Redshift Cross-Account Configuration

Configure Cloud Protect in a different account from the Redshift cluster

Cross-Account Configuration

The following figure illustrates the Protegrity Redshift Integration architecture when the Protegrity solution is installed in a different AWS account from the one that hosts the Amazon Redshift cluster.

Redshift Account IAM Configuration

This step creates the IAM policy that allows a Redshift IAM role to assume the Protegrity role (DBRoleARN) in the separate account. The role itself is created in the next step.

Create Redshift IAM policy:

  1. Login to the AWS account that hosts the Amazon Redshift cluster.

  2. In the AWS console, access Services > IAM and click Policies.

  3. Click Create Policy.

  4. Select the JSON tab and paste the following JSON snippet:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [ "sts:AssumeRole" ],
          "Resource": "<DBRoleARN>"
        }
      ]
    }
    
  5. Replace the resource value with the DBRoleARN recorded in Create IAM Account Role. This policy is only half of the cross-account grant: the role behind DBRoleARN must also list the Redshift IAM role created in the next step as a trusted principal in its trust policy, otherwise the AssumeRole call is denied.

  6. Click Review policy to continue.

  7. Enter a name for the policy.

  8. Click Create Policy.

  9. Record the policy name.

    Redshift IAM Policy Name: ___________________

Create Redshift IAM Role

This step creates Redshift IAM role with permissions to assume role in separate account.

Create Redshift IAM Role:

  1. Login to the AWS account that hosts the Amazon Redshift cluster.

  2. In the AWS console, access Services > IAM and click Roles.

  3. Click Create Role.

  4. Select AWS Service as the trusted entity type, then select Redshift use case from the list of services.

  5. Select Redshift – Customizable from the use case section.

  6. Continue by clicking Next:Permissions.

  7. Filter the list and search for the policy recorded in the step above (Redshift IAM Policy Name).

  8. Click the Next:Tags button to continue to the next step.

  9. Click the Next:Review button to continue.

  10. Enter a role name, such as Redshift2ProtegrityRole.

  11. Click Create Role.

  12. Record role ARN:

    RedshiftIAMRoleARN: ____________________

Attach IAM Role to Redshift Cluster

This step associates the Redshift IAM role created above with the Redshift cluster, so that the cluster can use it to assume the role in the separate account.

Attach IAM role to the Redshift cluster:

  1. Login to AWS Console.

  2. Access Amazon Redshift and select your cluster.

  3. Select Properties > Cluster Permissions > Manage IAM Roles.

  4. Select RedshiftIAMRoleARN configured in the step above and click Associate IAM role.

  5. Save the changes.

  6. After saving the changes it may take a couple of minutes until the cluster IAM role is fully configured.

  7. You can check configuration status by navigating back to the cluster IAM role settings.

  8. The status field next to the IAM role will show in-sync once the role is configured.

Defining Redshift External Functions

The external function for the cross-account configuration differs slightly from the reference material in this document: the IAM_ROLE clause must specify two roles, the role attached to the cluster first and the role in the Protegrity account second, separated by a comma with no spaces. The following is an example of the modified function definition.

CREATE OR REPLACE EXTERNAL FUNCTION demo_schema.pty_unprotect_deName(varchar)
RETURNS varchar
VOLATILE
LAMBDA '<ProtectFunctionProductionAlias>'
IAM_ROLE '<RedshiftIAMRoleARN>,<DBRoleARN>';

Replace the placeholders as follows:

  1. Replace <ProtectFunctionProductionAlias> with the value recorded in Install through CloudFormation.

  2. Replace <RedshiftIAMRoleARN> with the value recorded in Create Redshift IAM Role.

  3. Replace <DBRoleARN> with the value recorded in Create IAM Account Role.
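The following Python script is an added example, not part of the original page or of the Protegrity product, that ties the IAM steps above and the external function definition together. It generates the three policy documents involved in the cross-account role chain (the Redshift role's assume-role permission policy from step 4, the trust policy the console creates for the Redshift – Customizable use case, and the trust policy the DBRoleARN role in the Cloud Protect account must carry for the chain to work), builds the IAM_ROLE chain string and the CREATE EXTERNAL FUNCTION statement, and checks that both halves of the grant agree before you paste anything into the console. The account IDs, the role name ProtegrityDBRole and the Lambda alias ARN are constructed placeholders for the example; only Redshift2ProtegrityRole and demo_schema.pty_unprotect_deName come from the page.

```python
import json
import re

# Constructed placeholders for this example; none of these values come from the page.
REDSHIFT_ACCOUNT = "111111111111"   # account that hosts the Amazon Redshift cluster
PROTECT_ACCOUNT = "222222222222"    # account where Cloud Protect is installed
REDSHIFT_ROLE_NAME = "Redshift2ProtegrityRole"   # role name suggested on the page
DB_ROLE_NAME = "ProtegrityDBRole"                # assumed name for the Create IAM Account Role role
LAMBDA_ALIAS_ARN = "arn:aws:lambda:us-east-1:222222222222:function:pty-protect:prod"  # assumed alias ARN

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def role_arn(account_id: str, role_name: str) -> str:
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def redshift_assume_policy(db_role_arn: str) -> dict:
    """Permission policy attached to the Redshift-account role (the page's JSON snippet)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": db_role_arn}
        ],
    }


def redshift_role_trust_policy() -> dict:
    """Trust policy the console attaches for the 'Redshift - Customizable' use case."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Principal": {"Service": "redshift.amazonaws.com"},
             "Action": "sts:AssumeRole"}
        ],
    }


def db_role_trust_policy(redshift_role_arn: str) -> dict:
    """Trust policy the Cloud Protect-account role (DBRoleARN) needs so that the
    Redshift role, and only that role, can assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Principal": {"AWS": redshift_role_arn},
             "Action": "sts:AssumeRole"}
        ],
    }


def iam_role_chain(redshift_role_arn: str, db_role_arn: str) -> str:
    """IAM_ROLE value for the external function: cluster-attached role first,
    then the role it assumes, comma-separated with no spaces."""
    for arn in (redshift_role_arn, db_role_arn):
        if not ROLE_ARN_RE.match(arn):
            raise ValueError(f"not an IAM role ARN: {arn}")
    return f"{redshift_role_arn},{db_role_arn}"


def external_function_ddl(schema: str, name: str, lambda_alias_arn: str, chain: str) -> str:
    return (
        f"CREATE OR REPLACE EXTERNAL FUNCTION {schema}.{name}(varchar)\n"
        "RETURNS varchar\n"
        "VOLATILE\n"
        f"LAMBDA '{lambda_alias_arn}'\n"
        f"IAM_ROLE '{chain}';"
    )


def _allowed_assume_targets(policy: dict) -> set:
    """Role ARNs on which the policy allows sts:AssumeRole."""
    targets = set()
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if "sts:AssumeRole" not in actions:
            continue
        res = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        targets.update(res)
    return targets


def _trusted_aws_principals(trust_policy: dict) -> set:
    """AWS principals (role ARNs) the trust policy allows to assume the role."""
    principals = set()
    for st in trust_policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        p = st.get("Principal", {})
        aws = p.get("AWS", []) if isinstance(p, dict) else []
        principals.update(aws if isinstance(aws, list) else [aws])
    return principals


def chain_is_consistent(assume_policy: dict, db_trust_policy: dict,
                        redshift_role_arn: str, db_role_arn: str) -> bool:
    """Both halves of the cross-account grant must agree: the Redshift role may call
    sts:AssumeRole on DBRoleARN, and DBRoleARN's trust policy names the Redshift role."""
    return (db_role_arn in _allowed_assume_targets(assume_policy)
            and redshift_role_arn in _trusted_aws_principals(db_trust_policy))


if __name__ == "__main__":
    rs_arn = role_arn(REDSHIFT_ACCOUNT, REDSHIFT_ROLE_NAME)
    db_arn = role_arn(PROTECT_ACCOUNT, DB_ROLE_NAME)
    print(json.dumps(redshift_assume_policy(db_arn), indent=2))   # paste in the Redshift account
    print(json.dumps(db_role_trust_policy(rs_arn), indent=2))     # trust policy for DBRoleARN
    print(external_function_ddl("demo_schema", "pty_unprotect_deName", LAMBDA_ALIAS_ARN,
                                iam_role_chain(rs_arn, db_arn)))
    print("chain consistent:",
          chain_is_consistent(redshift_assume_policy(db_arn), db_role_trust_policy(rs_arn), rs_arn, db_arn))
```

Running the script prints the two policy documents and the DDL with real ARNs substituted for the placeholders; the consistency check is the one to run whenever the AssumeRole call fails with AccessDenied, since the usual cause is a trust policy on DBRoleARN that names the wrong account or role.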


Last modified : January 21, 2026