Based on: https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_EXTERNAL_SCHEMA.html
I have my schema declared in the following way:
create external schema spectrum_schema
from data catalog
database 'spectrum_db'
iam_role 'arn:aws:iam::123456789012:role/myRedshiftRole,arn:aws:iam::123456789012:role/myS3Role'
catalog_role 'arn:aws:iam::123456789012:role/myAthenaRole'
create external database if not exists;
I decided I want to change my IAM Role for this schema and having something like arn:aws:iam::123456789012:role/moreBeautifulRole instead.
Is it possible to change it? Ideally I'd like to change it with something like
ALTER SCHEMA spectrum_schema IAM_ROLE 'arn:aws:iam::123456789012:role/moreBeautifulRole'
without destroying the schema. Please share the available options.
After confirming with AWS Support, at the date posting this answer it is not supported to edit the IAM Role in an existing External Schema.
Available options I can think are:
Create a new External Schema with the moreBeautifulRole
Add Policy to myS3Role with the required permission - or edit the already assigned one
Drop and recreate external schema and depending objects (including external tables). Using DBT is not too bad as approach
Related
When I attempt to drop an external table in Azure Synapse SQL Pool I get the folloiwng error:
Cannot drop the EXTERNAL TABLE 'TableName', because it does not exist or you do not have permission.
I am accessing Synapse SQL Server via SSMS.
Can someone let me know how elevate my permissions to drop an external table please.
Theis error generally cause two reasons one is you are table might not present in that particular data baser or the user with which you are querying that table has not have proper privileges.
To Drop Any external table, you need below three major permissions like Alter any schema, alter any external data source and alter any external file format as #Jon suggested.
GRANT ALTER ANY SCHEMA to {user};
GRANT ALTER ANY EXTERNAL DATA SOURCE to {user};
GRANT ALTER ANY EXTERNAL FILE FORMAT to {user};
And also db_exporter server role is there which grant all this permission to you user.
ALTER SERVER ROLE db_exporter ADD MEMBER {user} ;
Also make sure you are using appropriate database to be querying your table where it is present.
And also make sure there is no DENY permission on your user
Use case-
After learning that AD Passthrough is not working as expected on Synapse Serverless pool with ADLS Gen-2 ; I am trying to use traditional method of creating external tables on Serverless Pool and granting READ ONLY access to users to a set of tales and enable WRITE BACK option to another ADLS Gen-2 container using CETAS option .
Looks like I am stuck there as well - to move forward.
I have tried to explain my scenario in below image.
Now - I have 5 external tables on a database where I have a READ ONLY access to the schema's where those table exists.
I wanted to create few more tables - which ideally does a JOIN between those 5 tables and aggregates the data and writes back to ADLS Gen-2 for reporting/data science purpose.
What access should I grant for WRITE back purpose ?
I tried creating new schema and granting ALTER, CONTROL, SELECT access to that schema along with CREATE TABLE access at database level . I dont want to grant more access to database level - as it has data scoped credential having managed identity referenced- which will grant full access on ROC container objects.
Grant select on SCHEMA ::sandbox to sls_svc ;
Grant ALTER on SCHEMA ::sandbox to sls_svc ;
GRANT CONTROL ON SCHEMA::[sandbox ] TO [sls_svc];
Grant CREATE TABLE to sls_svc;
CREATE EXTERNAL TABLE sanbox.revenue-by-month
WITH (
LOCATION = '/ROW/revenue-by-month/',
DATA_SOURCE = ADLS-ROW,
FILE_FORMAT = EF_PARQUET
)
AS
SELECT * from table1;
all users in sls_svc role has STORAGE DATA CONTRIBUTOR access on READ-WRITE-CONTAINER (ROW)
Below are the error messages I am getting
I also tried creating a new database. hoping that i can grant full access on that database - so that cross DB query can work - but I am out of luck there as well.
Any thoughts ?
It seems that you have correctly set permissions https://learn.microsoft.com/en-us/azure/synapse-analytics/sql/develop-storage-files-overview?tabs=impersonation#permissions
Are you sure that you can successfully execute just select statement and that the issue is not in SELECT part?
GRANT CONNECT to the database that was created
+
GRANT DDL_ADMIN access
resolved the issue
We want to migrate tables to Spectrum, which requires defining an external schema
create external schema spectrum
from data catalog
database 'spectrumdb'
iam_role 'my_iam_role'
create external database if not exists;
I created an external table in Redshift like this:
create external table spectrum.my_table(
id bigint,
accountId bigint,
state varchar(65535),
) stored as parquet
location 's3://some_bucket/my_table_files';
Is it possible to alias the table such that when querying it, I can call it my_table_alias instead of spectrum.my_table? Basically, we want to make the change to external tables opaque to clients of our Redshift instance (this means we can't change the table names). Thanks so much for your help!
Redshift does not have aliases, your best option is to create a view.
You need to use WITH NO SCHEMA BINDING option while creating the view since the view is on an external table.
If you like to not specify schema names or you have a requirement like this create the view(s) in public schema or set the users default schema to the schema where the views are
alter user .. set search_path to ..
Additional benefits of using a view to access an external table are, you can
rename columns to be more user friendly
add or remove columns with view definition
change data types and/or date/time formats
you will have the ability to change name/structure of the external table without effecting user access
Let me know if this answers your question.
Is it possible to alter schema of a database I am not connected to? More specifically I need to change an owner of a schema (but it doesn't matter for the questions' sake).
As documentation says schemata can be altered using a clause like:
ALTER SCHEMA name OWNER TO { new_owner | CURRENT_USER | SESSION_USER }
and it sure works, but only on a database I am currently connected in.
Sure I can reconnect to the other database and do it manually, but I am interested whether it is possible to do it from a connection to another (typically postgres) database. It would be quite helpful for automation processes.
I have tried something like:
ALTER DATABASE ALTER SCHEMA name OWNER TO ...
ALTER SCHEMA "db_name".name OWNER TO ...
But without success - so I am interested whether it is possible at all.
I tried to search for this information using one popular search engine and StackOverflow search feature as well. Unsuccessfully - hence the question.
As #a_horse_with_no_name and #JacobH pointed out in comments it is not possible to alter schema of a database you are not currently connected to.
So I ended up using a command like this in order to achieve the schema alteration:
psql $PG_DATABASE -c "ALTER SCHEMA \"<schema-name>\" OWNER TO $PG_USER";
I have access to a schema (my_schema) on a read-only database, and on that database there's another schema that contains the data I need. I can connect directly to my_schema and query other_schema.table_name without a problem.
I have another database on another_server and I would like to access other_schema.table_name via a database link.
I can create a dblink (db_link) from my local DB (another_server) to my_schema, but I don't know how to refer to objects in other_schema if it's even possible.
Ideally I could create a view in my_schema that hides the owner of the table: create view table_name_v as select * from other_schema.table_name. Unfortunately, the DBA tells me it's a read-only database and they can't create views or even synonyms over there.
Is it at all possible for me to access the other_schema.table_name across the DB link? Something like this:
sqlplus> select * from other_schema.table_name#db_link;