# Register an Amazon Redshift Connection

{% hint style="info" %}
**Public preview**: This integration is available to all accounts that request to enable it for their tenant. Contact your Immuta representative to enable it.
{% endhint %}

## Permissions

The user registering the connection must have the permissions below.

* `APPLICATION_ADMIN` Immuta permission
* The Amazon Redshift user registering the connection must be a superuser or have the following Amazon Redshift privileges:

  * `CREATEDB`
  * `CREATE USER`
  * `sys:secadmin` role
  * `USAGE` on all databases and schemas that contain data you want to register
  * The following privileges `WITH GRANT OPTION` on objects registered in Immuta:
    * `DELETE`
    * `INSERT`
    * `SELECT`
    * `TRUNCATE`
    * `UPDATE`

  For descriptions and explanations of privileges Immuta needs to enforce policies and maintain state in Amazon Redshift, see the [Amazon Redshift integration reference guide](https://documentation.immuta.com/saas/configuration/integrations/redshift/reference-guides/amazon-redshift-integration-reference-guide#required-amazon-redshift-privileges).

## Prerequisites

Enable Amazon Redshift dynamic data masking on each data object Immuta will protect by running the `ALTER TABLE` command with the `MASKING ON` clause.

See the [Amazon Redshift documentation](https://docs.aws.amazon.com/redshift/latest/dg/r_ALTER_TABLE.html) for details.

## Create the database user

1. [Create a new database user in Redshift to serve as the Immuta system account](https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_USER.html). Immuta will use this system account continuously to crawl the connection.
2. [Grant this account the following Redshift privileges](https://docs.aws.amazon.com/redshift/latest/dg/r_GRANT.html):
   * `USAGE` on all databases and schemas that contain data you want to register
   * `CREATE ROLE`
   * `sys:secadmin` role
   * The following privileges `WITH GRANT OPTION` on objects registered in Immuta:
     * `DELETE`
     * `INSERT`
     * `SELECT`
     * `TRUNCATE`
     * `UPDATE`

## [Create the exemption role](https://documentation.immuta.com/saas/configuration/integrations/redshift/reference-guides/amazon-redshift-integration-reference-guide#policy-exemption-role)

1. Create a new role in Amazon Redshift called `immuta_exemption`.
2. Grant this role to any users who should be exempt from Immuta data policies.
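The SQL below consolidates the prerequisite, the system account grants and the exemption role from the sections above into one runnable script (an added example, not Immuta's own code). The schema `analytics`, the table `analytics.customers`, the user names `immuta_system` and `etl_loader`, and the password placeholder are assumptions; replace them with your own values.

```sql
-- Prerequisite: enable Redshift masking on every table Immuta will protect
-- (schema and table names are assumed)
ALTER TABLE analytics.customers MASKING ON;

-- Separate database that Immuta connects to and uses to maintain state,
-- kept apart from databases that ETL jobs may drop
CREATE DATABASE immuta;

-- Immuta system account used to crawl the connection
-- (replace the placeholder with a generated secret)
CREATE USER immuta_system PASSWORD '<placeholder-password>';

-- USAGE on each schema that contains data to register
GRANT USAGE ON SCHEMA analytics TO immuta_system;

-- sys:secadmin covers the user and role administration Immuta needs
GRANT ROLE sys:secadmin TO immuta_system;

-- Object privileges WITH GRANT OPTION so Immuta can delegate them
GRANT SELECT, INSERT, UPDATE, DELETE, TRUNCATE
  ON ALL TABLES IN SCHEMA analytics
  TO immuta_system WITH GRANT OPTION;

-- Exemption role: members bypass Immuta data policies, so keep it small
CREATE ROLE immuta_exemption;
GRANT ROLE immuta_exemption TO etl_loader;

-- Check: the system account's grants should show admin_option = true
SELECT namespace_name, relation_name, privilege_type, admin_option
FROM svv_relation_privileges
WHERE identity_name = 'immuta_system';
```

Re-run the final query after adding new schemas to confirm the grants (and their grant option) were extended to the new objects.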

## Register the connection

1. In your Amazon Redshift environment, create an **Immuta database** that Immuta can use to connect to your Amazon Redshift instance to register the connection and maintain state with Amazon Redshift.

   Having this separate database for Immuta prevents custom ETL processes or jobs from deleting the database you use to register the connection, which would break the connection.
2. In Immuta, click **Data** and select **Connections** in the navigation menu.
3. Click the **+ Add Connection** button.
4. Select the **Amazon Redshift** tile.
5. Enter the host connection information:
   1. **Display Name:** This is the name of your new connection. This name will be used in the API (`connectionKey`), in data source names from the host, and on the connections page. Avoid the use of periods (`.`) or restricted words[^1] in your connection name.
   2. **Hostname**: URL of your Amazon Redshift instance.
   3. **Port**: Port configured for Amazon Redshift.
   4. **Database**: The Redshift database you created for Immuta. All databases in the host will be registered.
6. Enter the **username** and **password** of the [Amazon Redshift database user you created above](#create-the-database-user).
7. Click **Save connection**.

## Map users

**Requirement**: `USER_ADMIN` Immuta permission

Map Amazon Redshift usernames to each Immuta user account to ensure Immuta properly enforces policies.

The instructions below illustrate how to do this for individual users, but you can also configure user mapping in your [IAM connection on the app settings page](https://documentation.immuta.com/saas/people/users-index/how-to-guides/external-user-mapping#configure-external-user-id-mapping-on-app-settings-page).

1. Click **People** and select **Users** in the navigation menu.
2. Click the user's **name** to navigate to their page and scroll to the **External User Mapping** section.
3. Click **Edit** in the **Redshift User** row.
4. Enter the user's **Redshift username**.
5. Click **Save**.

[^1]: Your display name cannot be any of the following words: `data`, `connection`, `object`, `crawl`, `search`, `settings`, `metadata`, `permission`, `sync`, `bulk`, and `upgrade`.
