# Configure an Amazon Redshift Spectrum Integration

This page illustrates how to configure the [Amazon Redshift Spectrum integration](/SaaS/configuration/integrations/redshift/amazon-redshift-view-based-integration/redshift.md) on the Immuta app settings page. To configure this integration via the Immuta API, see the [Integrations API getting started guide](/SaaS/developer-guides/api-intro/integrations-api/getting-started.md#redshift-example).

## Requirements

* A Redshift cluster with an AWS row-level security patch applied. [Contact Immuta](https://support.immuta.com/) for guidance.
* [An AWS IAM role for Redshift](https://docs.aws.amazon.com/redshift/latest/dg/c-getting-started-using-spectrum-create-role.html) that is [associated with your Redshift cluster](https://docs.aws.amazon.com/redshift/latest/dg/c-getting-started-using-spectrum-add-role.html).
* The [`enable_case_sensitive_identifier` parameter](https://docs.aws.amazon.com/redshift/latest/dg/r_enable_case_sensitive_identifier.html) must be set to `false` (default setting) for your Redshift cluster.
* [A Redshift database that contains an external schema and external tables](https://docs.aws.amazon.com/redshift/latest/dg/c-getting-started-using-spectrum-create-external-table.html). You have two options for configuring this database:
  * [**Configure the integration with an existing database that contains the external tables**](#configure-the-integration-with-an-existing-database): Instead of creating an `immuta` database that manages all schemas and views created when Redshift data is registered in Immuta, the integration adds the Immuta-managed schemas and views to an existing database in Redshift.
  * [**Configure the integration by creating a new `immuta` database**](#configure-the-integration-by-creating-a-new-database)**:** Create a new database for Immuta that manages all schemas and views created when Redshift data is registered in Immuta, and re-create all of your external tables in that database.

## Permissions

The user configuring the integration must have the permissions below.

* `APPLICATION_ADMIN` Immuta permission
* The Redshift role used to run the Immuta bootstrap script must have the following privileges when configuring the integration:
  * If using an existing database
    * `ALL PRIVILEGES ON DATABASE` for the database you configure the integration with, as you must manage grants on that database.
    * `CREATE USER`
    * `GRANT TEMP ON DATABASE`
  * If creating a new database
    * `CREATE DATABASE`
    * `CREATE USER`
    * `GRANT TEMP ON DATABASE`
    * `REVOKE ALL PRIVILEGES ON DATABASE`
  * If enabling user impersonation:
    * `OWNERSHIP ON GROUP IMMUTA_IMPERSONATOR_ROLE`
    * `CREATE GROUP`

## Add a Redshift integration

Allow Immuta to create secure views of your external tables through one of these methods:

* [**Configure the integration with an existing database that contains the external tables**](#configure-the-integration-with-an-existing-database): Instead of creating an `immuta` database that manages all schemas and views created when Redshift data is registered in Immuta, the integration adds the Immuta-managed schemas and views to an existing database in Redshift.
* [**Configure the integration by creating a new `immuta` database**](#configure-the-integration-by-creating-a-new-database)**:** Create a new database for Immuta that manages all schemas and views created when Redshift data is registered in Immuta, and re-create all of your external tables in that database.

Select a tab below for instructions for either method.

{% tabs %}
{% tab title="Existing database" %}
**Configure the integration with an existing database**

1. Click the <i class="fa-gear">:gear:</i> **App Settings** icon in the navigation menu.
2. Click the **Integrations** tab.
3. Click the **+Add Integration** button and select **Redshift** from the dropdown menu.
4. Complete the **Host** and **Port** fields.
5. Enter the name of the database you created the external schema in as the **Immuta Database**. This database will store all secure schemas and Immuta-created views.
6. Opt to check the **Enable Impersonation** box and customize the **Impersonation Role** name as needed. This will allow users to natively impersonate another user. Once you finish configuring the integration, you can grant the `IMPERSONATE_USER` permission to Immuta users. See the [Managing users and permissions guide](/SaaS/configuration/people/users-index/how-to-guides/managing-personas-and-permissions.md#add-permission-to-user) for instructions.
7. Select **Manual** and download the second bootstrap script (**bootstrap script (Immuta database)**) from the **Setup** section. The specified role used to run the bootstrap needs to have the [permissions listed above](#permissions) for an existing database.
8. Run the **bootstrap script (Immuta database)** in the Redshift database that contains the external schema.
9. Choose **username and password** as your authentication method, and enter the credentials from the bootstrap script for the `Immuta_System_Account`.
10. Click **Save**.
    {% endtab %}

{% tab title="New database" %}
**Configure the integration by creating a new database**

1. Click the <i class="fa-gear">:gear:</i> **App Settings** icon in the navigation menu.
2. Click the **Integrations** tab.
3. Click the **+Add Integration** button and select **Redshift** from the dropdown menu.
4. Complete the **Host** and **Port** fields.
5. Enter an **Immuta Database**. This is a new database where all secure schemas and Immuta created views will be stored.
6. Opt to check the **Enable Impersonation** box and customize the **Impersonation Role** name as needed. This will allow users to natively impersonate another user.
7. Select **Manual** and download both of the bootstrap scripts from the **Setup** section. The specified role used to run the bootstrap needs to have the [permissions listed above](#permissions) for a new database.
8. Run the **bootstrap script (initial database)** in the Redshift initial database.
9. Run the **bootstrap script (Immuta database)** in the new **Immuta Database** in Redshift.
10. Choose **username and password** as your authentication method, and enter the credentials from the bootstrap script for the `Immuta_System_Account`.
11. Click **Save**.
12. Then, add your external tables to the **Immuta Database**.
    {% endtab %}
    {% endtabs %}

## Edit a Redshift Spectrum integration

1. Click the <i class="fa-gear">:gear:</i> **App Settings** icon in the navigation menu.
2. Navigate to the **Integrations** tab and click the **down arrow** next to the Redshift Spectrum integration.
3. Edit the field you want to change. *Note any field shadowed is not editable, and the integration must be disabled and re-installed to change it.*
4. Download the **Edit Script** and run it in the **Immuta Database** in Amazon Redshift.
5. In Immuta, enter the credentials used to initially configure the integration.
6. Click **Save**.

## Remove a Redshift Spectrum integration

{% hint style="warning" %}
**Disabling Amazon Redshift Spectrum**

Disabling the Amazon Redshift Spectrum integration is not supported when you set the fields `nativeWorkspaceName`, `nativeViewName`, and `nativeSchemaName` to [create Redshift Spectrum data sources](/SaaS/developer-guides/api-intro/immuta-v2-api/data-source.md). Disabling the integration when these fields are used in metadata ingestion causes undefined behavior.
{% endhint %}

1. Click the <i class="fa-gear">:gear:</i> **App Settings** icon in the navigation menu.
2. Navigate to the **Integrations** tab and click the **down arrow** next to the Amazon Redshift Spectrum integration.
3. Click the **checkbox** to disable the integration.
4. Enter the credentials that were used to initially configure the integration.
5. Click **cleanup script** to download the script.
6. Click **Save**.
7. Run the cleanup script in Amazon Redshift.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://documentation.immuta.com/SaaS/configuration/integrations/redshift/amazon-redshift-view-based-integration/configure-an-amazon-redshift-spectrum-integration.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.