2 Replies Latest reply on Jul 29, 2021 12:37 PM by Uma Mahesh Chalasani

    AWS IAM Role Issues with Redshift Connector for PowerCenter 10.4 in GovCloud

    Scott McAllister New Member



      We are trying to use the Redshift connector to COPY/UNLOAD data in Redshift to/from AWS S3. We've configured the connector, and the Informatica documentation states that we should specify an AWS IAM Role to run the session on PowerCenter Integration Service installed on an Amazon EC2 system in the following format: AWS_IAM_ROLE=arn:aws:iam::<accountID>:role:<role-name>.


      We’ve created such a role, based on https://docs.aws.amazon.com/redshift/latest/mgmt/authorizing-redshift-service.html, and have attached it to our Redshift cluster with a permission scoped directly to a database user. Both the AWS console and CLI show this role to be attached to the cluster and in an “in-sync” status.


      However, the ARN of the role we created includes the fact that we are in gov-cloud: arn:aws-us-gov:iam::<accountId>:role/<roleName>. This is an important distinction. The problem we’re facing is that some sort of input validation seems to be preventing us from providing this role to the Redshift connector config. We get the following error message (accountID has been removed):


      Message Code: Amazon_RedshiftReader_30071
        Message: [ERROR] The Amazon Role ARN arn:aws-us-gov:iam::<accountID>:role/informatica-redshift-role provided in the UNLOAD or COPY command is not valid. Provide a valid Redshift Role ARN in the following format: arn:aws:iam::<account-id>:role/<role-name>


As you can see in the error message, it’s expecting an ARN in the format of arn:aws:iam… instead of arn:aws-us-gov:iam…


      We are in gov-cloud, so the ARN must include this information to be valid.


      To get past this error, we removed the “-us-gov” portion of the role’s ARN. But this creates a new problem downstream the moment we try to run a job with the connection. Here we get an error complaining that the db user doesn’t have permission to assume that role:


[ERROR] The copy or unload command for the record <record> failed because of the following error: [[Amazon](500310) Invalid operation: User arn:aws-us-gov:redshift:us-gov-west-1:<accountID>:dbuser:<clusterName>/<dbUser> is not authorized to assume IAM Role arn:aws:iam::<AccountID>:role/informatica-redshift-role.



      This is a common error message when you have something that tries to assume a role that doesn’t exist. I say the role doesn't exist because we removed the `-us-gov` portion of the ARN to get past that first error message. We have also tried this approach without scoping the role to a specific database user.


      Does anyone know of a resolution to this issue? To us, it seems like the connector is not configured to work in gov cloud.
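The two errors in the post are both consequences of how an ARN's partition field is handled: the first is a validator that only accepts the `aws` partition, the second is what happens when a role ARN is rewritten into a different partition than the principal that must assume it. The following is an added illustration, not code from the original post or from Informatica's connector; the `STRICT_ROLE_ARN` pattern is an assumed reconstruction of the behaviour the error message describes, the account ID `123456789012`, cluster name and database user are constructed sample values, and the role name is the one from the post.

```python
import re
from dataclasses import dataclass

# Partitions that AWS actually uses: commercial, GovCloud (US) and China.
KNOWN_PARTITIONS = {"aws", "aws-us-gov", "aws-cn"}

# Assumed reconstruction of the check implied by error Amazon_RedshiftReader_30071:
# it hard-codes the "aws" partition, so any GovCloud or China ARN is rejected.
STRICT_ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/([\w+=,.@/-]+)$")

# Constructed sample values (account ID, cluster and user are placeholders).
GOVCLOUD_ROLE = "arn:aws-us-gov:iam::123456789012:role/informatica-redshift-role"
STRIPPED_ROLE = "arn:aws:iam::123456789012:role/informatica-redshift-role"
GOVCLOUD_DBUSER = (
    "arn:aws-us-gov:redshift:us-gov-west-1:123456789012:dbuser:examplecluster/exampleuser"
)


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str
    account: str
    resource: str


def parse_arn(arn: str) -> Arn:
    """Split an ARN into its five fields after the 'arn' prefix.

    The resource field is taken whole because it may itself contain colons
    (e.g. Redshift's 'dbuser:<cluster>/<user>') or slashes ('role/<name>').
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account, resource = parts
    if partition not in KNOWN_PARTITIONS:
        raise ValueError(f"unknown partition {partition!r} in {arn!r}")
    return Arn(partition, service, region, account, resource)


def is_strictly_valid_role_arn(arn: str) -> bool:
    """The partition-blind check: true only for 'arn:aws:iam::...:role/...'."""
    return STRICT_ROLE_ARN.fullmatch(arn) is not None


def validate_role_arn(arn: str) -> Arn:
    """Partition-aware check for an IAM role ARN.

    IAM is a global service, so the region field must be empty; the account
    is a 12-digit number; the resource must be 'role/<non-empty name>'.
    The partition is validated against KNOWN_PARTITIONS rather than fixed.
    """
    parsed = parse_arn(arn)
    if parsed.service != "iam":
        raise ValueError(f"service must be 'iam', got {parsed.service!r}")
    if parsed.region != "":
        raise ValueError("IAM ARNs carry no region")
    if not re.fullmatch(r"\d{12}", parsed.account):
        raise ValueError(f"account must be 12 digits, got {parsed.account!r}")
    if not parsed.resource.startswith("role/") or parsed.resource == "role/":
        raise ValueError(f"resource must be 'role/<name>', got {parsed.resource!r}")
    return parsed


def same_partition(principal_arn: str, role_arn: str) -> bool:
    """A principal can only assume a role that exists in its own partition.

    Rewriting the role ARN from 'aws-us-gov' to 'aws' (as the post did to get
    past the validator) points at a role in a different partition, which is
    why the second error reports the dbuser as 'not authorized to assume' it.
    """
    return parse_arn(principal_arn).partition == parse_arn(role_arn).partition


if __name__ == "__main__":
    for label, arn in (("GovCloud role", GOVCLOUD_ROLE), ("stripped role", STRIPPED_ROLE)):
        print(f"{label}: strict check = {is_strictly_valid_role_arn(arn)}, "
              f"partition-aware check = {validate_role_arn(arn).partition}, "
              f"same partition as dbuser = {same_partition(GOVCLOUD_DBUSER, arn)}")
```

Running it shows the GovCloud role failing the strict check but passing the partition-aware one, and the stripped role passing the strict check while landing in a different partition from the Redshift database user, which matches the sequence of errors in the post.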