Redshift Configuration

  • Updated on Jul 14, 2025
  • Published on May 29, 2024
  • 3 minute(s) read
  • Deborah Landau
 Prev Next

# Redshift Configuration Steps

Prerequisites

  • If your Redshift security posture requires IP whitelisting, have the Gong static IP available during the following steps. It will be required in Step 2.
    • The Gong service's static IP is: 34.196.102.214
  • By default, Redshift authentication uses role-based access. You will need the trust policy prepopulated with the Gong AWS ARN to grant access.
    • The Custom trust policy (with the Gong service's AWS ARN) is:
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::655275192472:role/gpe-us-01-1-c1-app-prequel"
			},
			"Action": "sts:AssumeRole"
		}
	]
}

Step 1: Create a Limited User in Redshift

  1. Connect to Redshift using the SQL client.
  2. Execute the following query to create a user to write the data.
CREATE USER <username> PASSWORD DISABLE;
  1. Grant user CREATE and TEMPORARY privileges on the database. CREATE allows the service to create new schemas and TEMPORARY allows the service to create temporary tables.
GRANT CREATE, TEMPORARY ON DATABASE <database> TO <username>;

πŸ“˜ The schema will be created during the first sync

The schema name supplied as part of Step 4 will be created during the first connection. It does not need to be created manually in the destination ahead of time.

πŸ“˜ If the schema already exists

By default, the service creates a new schema based on the destination configuration. If you prefer to create the schema yourself before connecting the destination, you must ensure that the writer user has the proper permissions on the schema, using:

GRANT ALL ON schema <schema> TO <username>;`

Once you've provided the GRANT ALL permission on the schema, you can safely remove the CREATE permission on the database (but you must retain the TEMPORARY permission on the database).

Step 2: Whitelist connection

  1. In the Redshift console, click Clusters, and make a note of the cluster name.
  2. Select the cluster you would like to connect.
  3. In the General information pane, make note of the Endpoint details. You may need to use the copy icon to copy the full details to discover the full endpoint and port number.

  1. Click the Properties tab.
  2. Scroll down to the Network and security settings section.
  3. In the VPC security group field, select a security group to open it.

  1. In the Security Groups window, click Inbound rules.
  2. Click Edit inbound rules.
  3. In the Edit the Inbound rules window, follow the steps below to create custom TCP rules for the static IP:
    a. Select Custom TCP in the drop-down menu.
    b. Enter your Redshift port number. (likely 5439)
    c. Enter the static IP. (from the prerequisite)
    d. Click Add rule.

Step 3: Create a staging bucket

Create staging bucket

  1. Navigate to the S3 service page.
  2. Click Create bucket.
  3. Enter a Bucket name and modify any of the default settings as desired. Note: Object Ownership can be set to "ACLs disabled" and Block Public Access settings for this bucket can be set to "Block all public access" as recommended by AWS. Make note of the Bucket name and AWS Region.
  4. Click Create bucket.

Create policy

  1. Navigate to the IAM service page, click on the Policies navigation tab, and click Create policy.
  2. Click the JSON tab, and paste the following policy, being sure to replace {BUCKET_NAME} with the name of the bucket chosen above, and {REGION_NAME}, {ACCOUNT_ID}, {CLUSTER_NAME}, {USERNAME}, and {DATABASE_NAME} with the proper Redshift values.
    1. Note: the first bucket permission in the list applies to {BUCKET_NAME} whereas the second permission applies only to the bucket's contents - {BUCKET_NAME}/* - an important distinction.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::{BUCKET_NAME}"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
              	"s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::{BUCKET_NAME}/*"
        },
        {
            "Effect": "Allow",
            "Action": "redshift:GetClusterCredentials",
            "Resource": [
                "arn:aws:redshift:{REGION_NAME}:{ACCOUNT_ID}:dbuser:{CLUSTER_NAME}/{USERNAME}",
                "arn:aws:redshift:{REGION_NAME}:{ACCOUNT_ID}:dbname:{CLUSTER_NAME}/{DATABASE_NAME}"
            ]
        }
    ]
}
  1. Click through to the Review step, choose a name for the policy, for example, transfer-service-policy (this will be referenced in the next step), add a description, and click Create policy.

Create role

  1. Navigate to the IAM service page.
  2. Navigate to the Roles navigation tab, and click Create role.
  3. Select Custom trust policy and paste the provided trust policy (from the prerequisite) to allow AssumeRole access to this role. Click Next.
  4. Add the permissions policy created above, and click Next.
  5. Enter a Role name, for example, transfer-role, and click Create role.
  6. Once successfully created, search for the created role in the Roles list, click the role name, and make a note of the ARN value.

Step 4: Add your destination

  1. Securely share your host, database, cluster, your chosen schema, IAM role ARN, and staging bucket details with us to complete the connection.
Related articles