Connecting to Amazon Redshift

Privacy Dynamics can connect to your Redshift cluster. This guide helps you authenticate and authorize Privacy Dynamics to access your data in Redshift.

Requirements

To complete this guide, you will need the following:

  • An AWS account with an active Redshift cluster.
  • A Redshift user with CREATEUSER privileges (a superuser).
  • A Privacy Dynamics account.

Instructions

Before you connect to Redshift in Privacy Dynamics, create a new service account user and role for Privacy Dynamics to use.

Configure Your Redshift Cluster

Tip

Our Redshift integration must be able to COPY data from a temporary file in an S3 bucket. By default, we provide this bucket for you and authorize your cluster to copy from it. If you need another solution, please reach out to us.

The following script completes the setup for our service account. Customize it with the names of your databases, schemas, and service account user, and then execute it in your cluster as a superuser.

-- create the service account user and role
-- replace the example password below with your own long, unique secret
create user svc_pvcy password 'MyLongAndSecretPassword987654321';
create role anonymizer;

revoke all from role anonymizer;

-- CONFIGURE ORIGIN SCHEMA(s)

-- any existing schemas that you want us to read from need their own grants
-- we require usage on the schema and select on any tables/views in that schema
grant usage on schema raw_sensitive to role anonymizer;
grant select on all tables in schema raw_sensitive to role anonymizer;

-- optionally grant access to any future tables or views in source schema.
-- this command is not supported for roles, so must use the user name.
-- note: before dropping the svc_pvcy user, you will have to revoke this default priv.
alter default privileges 
    for user <user that creates tables in this schema>
    in schema raw_sensitive
    grant select on tables to svc_pvcy;

-- CONFIGURE DESTINATION SCHEMA(s)

-- Option 1: Allow us to create new schemas in the destination database
grant create on database dev to role anonymizer;

-- Option 2: Allow us to write to an existing schema owned by another user
grant usage on schema privacy_safe to role anonymizer;
grant create on schema privacy_safe to role anonymizer;

-- GRANT ROLE TO USER
grant role anonymizer to svc_pvcy;
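
To confirm that the setup left the service account with only the intended access, the queries below can be run as a superuser in the database you configured. This is an added example, not part of Privacy Dynamics' script; it assumes the sample names used above (svc_pvcy, anonymizer, raw_sensitive, privacy_safe, dev) and Redshift's SVV_* privilege system views, which report grants for the current database.

```sql
-- Added verification example (not part of the vendor script).
-- Assumes the sample names from the setup script; substitute your own.

-- 1. The service account should be an ordinary user: check the
--    superuser and create-database flags.
select usename, usesuper, usecreatedb
from pg_user
where usename = 'svc_pvcy';

-- 2. Roles held by the service account. The setup script grants only
--    the anonymizer role.
select user_name, role_name, admin_option
from svv_user_grants
where user_name = 'svc_pvcy';

-- 3. Database-level privileges held by the role or the user
--    (Option 1 in the setup script grants CREATE on database dev).
select database_name, privilege_type, identity_name, identity_type
from svv_database_privileges
where identity_name in ('anonymizer', 'svc_pvcy');

-- 4. Schema-level privileges. The setup script grants USAGE on
--    raw_sensitive and, for Option 2, USAGE and CREATE on privacy_safe.
select namespace_name, privilege_type, identity_name, identity_type
from svv_schema_privileges
where identity_name in ('anonymizer', 'svc_pvcy')
order by namespace_name, privilege_type;

-- 5. Table and view grants that are NOT plain SELECT on the origin
--    schema, i.e. anything broader than the setup script hands out.
select namespace_name, relation_name, privilege_type, identity_name
from svv_relation_privileges
where identity_name in ('anonymizer', 'svc_pvcy')
  and not (namespace_name = 'raw_sensitive'
           and upper(privilege_type) = 'SELECT')
order by namespace_name, relation_name;

-- 6. Default privileges granted directly to the user. These are the
--    grants that must be revoked before svc_pvcy can be dropped.
select schema_name, object_type, owner_name, privilege_type, grantee_name
from svv_default_privileges
where grantee_name = 'svc_pvcy';
```

Compare each result with the grants you actually ran; rows you cannot trace back to the setup script are candidates for a revoke.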

Add the Redshift Connection in Privacy Dynamics

  1. Sign in to your Privacy Dynamics account.
  2. Go to the Connections page.
  3. Select Add Connection.
  4. Choose Redshift and select Next.
  5. Enter the connection details:
    • Name - a name for you to identify the connection.
    • Host - the endpoint, without the port or database name. Takes the form cluster-name.abc123.region.redshift.amazonaws.com.
    • Port - the port we use to connect to your cluster. The default is 5439.
    • Username - the username of the service account we created earlier (svc_pvcy).
    • Password - the password for the service account user.
    • Database - the name of the database you would like to use.
  6. Select TEST CONNECTION to verify the credentials.
  7. Select ADD CONNECTION. The connection is saved if there are no errors.

Using SSH Forwarding

Privacy Dynamics supports the use of an SSH "jump box" or bastion host for Redshift connections. When creating the connection, select Use SSH, and then supply the SSH Host, SSH Port, SSH Username, and SSH Private Key fields. For more details and a tutorial on using SSH with Privacy Dynamics, please see this walkthrough video.

Other Configuration

If you have network access controls in place that limit connections to Redshift or your SSH bastion host, you will need to add Privacy Dynamics' IP addresses to your allowlist. You can find those IP addresses in this public JSON file.
