The following setup allows Alvin to access Redshift metadata and query history, without being able to touch the underlying data.
1. Create Alvin user permissions
Choose a name for the user, and enable access to Redshift system/usage tables.
Alvin also needs a data warehouse usage permissions for issuing certain queries. When this step is done, Alvin can access queries from the Redshift query history.
-- Set up USER-- Generate password MD5select md5('***pass***'||'alvin_read_only');d79140576960e66f9dc426c32b005895-- Create User-- Copy the returned md5, and create a string like: md5{copied_md5}createuseralvin_read_onlypassword'md5d79140576960e66f9dc426c32b005895';
2. Grant access to all databases of interest
This step ensures that Alvin is able to access metadata such as tables, views and columns.
The important part here is that this step needs to be performed for all schemas of interest. future grants that anything created within the schema at a later stage is picked up.
GRANTSELECTon svv_table_info TO alvin_read_only;GRANTSELECTon svl_user_info TO alvin_read_only;GRANTSELECTon information_schema.columns TO alvin_read_only;GRANTSELECTon pg_catalog.pg_statio_all_tables TO alvin_read_only;GRANTSELECTon pg_catalog.pg_description TO alvin_read_only;GRANTSELECTon stl_query TO alvin_read_only;GRANTSELECTon SVL_STATEMENTTEXT TO alvin_read_only;GRANTSELECTON SVV_COLUMNS to alvin_read_only;GRANTEXECUTEONFUNCTION pg_get_late_binding_view_cols() TO alvin_read_only;ALTERUSER alvin_read_only SYSLOG ACCESS UNRESTRICTED;-- Do this for all schemas of interestGRANT USAGE ONSCHEMA {schema} TO alvin_read_only;-- Grant References permission to userGRANTREFERENCESON ALL TABLES INSCHEMA {schema} TO alvin_read_only;-- Alter Default Privileges to maintain the permissions on new tablesALTERDEFAULT PRIVILEGES INSCHEMA {schema} GRANTREFERENCESON TABLES TO alvin_read_only;
3. Whitelist Alvin IP (Optional)
If your organization restricts Redshift access to a specific set of IP addresses, Alvin will only access your Redshift through the following IP, add it to your Allowed IP Addresses list:
34.159.141.113
