

# Amazon Redshift compute connections in Amazon SageMaker Unified Studio

You can connect to Amazon Redshift Serverless workgroups and Amazon Redshift clusters in Amazon SageMaker Unified Studio.

Amazon Redshift Serverless workgroups are a collection of compute resources that you can use to run data warehousing queries and engineering notebooks without managing underlying infrastructure. These are especially useful in environments where query patterns are unpredictable or workloads fluctuate.

Amazon Redshift clusters are scalable compute environments that enable the processing and analysis of large datasets. They are optimized for running SQL-based queries on data warehouses, making them ideal for structured data analytics and reporting.

# Gaining access to Amazon Redshift resources


To add Amazon SageMaker Unified Studio connections to existing compute resources, you must get access information from the admin who owns the resources. First, get your project ID from the **Project overview** page of the project you want to add resources to, and send it to the owner of the Amazon Redshift resources. The Amazon Redshift admin uses the project ID to complete the required steps and then sends you the access details, which you enter in Amazon SageMaker Unified Studio.

The steps that you and the admin complete depend on whether the resources are in the same AWS account as the one in which you access Amazon SageMaker Unified Studio.

**Note**  
If you want to query the Amazon Redshift resources using JupyterLab within Amazon SageMaker Unified Studio, the Amazon Redshift resource must use the same VPC as the Amazon SageMaker Unified Studio project. If the Amazon SageMaker Unified Studio project uses a different VPC than the Amazon Redshift resource you want to gain access to, you and your admin must complete additional steps to connect the VPCs before you can use JupyterLab to query. You can still query using the Data page of your project if you are using different VPCs. For more information, see [VPC to VPC connectivity](https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/vpc-to-vpc-connectivity.html) and [Connect VPCs using VPC peering](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-peering.html).

## Gaining access to resources in the same account


In some cases, the Amazon Redshift resource you want to add to your Amazon SageMaker Unified Studio project might be in the same account as your project.

**For compute resources in the same account as your Amazon SageMaker Unified Studio project, complete the following steps:**

1. Send the Amazon Redshift admin the project ID. This can be found on the **Project overview** page of your Amazon SageMaker Unified Studio project.

1. The admin then adds one of the following tags to the Amazon Redshift cluster or workgroup and its namespace that you want to add to Amazon SageMaker Unified Studio.
   + Option 1: Add a tag to allow only a specific Amazon SageMaker Unified Studio project to access it: `AmazonDataZoneProject=projectID`.
   + Option 2: Add a tag to allow all Amazon SageMaker Unified Studio projects in this account to access it: `for-use-with-all-datazone-projects=true`.

1. The admin must then send you a username and password for a database user that has access to the compute resources.

You can then use the username and password to add the compute connection in Amazon SageMaker Unified Studio. For more information, see [Connecting to an existing Amazon Redshift resource](adding-a-existing-compute-connection.md).

## Gaining access to resources in a different account


In some cases, the Amazon Redshift resource you want to add to your Amazon SageMaker Unified Studio project might be in a different AWS account than your project.

**For compute resources in a different account, complete the following steps:**

1. Send the Amazon Redshift admin the following information from the **Project overview** page of your Amazon SageMaker Unified Studio project:
   + The Amazon SageMaker Unified Studio project role ARN. 
   + The Amazon SageMaker Unified Studio project ID.
   + The Amazon SageMaker Unified Studio project domain ID.

1. The admin must create an access role for Amazon SageMaker Unified Studio that can be used to query Amazon Redshift.

   An example permission policy for the Amazon Redshift access role for Amazon SageMaker Unified Studio is provided below:

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "RedshiftQueryEditorConnectPermissions",
               "Effect": "Allow",
               "Action": [
                   "redshift:GetClusterCredentialsWithIAM",
                   "redshift:GetClusterCredentials",
                   "redshift:DescribeClusters",
                   "redshift:CreateClusterUser"
               ],
               "Resource": [
                   "arn:aws:redshift:*:012345678912:cluster:*",
                   "arn:aws:redshift:*:012345678912:dbname:*/*",
                   "arn:aws:redshift:*:012345678912:dbuser:*/*"
               ]
           },
           {
               "Sid": "RedshiftServerlessQueryEditorConnectPermissions",
               "Effect": "Allow",
               "Action": [
                   "redshift-serverless:GetCredentials",
                   "redshift-serverless:GetWorkgroup",
                   "redshift-serverless:ListTagsForResource"
               ],
               "Resource": [
                   "arn:aws:redshift-serverless:*:012345678912:workgroup/*"
               ]
           },
           {
               "Sid": "SecretsManagerAccess",
               "Effect": "Allow",
               "Action": [
                   "secretsmanager:GetSecretValue",
                   "secretsmanager:DescribeSecret"
               ],
               "Resource": [
                   "secret_arn"
               ]
           },
           {
               "Sid": "sqlworkbench",
               "Effect": "Allow",
               "Action": [
                   "sqlworkbench:*"
               ],
               "Resource": [
                   "*"
               ]
           }
       ]
   }
   ```

   The trust policy of the access role is as follows:

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "AWS": "project-role-arn"
               },
               "Action": "sts:AssumeRole",
               "Condition": {
                   "StringEquals": {
                       "sts:ExternalId": "project-id"
                   }
               }
           },
           {
               "Effect": "Allow",
               "Principal": {
                   "AWS": "project-role-arn"
               },
               "Action": [
                   "sts:SetSourceIdentity"
               ],
               "Condition": {
                   "StringLike": {
                       "sts:SourceIdentity": "${aws:PrincipalTag/datazone:userId}"
                   }
               }
           },
           {
               "Effect": "Allow",
               "Principal": {
                   "AWS": "project-role-arn"
               },
               "Action": "sts:TagSession",
               "Condition": {
                   "StringEquals": {
                       "aws:RequestTag/AmazonDataZoneProject": "project-id",
                       "aws:RequestTag/AmazonDataZoneDomain": "domain-id"
                   }
               }
           }
       ]
   }
   ```

1. (Optional) If you want to use IAM credentials to access the Amazon Redshift resource, rather than an AWS Secrets Manager secret, the admin must add the following tag to the access role:

   ```
   RedshiftDbUser=Username
   ```

1. The admin then needs to provide JDBC connection info in one of two ways:
   + Use a Secrets Manager secret in the same account as the Redshift resource. The access role should have permission to read the secret value. For more information about the JSON format that should be used in the secret, see [JSON structure of a secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_secret_json_structure.html#reference_secret_json_structure_RS) in the AWS Secrets Manager User Guide.
   + Use a temporary username and password. This is generated from the IAM access role credentials.
     + The `RedshiftDbUser` tag on the access role is required. This determines the federated database user within the databases for the Amazon SageMaker Unified Studio users. For more information, see [Setting up principal tags to connect a cluster or workgroup from query editor v2](https://docs.aws.amazon.com/redshift/latest/mgmt/query-editor-v2-getting-started.html#query-editor-v2-principal-tags-iam) in the Amazon Redshift Management Guide.

1. The admin then sends you the following information: 
   + Access role ARN.
   + JDBC URL. For example: *jdbc:redshift://default-workgroup.012345678912.us-west-2.redshift-serverless.amazonaws.com*. For more information about JDBC connections, see [https://docs.aws.amazon.com/redshift/latest/mgmt/serverless-connecting.html#serverless-connecting-driver](https://docs.aws.amazon.com/redshift/latest/mgmt/serverless-connecting.html#serverless-connecting-driver) and [https://docs.aws.amazon.com/redshift/latest/mgmt/jdbc20-obtain-url.html](https://docs.aws.amazon.com/redshift/latest/mgmt/jdbc20-obtain-url.html) in the Amazon Redshift Management Guide.
   + (Optional) AWS Secrets Manager secret ARN. For example: *arn:aws:secretsmanager:us-west-2:012345678912:secret:shared-rs-cluster-password-Ab1CDe*.

You can then use the access credentials and JDBC URL to add the compute connection in Amazon SageMaker Unified Studio. For more information, see [Connecting to an existing Amazon Redshift resource](adding-a-existing-compute-connection.md).
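
The trust policy in the steps above limits who can assume the access role: only the project role, only with the project ID as the external ID, and only with matching project and domain session tags. The following Python check is an added example, not part of the AWS documentation; it compares a trust policy document with those conditions before the admin attaches it. The function names, the sample role ARN, and the project and domain IDs are assumptions made for illustration.

```python
def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, project_role_arn, project_id, domain_id):
    """Compare a trust policy with the conditions shown on this page; [] means it matches."""
    required = {
        "sts:AssumeRole": ("StringEquals", {"sts:ExternalId": project_id}),
        "sts:SetSourceIdentity": ("StringLike", {
            "sts:SourceIdentity": "${aws:PrincipalTag/datazone:userId}"}),
        "sts:TagSession": ("StringEquals", {"aws:RequestTag/AmazonDataZoneProject": project_id,
                                            "aws:RequestTag/AmazonDataZoneDomain": domain_id}),
    }
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        who = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if who != [project_role_arn]:
            findings.append(f"statement {i}: principal is not only the project role")
        for action in as_list(stmt.get("Action", [])):
            if action not in required:
                findings.append(f"statement {i}: unexpected action {action}")
                continue
            operator, expected = required[action]
            actual = stmt.get("Condition", {}).get(operator, {})
            for key in expected:
                if actual.get(key) != expected[key]:
                    findings.append(f"statement {i}: {action} lacks {operator} on {key}")
    return findings

# Constructed sample values (placeholders, not from a real account or project).
ROLE = "arn:aws:iam::111122223333:role/example-project-role"
PROJECT, DOMAIN = "example-project-id", "example-domain-id"
GOOD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE}, "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": PROJECT}}},
    {"Effect": "Allow", "Principal": {"AWS": ROLE}, "Action": ["sts:SetSourceIdentity"],
     "Condition": {"StringLike": {"sts:SourceIdentity": "${aws:PrincipalTag/datazone:userId}"}}},
    {"Effect": "Allow", "Principal": {"AWS": ROLE}, "Action": "sts:TagSession",
     "Condition": {"StringEquals": {"aws:RequestTag/AmazonDataZoneProject": PROJECT,
                                    "aws:RequestTag/AmazonDataZoneDomain": DOMAIN}}}]}
# Weakened variant: account-root principal and no ExternalId on sts:AssumeRole.
WEAK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "sts:AssumeRole"}] + GOOD["Statement"][1:]}

if __name__ == "__main__":
    for policy in (GOOD, WEAK):
        print(audit_trust_policy(policy, ROLE, PROJECT, DOMAIN))
```

An empty result means the document carries the same principal and conditions as the trust policy above; each finding names the statement index and the condition that differs.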

# Connecting to an existing Amazon Redshift resource


After you have gained access to an Amazon Redshift resource, you can add a connection to the compute resource in the Amazon SageMaker Unified Studio console. Complete the following steps to add a serverless or cluster compute to the project space:

1. Go to the **Compute** section of your project in Amazon SageMaker Unified Studio.

1. Select the **Data warehouse** tab.

1. Choose **Add compute**.

1. Choose **Connect to existing compute resources**, then choose **Next**.

1. Select the type of compute resource you want to add, then choose **Next**.

1. Under **Connection properties**, provide the JDBC URL or the compute you want to add. If the compute resource is in the same account as your Amazon SageMaker Unified Studio project, you can select the compute resource from a dropdown menu. For more information, see [Gaining access to Amazon Redshift resources](compute-prerequisite-redshift.md).

1. Under **Authentication**, provide the credential type you want to use to access the resource. The credential type must be one of the following options: Username and password, IAM credentials, AWS Secrets Manager.

1. Provide the credentials according to the authentication method you selected.

1. Under **Name**, input the name of the Amazon Redshift Serverless or Amazon Redshift Cluster you want to add.

1. Under **Description**, provide a description of the compute resource.

1. Choose **Add compute**. The Amazon SageMaker Unified Studio project Compute and Data pages then display information for that resource.

**Note**  
Some credentials provide more information than others on the Compute page. Using a username and password enables Amazon SageMaker Unified Studio to display more information for a resource.

# Creating a new Amazon Redshift Serverless compute resource


You can create a new compute resource and add a connection to it in Amazon SageMaker Unified Studio. Complete the following steps to add a new Amazon Redshift Serverless compute connection to the project space:

1. Go to the **Compute** section of your project in Amazon SageMaker Unified Studio.

1. On the **Data warehouse** tab, choose **Add compute**.

1. Choose **Create new compute resources**.

1. Select the type of compute resource you want to add.

1. Under **Compute name**, input a name for the Amazon Redshift Serverless resource you want to add.

1. Under **Description**, provide a description of the compute resource.

1. Set the base capacity, maximum capacity and database name.

1. Choose **Add compute**. The Amazon SageMaker Unified Studio project Compute and Data pages then display information for that resource.

**Note**  
Some credentials provide more information than others on the Compute page. Using a username and password enables Amazon SageMaker Unified Studio to display more information for a resource.

# Removing an Amazon Redshift compute connection


When you remove a compute connection in Amazon SageMaker Unified Studio, you delete your project's connection to the compute resource without deleting the compute resource itself.

To remove a compute connection in Amazon SageMaker Unified Studio, complete the following steps:

1. Go to the **Compute** page of your project in Amazon SageMaker Unified Studio.

1. Select the name of the compute connection you want to remove. You are then taken to the compute details page.

1. Choose **Actions** > **Remove compute**. A popup window appears asking you to confirm the removal.

1. To confirm the removal, input `confirm` in the text box provided.

1. Choose **Remove compute**.

This removes the Amazon SageMaker Unified Studio connection to the compute resource. You are then no longer able to access the compute resource in the Amazon SageMaker Unified Studio project, but the compute resource is not deleted.