Amazon Redshift Destination
Connect Amazon Redshift as a destination to load data from your Supaflow sources into Redshift.
For an overview of capabilities and use cases, see the Amazon Redshift connector page. To use Redshift as a source, see Amazon Redshift Source.
Prerequisites
Before you begin, ensure you have:
- An active Amazon Redshift provisioned cluster or Serverless workgroup
- Network connectivity between Supaflow and your Redshift endpoint
- A Redshift database user that can create schemas, create tables, create temporary tables, and insert rows
- An S3 bucket and prefix for Redshift load data movement
- An IAM role that Supaflow can assume and that Redshift can use for destination loads
- Firewall or security group rules that allow inbound connections from Supaflow, if your Redshift endpoint is not privately connected
If your Redshift cluster or workgroup restricts inbound connections, add the Supaflow IP to your security group or firewall allowlist:
18.214.240.61
Redshift commonly listens on TCP port 5439. For private deployments, use your approved private network path instead of public IP allowlisting.
AWS Setup
Redshift destinations require an S3 location and IAM role for data movement. You can use one IAM role for both Supaflow and Redshift, or configure a separate Redshift role in Advanced Settings.
Step 1: Create S3 Staging Permissions Policy
- Log in to the AWS Console -> IAM -> Policies -> Create policy
- Click the JSON tab. Copy the following policy and paste it into the JSON editor:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowBucketListForStagingPrefix",
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::<YOUR_BUCKET_NAME>",
"Condition": {
"StringLike": {
"s3:prefix": [
"<STAGING_PREFIX>",
"<STAGING_PREFIX>/*"
]
}
}
},
{
"Sid": "AllowObjectReadWriteDeleteInStagingPrefix",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts"
],
"Resource": "arn:aws:s3:::<YOUR_BUCKET_NAME>/<STAGING_PREFIX>/*"
}
]
}
-
Modify these values:
- Replace <YOUR_BUCKET_NAME> with your S3 bucket name
- Replace <STAGING_PREFIX> with the S3 prefix Supaflow can use for Redshift staging
- If you want full-bucket access, remove the
Conditionblock and usearn:aws:s3:::<YOUR_BUCKET_NAME>/*for object access - Supaflow uses the explicit Bucket Region value you configure, so this minimal policy does not require
s3:GetBucketLocation
-
Click Next -> name the policy (for example,
SupaflowRedshiftStagingPolicy) -> Create policy
Step 2: Create IAM Role with Trust Policy
- Navigate to IAM -> Roles -> Create role
- Select Custom trust policy. Copy the following trust policy and paste it into the JSON editor:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowSupaflowAssumeRole",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::805595753828:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "<YOUR_EXTERNAL_ID>"
}
}
},
{
"Sid": "AllowRedshiftAssumeRole",
"Effect": "Allow",
"Principal": {
"Service": [
"redshift.amazonaws.com",
"redshift-serverless.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
-
Modify this value:
- Replace <YOUR_EXTERNAL_ID> with a unique secret string
- Use the same value in the Supaflow External ID field
-
Click Next
-
Attach the S3 staging policy you created
-
Enter a descriptive role name, such as
SupaflowRedshiftStagingAccess -
Click Create role
If your AWS security model requires separate roles, create one role that Supaflow can assume for S3 read/write access, then create a second role that Redshift can assume for COPY. Put the Redshift role ARN in Redshift COPY and UNLOAD IAM Role ARN and associate that role with your Redshift cluster or Serverless namespace. Both roles need access to the same staging bucket and prefix.
Step 3: Attach the Role to Redshift
Attach the IAM role to your Redshift cluster or Serverless namespace so Redshift can use it for COPY. See AWS's role-based access control, COPY authorization, and COPY documentation for the Redshift-side setup.
If your Redshift database restricts role usage, grant the Supaflow database user permission to use the role for COPY:
GRANT ASSUMEROLE
ON 'arn:aws:iam::<account-id>:role/<redshift-copy-role>'
TO supaflow_writer
FOR COPY;
Replace the role ARN and user name with your actual values.
Create Destination User
Create a dedicated Redshift user for Supaflow. A read-only user is not sufficient for a destination because Supaflow creates schemas, creates tables, writes rows, and evolves tables as source schemas change.
CREATE USER supaflow_writer PASSWORD 'your_secure_password';
Grant the user permission to create schemas and temporary tables in the target database:
GRANT CREATE, TEMPORARY ON DATABASE your_database TO supaflow_writer;
If you want Supaflow to load into an existing schema instead of creating schemas, grant usage and create on that schema:
GRANT USAGE, CREATE ON SCHEMA your_schema TO supaflow_writer;
Supaflow's setup validation checks that the destination user can read metadata, create temporary tables, create a schema, create a table, and insert rows.
Configuration
Step 1: Connection
Host*Redshift cluster or Serverless workgroup endpoint, without protocol or port
Example: example.abc123.us-east-1.redshift.amazonaws.com
Redshift JDBC port
Default: 5439
Name of the target Redshift database
Example: dev
Default target schema for loaded tables
Default: public
Redshift database user
Example: supaflow_writer
Password for the Redshift database user
Stored encrypted
Use TLS for the Redshift JDBC connection
Default: enabled
Step 2: S3 Staging
S3 Staging Bucket*S3 bucket used for staged load files
Example: my-redshift-stage
S3 prefix Supaflow can use for staged files
Default: supa-prefix
AWS region of the S3 staging bucket
Example: us-east-1
IAM role ARN Supaflow assumes with the External ID to read and write staged files. Redshift COPY also uses this role unless a separate Redshift role is configured.
Example: arn:aws:iam::123456789012:role/SupaflowRedshiftStagingAccess
External ID for secure role assumption. Must match the value in your trust policy.
Stored encrypted
Step 3: Advanced Settings (Optional)
Redshift COPY and UNLOAD IAM Role ARNSeparate role ARN for Redshift to use when executing COPY for destination loads. Leave empty to use the main IAM Role ARN.
Custom S3-compatible endpoint URL. Leave empty for standard AWS S3.
Noop QuerySimple query used to validate Redshift connectivity
Default: SELECT 1
Additional Redshift JDBC properties as key=value pairs separated by semicolons
Example: loginTimeout=30;socketTimeout=60
Maximum seconds a Redshift query may run. Use 0 for no timeout.
Default: 0
Step 4: Test & Save
After configuring all required properties, click Test & Save to verify the connection, destination write permissions, and S3 role assumption.
Schema Evolution
Supaflow creates target schemas and tables on the first load and keeps them in step with your source:
- New columns are added to the Redshift target table
- New tables are created when you add objects to the pipeline
- Supported type changes are applied during schema evolution
- Removed columns are kept in the destination; existing data is not dropped automatically
If an overwrite path recreates a target table, Supaflow preserves existing manual DISTKEY or SORTKEY settings when the referenced columns still exist.
The Redshift destination maps semi-structured source values to Redshift SUPER and binary values to VARBYTE. XML columns are not supported on the current Redshift destination path.
Troubleshooting
Cannot connect to the Redshift endpoint
Problem:
- Test & Save cannot establish the connection to Redshift
- Error mentions a connection timeout,
connection refused, or an unreachable host
Solutions:
- Allow the Supaflow IP through your security group or firewall:
- Add
18.214.240.61for inbound access on the Redshift port you entered in Supaflow, usually5439 - For private deployments, use your approved private network path instead
- Add
- Confirm the endpoint is reachable. A Redshift Serverless workgroup or provisioned cluster must be publicly accessible, or reachable from Supaflow over a private network path.
- Check the Host and Port. Enter the endpoint in Host without protocol or port, and set Port to your Redshift listener (default
5439).
Access denied when assuming role
Problem:
- Test connection fails while assuming the IAM role
- Error mentions
sts:AssumeRoleor an external ID mismatch
Solutions:
- Verify the trust policy:
- Principal should include
arn:aws:iam::805595753828:root - External ID must match the value entered in Supaflow
- Principal should include
- Check the Role ARN:
- Copy the complete ARN from the IAM role summary page
- Confirm the role exists in the same AWS account you expect
- Wait for IAM propagation:
- IAM changes can take a few minutes to apply
Redshift cannot read staged files from S3
Problem:
- Load fails during
COPY - Error mentions S3 access denied, missing S3 permissions, or role authorization
Solutions:
- Confirm the role is attached to Redshift for
COPYaccess. - Grant the role S3 read access to the configured staging prefix.
- Grant ASSUMEROLE if required:
GRANT ASSUMEROLE
ON 'arn:aws:iam::<account-id>:role/<redshift-copy-role>'
TO supaflow_writer
FOR COPY; - Check Bucket Region in Supaflow. Supaflow uses this explicit value instead of requiring
s3:GetBucketLocation, and Redshift requires the correct S3 bucket region for cross-regionCOPY.
Insufficient Redshift permissions
Problem:
- Connection test passes, but setup validation or loads fail
- Error mentions
CREATE SCHEMA,CREATE TABLE, temporary tables, or insert permission
Solutions:
- Grant destination write permissions:
GRANT CREATE, TEMPORARY ON DATABASE your_database TO supaflow_writer; - If loading into an existing schema, grant schema permissions:
GRANT USAGE, CREATE ON SCHEMA your_schema TO supaflow_writer; - Use a destination-specific user. A source read-only user is not sufficient for Redshift destination loads.
COPY row errors
Problem:
- Load completes with warnings or fails in strict error mode
- Job details mention Redshift
COPYrow errors
Solutions:
- Open Job Details and review the per-object error artifact.
- Check recent schema changes in the source object.
- Review source values for Redshift type limits, especially very large strings, semi-structured values, or unsupported XML columns.
Query reached usage limit
Problem:
- Loads fail with
Query reached usage limit - Failures occur on a Redshift Serverless workgroup
Solutions:
- Check Redshift Serverless usage limits for the workgroup.
- Increase the usage limit, wait for the limit period to reset, or change the breach action according to your AWS cost controls.
- Schedule large initial loads off-peak or reduce selected pipeline scope for the first run.
Support
Need help? Contact us at support@supa-flow.io