Amazon Redshift

Connect an Amazon Redshift data warehouse to WasteNot to pull customer and transaction data with custom SQL queries. WasteNot uses cross-account IAM role assumption, so no long-lived database credentials are ever stored.

Prerequisites

  • An Amazon Redshift cluster (provisioned) or workgroup (serverless) reachable over the internet with TLS enabled
  • Permission to create an IAM role in the AWS account that owns the cluster
  • Admin access to the Redshift database to create a read-only DB role
  • Your endpoint, port, and database name

Connecting Redshift

Step 1: Create the data source

  1. Add a new Redshift data source in WasteNot
  2. Enter a Name
  3. Click Save

Step 2: Create an IAM role for WasteNot

On the data source detail page, WasteNot will generate a trust policy that permits our session role to assume a role in your AWS account. In the AWS console:

  1. Create a new IAM role and paste in the trust policy shown on the data source page
  2. Add the tag RedshiftDbRoles=readonly to the role — Redshift uses this to map the assumed IAM role to a database role
  3. Attach an IAM policy that allows the role to fetch DB credentials, scoped to your cluster or workgroup. WasteNot provides ready-to-paste policies for both Redshift Serverless and provisioned Redshift on the data source page

Step 3: Create the read-only DB role and user

In your Redshift database, run the setup SQL shown on the data source page as an admin. It creates:

  • A readonly DB role with SELECT on the schemas you want WasteNot to read
  • A database user named IAMR:<your-iam-role-name> — this exact naming is how Redshift's IAM identity mapping resolves an assumed role to a database user

Step 4: Enter connection details

Fill in the form on the data source page:

  • Endpoint — The full Redshift endpoint, ending in .redshift.amazonaws.com (provisioned) or .redshift-serverless.amazonaws.com (serverless)
  • Port — The port Redshift is listening on (default: 5439)
  • Database — The name of the database to connect to
  • IAM Role ARN — The ARN of the role you created in Step 2

Click Connect. WasteNot will assume the role, fetch temporary credentials, and verify the connection.

Custom streams

Once connected, create streams to define what data WasteNot pulls from Redshift. Each stream is a SQL query that returns rows matching WasteNot's expected format.

See the Writing Custom Queries guide for full details on required columns and event types.

  1. Go to your Redshift data source detail page
  2. Click New Stream
  3. Give the stream a name, select an event type, and enter your SQL query
  4. Save the stream

WasteNot will run the query on a schedule and sync the results automatically.

Frequently asked questions

Does this work with Redshift Serverless?

Yes. Both provisioned clusters and serverless workgroups are supported. The only difference is the endpoint suffix and the IAM policy attached to the role — WasteNot provides the correct policy for each.

Why IAM role assumption instead of a username and password?

Cross-account role assumption means WasteNot never holds long-lived credentials for your warehouse. You control access entirely through IAM policies and can revoke it at any time by detaching the role.

What permissions does the DB role need?

The readonly DB role needs SELECT on the tables or views referenced in your stream queries. You can scope it to specific schemas to limit what WasteNot can see.

My data source shows "Failed" status

Common causes:

  • The IAM trust policy doesn't allow our session role to assume the role
  • The RedshiftDbRoles tag is missing or doesn't match the DB role name
  • The IAMR:<role-name> database user wasn't created, or the name doesn't match the IAM role exactly
  • The cluster or workgroup isn't reachable from our egress IPs
  • TLS isn't enabled

Check with your data team, or reach out to support@wastenot.io for help.
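The first three causes above, plus the endpoint suffix from Step 4, can be checked offline against the output of `aws iam get-role` before clicking Connect. The following is an added example, not WasteNot's own code; the role name, account IDs and session-role ARN are constructed placeholders, and `preflight` and `trust_allows` are hypothetical helper names.

```python
# Constructed sample shaped like the "Role" object returned by `aws iam get-role`.
# The principal ARN is a placeholder: use the one in the trust policy WasteNot generates.
SESSION_ROLE = "arn:aws:iam::999999999999:role/PLACEHOLDER-wastenot-session"
SAMPLE_ROLE = {
    "RoleName": "wastenot-redshift-reader",
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": SESSION_ROLE},
            "Action": "sts:AssumeRole",
        }],
    },
    "Tags": [{"Key": "RedshiftDbRoles", "Value": "readonly"}],
}
ENDPOINT_SUFFIXES = (".redshift.amazonaws.com", ".redshift-serverless.amazonaws.com")


def _as_list(value):
    """IAM policy fields may hold a single value or a list of values."""
    return value if isinstance(value, list) else [value]


def trust_allows(role, principal_arn):
    """True if an Allow statement lets principal_arn call sts:AssumeRole."""
    for stmt in _as_list(role["AssumeRolePolicyDocument"]["Statement"]):
        principal = stmt.get("Principal", {})
        arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow" and principal_arn in arns
                and "sts:AssumeRole" in _as_list(stmt.get("Action", []))):
            return True
    return False


def preflight(role, principal_arn, endpoint, db_role="readonly"):
    """Return the DB user name Redshift will expect plus any setup problems found."""
    problems = []
    if not trust_allows(role, principal_arn):
        problems.append("trust policy does not allow the session role")
    tags = {t["Key"]: t["Value"] for t in role.get("Tags", [])}
    # AWS documents the tag value as a colon-separated list of DB role names.
    if db_role not in tags.get("RedshiftDbRoles", "").split(":"):
        problems.append("RedshiftDbRoles tag missing or does not name the DB role")
    if not endpoint.lower().endswith(ENDPOINT_SUFFIXES):
        problems.append("endpoint does not end in a Redshift suffix")
    return {"expected_db_user": "IAMR:" + role["RoleName"], "problems": problems}


if __name__ == "__main__":
    print(preflight(SAMPLE_ROLE, SESSION_ROLE,
                    "example-wg.111122223333.us-east-1.redshift-serverless.amazonaws.com"))
```

The trust check is a literal match on the principal ARN and action; it does not evaluate `Condition` blocks or wildcards, and network reachability and TLS still have to be verified separately.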
