Setup

Step 1: Gather cluster information

  1. Log into AWS Management Console
  2. Navigate to Amazon Redshift > Clusters
  3. Select your cluster
  4. Note the following:
    • Endpoint: e.g., mycluster.abc123.us-west-2.redshift.amazonaws.com
    • Port: Usually 5439
    • Database: Your database name

Step 2: Configure network access

Choose one of the following connection methods:

Option 1: Direct IP Access

Allow ClarityQ to connect by configuring your security group:
  1. Navigate to EC2 > Security Groups
  2. Find the security group attached to your Redshift cluster
  3. Add an inbound rule:
    • Type: Custom TCP
    • Port: 5439
    • Source: Add these ClarityQ IP addresses:
      • 44.218.213.75
      • 54.161.37.107
      • 54.208.212.67
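
A check for the inbound rule above, added here as an example (it is not ClarityQ's code): it audits the `IpPermissions` list returned by `aws ec2 describe-security-groups` and reports any internet-facing source on port 5439 other than the three ClarityQ addresses. The function names and the sample rules are constructed for illustration.

```python
import ipaddress

# ClarityQ source addresses listed in Option 1 on this page.
CLARITYQ_IPS = {"44.218.213.75", "54.161.37.107", "54.208.212.67"}
REDSHIFT_PORT = 5439
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def covers_port(perm, port=REDSHIFT_PORT):
    """True if an IpPermissions entry applies to the given TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    return proto == "tcp" and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def audit_ingress(ip_permissions):
    """Return (unexpected public sources on 5439, ClarityQ IPs not yet allowed as /32)."""
    findings, allowed = [], set()
    for perm in filter(covers_port, ip_permissions):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == 4 and net.prefixlen == 32 and str(net.network_address) in CLARITYQ_IPS:
                allowed.add(str(net.network_address))
            elif net.version == 4 and any(net.subnet_of(r) for r in RFC1918):
                continue  # private VPC range, not reachable from the internet
            else:
                findings.append(cidr)  # public range that is not a ClarityQ /32
    return findings, sorted(CLARITYQ_IPS - allowed)

# Constructed sample in the shape of describe-security-groups output.
SAMPLE = [
    {"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
     "IpRanges": [{"CidrIp": "44.218.213.75/32"}, {"CidrIp": "54.161.37.107/32"},
                  {"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5000, "ToPort": 6000,  # port range that includes 5439
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,      # unrelated port, ignored
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
]

if __name__ == "__main__":
    findings, missing = audit_ingress(SAMPLE)
    print("unexpected public sources on 5439:", findings)
    print("ClarityQ IPs not yet allowed:", missing)
```
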

Option 2: AWS PrivateLink

Establish a private connection without exposing traffic to the public internet:

Step 2a: Create a Network Load Balancer (if you don’t have one)

If you don’t already have a Network Load Balancer for your Redshift cluster:
  1. Navigate to EC2 > Load Balancers
    • In AWS Console, search for “EC2” and select EC2
    • In the left navigation pane, under Load Balancing, click Load Balancers
  2. Create Network Load Balancer
    • Click Create Load Balancer
    • Select Network Load Balancer and click Create
  3. Configure Load Balancer
    • Load balancer name: Enter a name (e.g., redshift-nlb)
    • Scheme: Select Internal (for private connectivity)
    • IP address type: Select IPv4
    • VPC: Choose the same VPC as your Redshift cluster
    • Availability Zones: Select the subnets where your Redshift cluster is accessible
  4. Configure Listener
    • Protocol: TCP
    • Port: 5439 (Redshift default port)
    • Target group: Create a new target group with:
      • Target type: IP addresses
      • Protocol: TCP
      • Port: 5439
      • VPC: Same as your Redshift cluster
      • Add your Redshift cluster’s IP as a target
  5. Create the Load Balancer
    • Review settings and click Create load balancer
    • Wait for it to become Active (takes a few minutes)

Step 2b: Create an Endpoint Service

  1. Open AWS Console and navigate to VPC
  2. Access Endpoint Services
    • In the left navigation pane, scroll down to Virtual private cloud
    • Click Endpoint services
  3. Create the Endpoint Service
    • Click Create endpoint service
  4. Configure the Endpoint Service
    • Service name: Leave this empty (AWS will auto-generate)
    • Load balancer type: Select Network
    • Available load balancers: Choose your Network Load Balancer from Step 2a
    • Require acceptance for endpoint: Check this box (recommended for security)
    • Supported IP address types: Select IPv4 (default)
  5. Review and Create
    • Click Create endpoint service
    • AWS will generate a service name in the format: com.amazonaws.vpce.<region>.vpce-svc-<id>
    • Important: Copy this service name - you’ll need it for Step 2d

Step 2c: Authorize ClarityQ Access

  1. In your Endpoint Service settings, add ClarityQ’s AWS account under “Allow principals”:
    arn:aws:iam::452271769350:root

Step 2d: Note Service Details for ClarityQ Configuration

You’ll need these details when configuring the connection in ClarityQ:
  • Service name: Your endpoint service name
  • AWS Region: The region where your service is located
  • Cluster details: Endpoint, port, database name, and schema

Step 3: Create a dedicated user

Connect to your Redshift cluster and create a service account:
-- Create user with password
CREATE USER clarityq_user
WITH PASSWORD 'your_secure_password'
CONNECTION LIMIT 10;

Step 4: Grant database permissions

Configure the required permissions for ClarityQ to connect, discover schemas, and query your data:
-- Grant database connection
GRANT CONNECT ON DATABASE your_database TO clarityq_user;

-- Grant schema discovery and usage (for all schemas ClarityQ should access)
GRANT USAGE ON SCHEMA public TO clarityq_user;
GRANT USAGE ON SCHEMA your_schema TO clarityq_user;

-- Grant table read access for data querying
GRANT SELECT ON ALL TABLES IN SCHEMA public TO clarityq_user;
GRANT SELECT ON ALL TABLES IN SCHEMA your_schema TO clarityq_user;

Step 5: Configure connection in ClarityQ

In the ClarityQ interface, fill out the connection form with the following fields:

For Option 1 (Direct IP Access):

Basic Fields:
  • Connection Name: Choose a name for this connection (e.g., “Production Redshift”)
  • Host: Your Redshift cluster endpoint (e.g., mycluster.abc123.us-west-2.redshift.amazonaws.com)
  • Port: 5439 (default, pre-filled)
  • Database: Your database name (e.g., analytics_db)
  • User: clarityq_user (the user you created in Step 3)
  • DB Schema: public (default, pre-filled)

For Option 2 (AWS PrivateLink):

Basic Fields:
  • Connection Name: Choose a name for this connection (e.g., “Production Redshift PrivateLink”)
  • Host: The DNS name of your VPC Endpoint Service (e.g., com.amazonaws.vpce.us-west-2.vpce-svc-abc123def456.us-west-2.vpce.amazonaws.com)
  • Port: 5439 (default, pre-filled)
  • Database: Your database name (e.g., analytics_db)
  • User: clarityq_user (the user you created in Step 3)
  • DB Schema: public (default, pre-filled)

Authentication Method (for both options)

Choose one of the following by toggling “Use IAM Authentication”:

Password Authentication (default):
  • Password: Enter the password you set for clarityq_user
IAM Authentication (toggle enabled):
  • Cluster Identifier: Your Redshift cluster name (e.g., mycluster)
  • Region: AWS region (e.g., us-west-2)
  • Access Key ID: AWS access key generated in Step 2 of “IAM authentication setup” below
  • Secret Access Key: AWS secret key generated in Step 2 of “IAM authentication setup” below

IAM authentication setup

For enhanced security, configure IAM-based authentication:

Step 1: Create IAM policy

Create a policy for Redshift access:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "redshift:GetClusterCredentials"
      ],
      "Resource": [
        "arn:aws:redshift:us-west-2:123456789012:dbuser:mycluster/clarityq_user"
      ]
    }
  ]
}
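
A least-privilege check for this policy, added here as an example (it is not ClarityQ's code): it confirms that every Allow statement grants only `redshift:GetClusterCredentials` on the single `dbuser` resource, and flags wildcards that would let the key holder request credentials for other database users. The function names and the over-broad variant are constructed for illustration.

```python
EXPECTED_ACTION = "redshift:getclustercredentials"  # IAM action names are case-insensitive

def as_list(value):
    """IAM allows Statement/Action/Resource to be a single value or a list."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy, cluster, db_user):
    """Return reasons the policy allows more than GetClusterCredentials for one dbuser."""
    problems = []
    want_suffix = f":dbuser:{cluster}/{db_user}"
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            problems.append(f"statement {i}: NotAction/NotResource allows everything not listed")
        for action in as_list(stmt.get("Action", [])):
            if action.lower() != EXPECTED_ACTION:
                problems.append(f"statement {i}: extra or wildcard action {action!r}")
        for res in as_list(stmt.get("Resource", [])):
            if "*" in res or "?" in res:
                problems.append(f"statement {i}: wildcard in resource {res!r}")
            elif not (res.startswith("arn:aws:redshift:") and res.endswith(want_suffix)):
                problems.append(f"statement {i}: resource {res!r} is not the expected dbuser")
    return problems

# The policy shown on this page.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["redshift:GetClusterCredentials"],
        "Resource": ["arn:aws:redshift:us-west-2:123456789012:dbuser:mycluster/clarityq_user"],
    }],
}

# Constructed over-broad variant: any Redshift action, credentials for any database user.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "redshift:*",
        "Resource": "arn:aws:redshift:us-west-2:123456789012:dbuser:mycluster/*",
    },
}

if __name__ == "__main__":
    for name, pol in (("page policy", PAGE_POLICY), ("broad policy", BROAD_POLICY)):
        print(name, audit_policy(pol, "mycluster", "clarityq_user") or "OK")
```
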

Step 2: Attach policy to IAM user or role

  1. Create or select an IAM user/role
  2. Attach the policy created above
  3. Generate access keys if using IAM user

Step 3: Configure in ClarityQ

Use the IAM configuration with:
  • cluster_identifier: Your cluster name
  • region: AWS region
  • access_key_id and secret_access_key: AWS credentials for the IAM user/role with the policy created above