1 of 3

Before you create an Amazon Redshift workspace

Before you create a workspace that uses the Amazon Redshift data connector, complete the configuration that is outlined in the following topics.

Required AWS instance profile permissions for Amazon Redshift

When it uses Amazon Redshift, Tonic Structural orchestrates the creation, usage, and deletion of AWS components.

The required permissions to do so are taken from the instance profile role of the machine that runs Structural's server. This role (EC2) needs the permissions listed below.

These policies allows Structural to properly orchestrate jobs in your AWS infrastructure. It assumes that you use default names for objects in AWS, and that your source and destination S3 buckets begin with the tonic- prefix.

Note that these permissions are starting point. Based on your exact AWS setup, you might need to add additional permissions.

The required permissions are as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketNotification",
                "s3:PutBucketNotification"
            ],
            "Resource": "arn:aws:s3:::tonic-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion"
            ],
            "Resource": "arn:aws:s3:::tonic-*/*"
        }
    ]
}

Source and destination database permissions for Amazon Redshift

User permissions on the source database

The following is an example of how to create an Amazon Redshift user with the permissions needed to connect to Tonic Structural.

We recommend that you use a backup as your source database instead of connecting directly to your production environment.

If your database contains additional schemas that are included, then you must also run the same commands for those schemas.

User permissions on destination database

The destination database must exist before Structural can connect to it.

The required permissions for the user that Structural uses to connect to the destination database depend on whether the workspace .

By default, workspaces do not preserve the source ownership in the destination database. The destination user then requires the following permissions:

However, if the workspace does preserve the source database ownership, then the destination database user must be a superuser who holds ownership and privileges of all schemas and tables.

Source and destination database permissions for Amazon Redshift

User permissions on the source database

The following is an example of how to create an Amazon Redshift user with the permissions needed to connect to Tonic Structural.

We recommend that you use a backup as your source database instead of connecting directly to your production environment.

If your database contains additional schemas that are included, then you must also run the same commands for those schemas.

User permissions on destination database

The destination database must exist before Structural can connect to it.

The required permissions for the user that Structural uses to connect to the destination database depend on whether the workspace .

By default, workspaces do not preserve the source ownership in the destination database. The destination user then requires the following permissions:

However, if the workspace does preserve the source database ownership, then the destination database user must be a superuser who holds ownership and privileges of all schemas and tables.

-- Allows viewing table metadata.
GRANT SELECT ON pg_catalog.svv_table_info TO tonic_destination_user;

-- Allows creation of temporary tables on the destination database during a session.
GRANT TEMPORARY ON DATABASE tonic_destination_database TO tonic_destination_user;

-- Allows creation of schemas and permanent objects within the destination database.
GRANT CREATE ON DATABASE tonic_destination_database TO tonic_destination_user;

-- If any schemas from the source already exist in the destination database and the destination user is not the owner, run the followingfor each relevant schema.
GRANT DROP ON SCHEMA schema_name TO tonic_destination_user;

-- Allows viewing table metadata.
GRANT SELECT ON pg_catalog.svv_table_info TO tonic_destination_user;

-- Allows creation of temporary tables on the destination database during a session.
GRANT TEMPORARY ON DATABASE tonic_destination_database TO tonic_destination_user;

-- Allows creation of schemas and permanent objects within the destination database.
GRANT CREATE ON DATABASE tonic_destination_database TO tonic_destination_user;

-- If any schemas from the source already exist in the destination database and the destination user is not the owner, run the followingfor each relevant schema.
GRANT DROP ON SCHEMA schema_name TO tonic_destination_user;

Required AWS instance profile permissions for Amazon Redshift

When it uses Amazon Redshift, Tonic Structural orchestrates the creation, usage, and deletion of AWS components.

The required permissions to do so are taken from the instance profile role of the machine that runs Structural's server. This role (EC2) needs the permissions listed below.

Note that these permissions are starting point. Based on your exact AWS setup, you might need to add additional permissions.

The required permissions are as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketNotification",
                "s3:PutBucketNotification"
            ],
            "Resource": "arn:aws:s3:::tonic-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion"
            ],
            "Resource": "arn:aws:s3:::tonic-*/*"
        }
    ]
}

Before you create an Amazon Redshift workspace

Required AWS instance profile permissions for Amazon Redshift

Source and destination database permissions for Amazon Redshift

hashtagUser permissions on the source database

hashtagUser permissions on destination database

Before you create an Amazon Redshift workspace

Source and destination database permissions for Amazon Redshift

hashtagUser permissions on the source database

hashtagUser permissions on destination database

Required AWS instance profile permissions for Amazon Redshift

User permissions on the source database

User permissions on destination database

User permissions on the source database

User permissions on destination database