AWS Redshift Serverless：“错误：无权获取角色凭证”

Question

我创建了一个无服务器 Redshift 实例，并尝试从 S3 存储桶导入 CSV 文件。

我创建了一个具有完整 Redshift + Redshift 无服务器访问权限和 S3 读取访问权限的 IAM 角色，并将该角色添加为Serverless Configuration的Permissions设置下的默认角色。基本上，我已经尝试根据文档做任何我认为必要的事情。

但是，这些文档目前仅针对正常的 EC2 托管 Redshift，而不是针对无服务器版本，因此可能有一些我忽略的内容。

但是当我尝试运行 COPY 命令（由 UI 生成）时，出现以下错误：

ERROR: Not authorized to get credentials of role arn:aws:iam::0000000000:role/RedshiftFull Detail: ----------------------------------------------- error: Not authorized to get credentials of role arn:aws:iam::00000000:role/RedshiftFull code: 30000 context: query: 18139 location: xen_aws_credentials_mgr.cpp:402 process: padbmaster [pid=8791] ----------------------------------------------- [ErrorId: 1-61dc479b-570a4e96449b228552f2c911]

这是我尝试运行的命令：

ERROR: Not authorized to get credentials of role arn:aws:iam::0000000000:role/RedshiftFull Detail: ----------------------------------------------- error: Not authorized to get credentials of role arn:aws:iam::00000000:role/RedshiftFull code: 30000 context: query: 18139 location: xen_aws_credentials_mgr.cpp:402 process: padbmaster [pid=8791] ----------------------------------------------- [ErrorId: 1-61dc479b-570a4e96449b228552f2c911]

这是角色

COPY dev."test-schema"."transactions" FROM 's3://bucket-name/something-1_2021-11-01T00_00_00.000Z_2022-01-03.csv' IAM_ROLE 'arn:aws:iam::0000000:role/RedshiftFull' FORMAT AS CSV DELIMITER ',' QUOTE '"' REGION AS 'eu-central-1'

{
    "Role": {
        "Path": "/",
        "RoleName": "RedshiftFull",
        "RoleId": "AROA2PAMxxxxxxx",
        "Arn": "arn:aws:iam::000000000:role/RedshiftFull",
        "CreateDate": "2022-01-10T13:55:03+00:00",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "Service": [
                            "redshift.amazonaws.com",
                            "sagemaker.amazonaws.com"
                        ]
                    },
                    "Action": "sts:AssumeRole"
                }
            ]
        },
        "Description": "Allows Redshift clusters to call AWS services on your behalf.",
        "MaxSessionDuration": 3600,
        "RoleLastUsed": {}
    }
}

政策redshift-serverless在这里：

{
    "AttachedPolicies": [
        {
            "PolicyName": "redshift-serverless",
            "PolicyArn": "arn:aws:iam::719432241830:policy/redshift-serverless"
        },
        {
            "PolicyName": "AmazonRedshiftFullAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/AmazonRedshiftFullAccess"
        },
        {
            "PolicyName": "AmazonS3ReadOnlyAccess",
            "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
        }
    ]
}

Answer 1

就我而言，有效的是链接两个角色：

• 集群的作用
• 我为 redshift 创建的用于访问 s3 的角色

我在以下文档中找到了它。