshift_read_policy" {
  role       = "TeleskopeRole"
  policy_arn = "arn:aws:iam::aws:policy/AmazonRedshiftReadOnlyAccess"
}

resource "aws_iam_role_policy_attachment" "redshift_data_policy" {
  role       = "TeleskopeRole"
  policy_arn = "arn:aws:iam::aws:policy/AmazonRedshiftDataFullAccess"
}
Teleskope Database User
For each Redshift cluster you would like to scan using Teleskope, you will need to create a database user, and grant that user read permissions.
Create Database User
If using username and password:
CREATE USER teleskope WITH PASSWORD '****PASSWORD****';
If using IAM Authentication:
CREATE USER teleskope WITH PASSWORD DISABLE SYSLOG ACCESS UNRESTRICTED;
Then associate the IAM role with the Redshift cluster using:
aws redshift modify-cluster-iam-roles \
  --cluster-identifier my-redshift-cluster \
  --add-iam-roles arn:aws:iam::<account-id>:role/TeleskopeRole
Grant Read Access
GRANT SELECT ON svv_all_schemas TO teleskope;
GRANT SELECT ON svv_table_info TO teleskope;
GRANT SELECT ON ALL TABLES IN SCHEMA pg_catalog TO teleskope;
-- Grant select on each Redshift schema
GRANT USAGE ON SCHEMA {schema} TO teleskope;
GRANT SELECT ON ALL TABLES IN SCHEMA {schema} TO teleskope;
Grant Write Access
For each Redshift schema:
GRANT UPDATE, DELETE ON ALL TABLES IN SCHEMA {schema} TO teleskope;
Enroll in Teleskope UI
To enroll your Redshift cluster:
Navigate to Settings -> Connector Settings -> AWS -> Redshift.
Click the radio button next to each cluster, click Edit, and enter:
If using username/password, the username and password of the cluster
If using IAM Auth, the username (leave the password field blank)
SSH Tunnel (Optional)
Launch an EC2 instance in a public subnet to serve as the SSH tunnel bastion host.
The public key for the key-pair parameter will be provided by Teleskope: teleskope-bastion-key.
Place the public key in ~/.ssh/authorized_keys.
echo "<TELESKOPE_PUBLIC_KEY>" >> ~/.ssh/authorized_keys
Update the permissions on the file and directory.
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Allow access from the Teleskope AWS account in your security group(s). The IP addresses to allow will be provided by Teleskope.
Assign an Elastic IP (EIP) to the bastion host.
Adjust route tables and security groups as needed to provide access to the Redshift cluster through the bastion host.
Provide Teleskope with the bastion username and the bastion Elastic IP.
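A least-privilege variant of the authorized_keys and permissions steps above, as an added example that is not part of the original page or Teleskope's own tooling: it installs the key with OpenSSH options that limit it to port forwarding toward a single Redshift endpoint. It assumes the key is used only for TCP forwarding; the function names, the endpoint host and the port are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example: install a forwarding-only public key on the bastion host.
# ASSUMPTION (not from the original page): the key is needed only for TCP
# forwarding to one Redshift endpoint; host and port are placeholders.

# install_tunnel_key <public-key-line> <redshift-host> [port] [ssh-dir]
install_tunnel_key() {
    key=$1
    target_host=$2
    target_port=${3:-5439}            # 5439 is the Redshift default port
    ssh_dir=${4:-$HOME/.ssh}
    auth_file=$ssh_dir/authorized_keys

    # Refuse empty or multi-line input so one call adds exactly one entry.
    [ -n "$key" ] && [ -n "$target_host" ] || return 2
    case $key in *"
"*) return 2 ;; esac

    # Accept only something shaped like an OpenSSH public key line.
    case $key in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;
        *) return 2 ;;
    esac

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # "restrict" disables pty allocation and agent/X11 forwarding;
    # "port-forwarding" re-enables forwarding only, and "permitopen"
    # limits forwarded connections to the single Redshift endpoint.
    opts="restrict,port-forwarding,permitopen=\"$target_host:$target_port\""
    entry="$opts $key"

    # Idempotent: append only if this exact line is not already present.
    grep -qxF -- "$entry" "$auth_file" || printf '%s\n' "$entry" >> "$auth_file"
}

# file_mode <path>: octal permission bits (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
```

If the key was already appended without options, remove that line, because sshd would still accept the unrestricted entry. Confirm with Teleskope that forwarding-only access is sufficient before relying on these options.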