Account that is the UNLOAD destination
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow from 123456789012 and VPCE",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/MyRedshiftRole"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::redshift-unload",
        "arn:aws:s3:::redshift-unload/*"
      ]
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::redshift-unload",
        "arn:aws:s3:::redshift-unload/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:sourceVpce": "vpce-0ac***********cfa"
        }
      }
    }
  ]
}
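To see why this bucket policy admits the Redshift role only when the request arrives through the VPC endpoint, here is an added example (not the post's code) that evaluates the bucket-policy part of an S3 request against a copy of it. The endpoint id is a placeholder, and identity policies and SCPs, which a real authorisation also consults, are not modelled.

```python
import json
# Constructed copy of the destination bucket policy; the endpoint id is a placeholder.
BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/MyRedshiftRole"},
     "Action": "s3:PutObject",
     "Resource": ["arn:aws:s3:::redshift-unload", "arn:aws:s3:::redshift-unload/*"]},
    {"Effect": "Deny",
     "Principal": "*",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::redshift-unload", "arn:aws:s3:::redshift-unload/*"],
     "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-PLACEHOLDER"}}}
  ]
}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _resource_matches(pattern, resource):
    # Only the trailing "/*" wildcard this policy uses is modelled.
    return resource.startswith(pattern[:-1]) if pattern.endswith("/*") else resource == pattern

def _applies(stmt, principal_arn, action, resource, ctx):
    principal = stmt["Principal"]
    if principal != "*" and principal_arn not in _as_list(principal.get("AWS", [])):
        return False
    if action not in _as_list(stmt["Action"]):
        return False
    if not any(_resource_matches(p, resource) for p in _as_list(stmt["Resource"])):
        return False
    # StringNotEquals holds when the key is absent, so a request that did not
    # arrive through any endpoint hits the Deny. Keys compare case-insensitively.
    lowered = {k.lower(): v for k, v in ctx.items()}
    for key, expected in stmt.get("Condition", {}).get("StringNotEquals", {}).items():
        if lowered.get(key.lower()) == expected:
            return False
    return True

def evaluate(policy, principal_arn, action, resource, source_vpce=None):
    """Bucket-policy decision only: explicit Deny wins, then Allow, else implicit deny."""
    ctx = {"aws:SourceVpce": source_vpce} if source_vpce else {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _applies(stmt, principal_arn, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision
```

Running it shows the three outcomes the post relies on: the Redshift role through the endpoint is allowed, the same role without the endpoint (Enhanced VPC Routing off) hits the explicit Deny, and any other role is implicitly denied even through the endpoint.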
Account where Redshift runs
Redshift
- Create the Redshift cluster in a private subnet
- Enable [Enhanced VPC Routing] on the Redshift cluster
- Attach an IAM role granted the AmazonS3FullAccess permission to the Redshift cluster
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::cp-dst/*"
    }
  ]
}
Confirm that UNLOAD works across accounts
CREATE TABLE customer
(
c_custkey INTEGER NOT NULL,
c_name VARCHAR(25) NOT NULL,
c_address VARCHAR(25) NOT NULL,
c_city VARCHAR(10) NOT NULL,
c_nation VARCHAR(15) NOT NULL,
c_region VARCHAR(12) NOT NULL,
c_phone VARCHAR(15) NOT NULL,
c_mktsegment VARCHAR(10) NOT NULL
);
copy customer from 's3://awssampledbuswest2/ssbgz/customer'
iam_role 'arn:aws:iam::123456789012:role/MyRedshiftRole'
gzip compupdate off region 'us-west-2';
unload ('select * from customer')
to 's3://cp-dst/'
allowoverwrite
iam_role 'arn:aws:iam::123456789012:role/MyRedshiftRole';
INFO: UNLOAD completed, 3000000 record(s) unloaded successfully.
UNLOAD
- Even from the same VPC as Redshift, access is denied because the IAM role is different
[ec2-user@ip-172-**-*-244 ~]$ aws s3 cp 0000_part_00 s3://cp-dst/redshit-unload/
upload failed: ./0000_part_00 to s3://cp-dst/redshit-unload/0000_part_00 An error occurred (AccessDenied) when calling the CreateMultipartUpload operation: Access Denied