AWS Redshift Connection Configuration¶
Amazon Redshift is a cloud-based data warehouse service that requires specialized connection configuration. mcp_ohmy_sql supports both traditional username/password authentication and modern AWS IAM-based authentication for Redshift clusters.
See also
AWSRedshiftConnection - The configuration class source code for AWS Redshift connection
AWS Redshift Connection Type¶
AWS Redshift databases use the "aws_redshift" connection type:
{
"db_type": "aws_redshift",
"connection": {
"type": "aws_redshift",
"method": "sqlalchemy",
# ... authentication configuration
}
}
Authentication Methods¶
AWS Redshift supports two main authentication approaches:
Direct Credentials: Traditional host/port/username/password
AWS IAM Authentication: Uses AWS credentials and temporary tokens
Both methods ultimately create a SQLAlchemy connection, but handle authentication differently.
Method 1: Direct Credentials¶
Use this method when you have direct database credentials:
{
"identifier": "redshift_direct",
"description": "Redshift with direct credentials",
"db_type": "aws_redshift",
"connection": {
"type": "aws_redshift",
"method": "sqlalchemy",
"host": "my-cluster.abc123.us-east-1.redshift.amazonaws.com",
"port": 5439,
"database": "warehouse",
"username": "analyst",
"password": "secure_password"
}
}
Required Fields for Direct Credentials:
host: Redshift cluster endpointport: Database port (typically 5439)database: Database name within the clusterusername: Database usernamepassword: Database password
Method 2: AWS IAM Authentication¶
Use this method for secure, credential-free authentication using AWS IAM:
For Redshift Clusters:
{
"identifier": "redshift_iam_cluster",
"description": "Redshift cluster with IAM auth",
"db_type": "aws_redshift",
"connection": {
"type": "aws_redshift",
"method": "sqlalchemy",
"cluster_identifier": "my-analytics-cluster",
"database": "warehouse",
"boto_session_kwargs": {
"region_name": "us-east-1",
"profile_name": "analytics"
}
}
}
For Redshift Serverless:
{
"identifier": "redshift_serverless",
"description": "Redshift Serverless with IAM auth",
"db_type": "aws_redshift",
"connection": {
"type": "aws_redshift",
"method": "sqlalchemy",
"namespace_name": "analytics-namespace",
"workgroup_name": "analytics-workgroup",
"boto_session_kwargs": {
"region_name": "us-west-2",
"profile_name": "default"
}
}
}
AWS Credentials Configuration¶
The boto_session_kwargs object configures how to authenticate with AWS:
{
"boto_session_kwargs": {
"region_name": "us-east-1",
"profile_name": "analytics",
"aws_access_key_id": "AKIA...",
"aws_secret_access_key": "...",
"aws_session_token": "...",
"role_arn": "arn:aws:iam::123456789012:role/RedshiftAnalyst",
"duration_seconds": 3600,
"auto_refresh": false
}
}
AWS Credential Options:
Parameter |
Required |
Description |
|---|---|---|
|
No |
AWS region where Redshift cluster is located |
|
No |
AWS CLI profile name from |
|
No |
AWS access key (use environment variables instead) |
|
No |
AWS secret key (use environment variables instead) |
|
No |
Temporary session token for STS credentials |
|
No |
IAM role to assume for Redshift access |
|
No |
Session duration when assuming roles (default: 3600) |
|
No |
Automatically refresh temporary credentials (default: false) |
Complete Configuration Examples¶
Development with Direct Credentials:
{
"identifier": "redshift_dev",
"description": "Development Redshift cluster",
"db_type": "aws_redshift",
"connection": {
"type": "aws_redshift",
"method": "sqlalchemy",
"host": "dev-cluster.abc123.us-east-1.redshift.amazonaws.com",
"port": 5439,
"database": "dev_warehouse",
"username": "dev_user",
"password": "dev_password"
},
"schemas": [
{
"name": "public",
"table_filter": {
"exclude": ["temp_*", "staging_*"]
}
}
]
}
Production with IAM Authentication:
{
"identifier": "redshift_prod",
"description": "Production analytics warehouse",
"db_type": "aws_redshift",
"connection": {
"type": "aws_redshift",
"method": "sqlalchemy",
"cluster_identifier": "prod-analytics-cluster",
"database": "warehouse",
"boto_session_kwargs": {
"region_name": "us-east-1",
"profile_name": "production"
}
},
"schemas": [
{
"name": "public",
"table_filter": {
"exclude": ["staging_*", "temp_*", "admin_*"]
}
},
{
"name": "marts",
"table_filter": {
"include": ["fact_*", "dim_*", "*_summary"]
}
}
]
}
Cross-Account Role Assumption:
{
"identifier": "redshift_cross_account",
"description": "Cross-account Redshift access",
"db_type": "aws_redshift",
"connection": {
"type": "aws_redshift",
"method": "sqlalchemy",
"cluster_identifier": "shared-analytics",
"database": "warehouse",
"boto_session_kwargs": {
"region_name": "us-east-1",
"role_arn": "arn:aws:iam::987654321098:role/CrossAccountRedshiftAccess",
"duration_seconds": 7200,
"auto_refresh": true
}
}
}
Redshift Serverless Configuration:
{
"identifier": "redshift_serverless_analytics",
"description": "Serverless analytics workgroup",
"db_type": "aws_redshift",
"connection": {
"type": "aws_redshift",
"method": "sqlalchemy",
"namespace_name": "analytics-ns",
"workgroup_name": "analytics-wg",
"boto_session_kwargs": {
"region_name": "us-west-2",
"profile_name": "serverless"
}
},
"schemas": [
{
"name": "analytics",
"table_filter": {
"include": ["daily_*", "monthly_*", "summary_*"]
}
}
]
}
AWS IAM Permissions¶
For IAM authentication to work, your AWS credentials need appropriate permissions:
Required IAM Permissions for Redshift Clusters:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"redshift:DescribeClusters",
"redshift:GetClusterCredentialsWithIAM"
],
"Resource": [
"arn:aws:redshift:region:account:cluster/cluster-name",
"arn:aws:redshift:region:account:dbuser:cluster-name/username"
]
}
]
}
Required IAM Permissions for Redshift Serverless:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"redshift-serverless:GetNamespace",
"redshift-serverless:GetWorkgroup",
"redshift-serverless:GetCredentials"
],
"Resource": [
"arn:aws:redshift-serverless:region:account:namespace/namespace-id"
]
}
]
}
Security Best Practices¶
Use IAM Authentication:
Prefer IAM authentication over hardcoded credentials:
# ✅ Recommended: IAM authentication
{
"boto_session_kwargs": {
"region_name": "us-east-1",
"profile_name": "analytics"
}
}
# ❌ Avoid: Hardcoded credentials
{
"username": "user",
"password": "hardcoded_password"
}
Environment Variables:
Use environment variables for sensitive data:
export AWS_PROFILE=analytics
export AWS_REGION=us-east-1
Credential Hierarchy:
AWS credentials are resolved in this order:
Explicit credentials in
boto_session_kwargsEnvironment variables (
AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY)AWS CLI profiles (
~/.aws/credentials)IAM instance profiles (for EC2)
IAM container credentials (for ECS)
Troubleshooting¶
Common Issues:
Authentication failures: Check AWS credentials and IAM permissions
Network connectivity: Verify security groups and VPC settings
Cluster not found: Check cluster identifier and region
SSL errors: Redshift requires SSL connections
Token expiration: Use
auto_refreshfor long-running sessions
Testing AWS Credentials:
Test your AWS credentials independently:
aws redshift describe-clusters --region us-east-1
aws sts get-caller-identity
AWS Redshift Documentation¶
For comprehensive information about AWS Redshift configuration and best practices:
The mcp_ohmy_sql server leverages AWS SDKs and follows AWS best practices for authentication and security.
Next Steps¶
Schema Configuration - Configure schemas and table filtering for your Redshift warehouse
Relational Database Connection Configuration - Learn about SQLAlchemy-based connections
Connection Configuration - Return to connection configuration overview