aws · dontirun · Nov 16, 2023 · Nov 16, 2023 · Nov 18, 2023 · Nov 18, 2023
diff --git a/packages/@aws-cdk/aws-redshift-alpha/README.md b/packages/@aws-cdk/aws-redshift-alpha/README.md
@@ -240,7 +240,18 @@ new Table(this, 'Table', {
 
 ### Granting Privileges
 
-You can give a user privileges to perform certain actions on a table by using the
+You can grant a *cluster* IAM permissions to perform actions on other AWS services.
+For example, you may want to allow a cluster to read from a S3 bucket for Redshift Spectrum.
+
+```ts fixture=cluster
+const bucket = new s3.Bucket(stack, 'KmsBucket',{
+  encryptionKey: new kms.Key(stack,'Key')
+})
+bucket.grantRead(cluster)
+```
+
+
+You can give a *user* privileges to perform certain actions on a table by using the
 `Table.grant()` method.
 
 ```ts fixture=cluster

diff --git a/packages/@aws-cdk/aws-redshift-alpha/lib/cluster.ts b/packages/@aws-cdk/aws-redshift-alpha/lib/cluster.ts
@@ -1,17 +1,17 @@
-import * as path from 'path';
 import * as ec2 from 'aws-cdk-lib/aws-ec2';
 import * as iam from 'aws-cdk-lib/aws-iam';
 import * as kms from 'aws-cdk-lib/aws-kms';
 import * as lambda from 'aws-cdk-lib/aws-lambda';
+import { CfnCluster } from 'aws-cdk-lib/aws-redshift';
 import * as s3 from 'aws-cdk-lib/aws-s3';
 import * as secretsmanager from 'aws-cdk-lib/aws-secretsmanager';
 import { ArnFormat, CustomResource, Duration, IResource, Lazy, RemovalPolicy, Resource, SecretValue, Stack, Token } from 'aws-cdk-lib/core';
 import { AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId, Provider } from 'aws-cdk-lib/custom-resources';
 import { Construct } from 'constructs';
+import * as path from 'path';
 import { DatabaseSecret } from './database-secret';
 import { Endpoint } from './endpoint';
 import { ClusterParameterGroup, IClusterParameterGroup } from './parameter-group';
-import { CfnCluster } from 'aws-cdk-lib/aws-redshift';
 import { ClusterSubnetGroup, IClusterSubnetGroup } from './subnet-group';
 /**
  * Possible Node Types to use in the cluster
@@ -299,10 +299,17 @@ export interface ClusterProps {
   readonly masterUser: Login;
 
   /**
-   * A list of AWS Identity and Access Management (IAM) role that can be used by the cluster to access other AWS services.
+   * A default AWS Identity and Access Management (IAM) role to be used by the cluster to access other AWS services.
+   *
+   * @default - Create a new role
+   */
+  readonly serviceRole?: iam.IRole;
+
+  /**
+   * A list of additional AWS Identity and Access Management (IAM) roles that can be used by the cluster to access other AWS services.
    * The maximum number of roles to attach to a cluster is subject to a quota.
    *
-   * @default - No role is attached to the cluster.
+   * @default - Only the serviceRole is attached to the cluster.
    */
   readonly roles?: iam.IRole[];
 
@@ -417,7 +424,7 @@ abstract class ClusterBase extends Resource implements ICluster {
  *
  * @resource AWS::Redshift::Cluster
  */
-export class Cluster extends ClusterBase {
+export class Cluster extends ClusterBase implements iam.IGrantable {
   /**
    * Import an existing DatabaseCluster from properties
    */
@@ -454,6 +461,16 @@ export class Cluster extends ClusterBase {
    */
   public readonly secret?: secretsmanager.ISecret;
 
+  /**
+   *  A default AWS Identity and Access Management (IAM) role to be used by the cluster to access other AWS services.
+   */
+  public readonly serviceRole: iam.IRole;
+
-  /**
-   *  A default AWS Identity and Access Management (IAM) role to be used by the cluster to access other AWS services.
-   */
-  public readonly serviceRole: iam.IRole;
+  /**
+   * A default AWS Identity and Access Management (IAM) role to be used by the cluster to access other AWS services.
+   */
+  private readonly serviceRole: iam.IRole;
-  /**
-   *  A default AWS Identity and Access Management (IAM) role to be used by the cluster to access other AWS services.
-   */
-  public readonly serviceRole: iam.IRole;
+  /**
+   * A default AWS Identity and Access Management (IAM) role to be used by the cluster to access other AWS services.
+   */
+  private readonly serviceRole: iam.IRole;
+  /**
+   * The principal this cluster is using.
+   */
+  public readonly grantPrincipal: iam.IPrincipal;
+
   private readonly singleUserRotationApplication: secretsmanager.SecretRotationApplication;
   private readonly multiUserRotationApplication: secretsmanager.SecretRotationApplication;
 
@@ -492,7 +509,13 @@ export class Cluster extends ClusterBase {
       subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
     };
     this.parameterGroup = props.parameterGroup;
-    this.roles = props?.roles ? [...props.roles] : [];
+
+    this.serviceRole = props.serviceRole ?? new iam.Role(this, 'ServiceRole', {
+      assumedBy: new iam.ServicePrincipal('redshift.amazonaws.com'),
+    });
+    this.grantPrincipal = this.serviceRole;
+
+    this.roles = props?.roles ? [this.serviceRole, ...props.roles] : [this.serviceRole];
 
     const removalPolicy = props.removalPolicy ?? RemovalPolicy.RETAIN;
 

diff --git a/packages/@aws-cdk/aws-redshift-alpha/test/cluster.test.ts b/packages/@aws-cdk/aws-redshift-alpha/test/cluster.test.ts
@@ -1,11 +1,11 @@
+import * as cdk from 'aws-cdk-lib';
 import { Match, Template } from 'aws-cdk-lib/assertions';
 import * as ec2 from 'aws-cdk-lib/aws-ec2';
 import * as iam from 'aws-cdk-lib/aws-iam';
 import * as kms from 'aws-cdk-lib/aws-kms';
+import { CfnCluster } from 'aws-cdk-lib/aws-redshift';
 import * as s3 from 'aws-cdk-lib/aws-s3';
-import * as cdk from 'aws-cdk-lib';
 import { Cluster, ClusterParameterGroup, ClusterSubnetGroup, ClusterType } from '../lib';
-import { CfnCluster } from 'aws-cdk-lib/aws-redshift';
 
 let stack: cdk.Stack;
 let vpc: ec2.IVpc;
@@ -779,6 +779,31 @@ describe('default IAM role', () => {
 });
 
 describe('IAM role', () => {
+
+  test('cluster instantiated with a default grantable IAM Role', () => {
+    // GIVEN
+    const cluster = new Cluster(stack, 'Redshift', {
+      masterUser: {
+        masterUsername: 'admin',
+      },
+      vpc,
+    });
+
+    const bucket = new s3.Bucket(stack, 'Bucket');
+    bucket.grantRead(cluster);
+    // THEN
+    const template = Template.fromStack(stack);
+
+    template.hasResourceProperties('AWS::Redshift::Cluster', {
+      IamRoles: Match.arrayEquals([
+        { 'Fn::GetAtt': [Match.stringLikeRegexp('ServiceRole*'), 'Arn'] },
+      ]),
+    });
+
+    template.hasResourceProperties('AWS::IAM::Policy', {
+      PolicyDocument: Match.objectLike({ Statement: Match.arrayEquals([Match.objectLike({ Resource: Match.arrayWith([Match.objectLike({ 'Fn::GetAtt': [stack.getLogicalId(bucket.node.defaultChild as s3.CfnBucket), 'Arn'] })]) })]) }),
+    });
+  });
   test('roles can be directly attached to cluster during declaration', () => {
     // GIVEN
     const role = new iam.Role(stack, 'Role', {
@@ -796,6 +821,7 @@ describe('IAM role', () => {
     Template.fromStack(stack).hasResource('AWS::Redshift::Cluster', {
       Properties: {
         IamRoles: Match.arrayEquals([
+          { 'Fn::GetAtt': [Match.stringLikeRegexp('ServiceRole*'), 'Arn'] },
           { 'Fn::GetAtt': [Match.stringLikeRegexp('Role*'), 'Arn'] },
         ]),
       },
@@ -821,6 +847,7 @@ describe('IAM role', () => {
     Template.fromStack(stack).hasResource('AWS::Redshift::Cluster', {
       Properties: {
         IamRoles: Match.arrayEquals([
+          { 'Fn::GetAtt': [Match.stringLikeRegexp('ServiceRole*'), 'Arn'] },
           { 'Fn::GetAtt': [Match.stringLikeRegexp('Role*'), 'Arn'] },
         ]),
       },
@@ -848,6 +875,7 @@ describe('IAM role', () => {
     Template.fromStack(stack).hasResource('AWS::Redshift::Cluster', {
       Properties: {
         IamRoles: Match.arrayEquals([
+          { 'Fn::GetAtt': [Match.stringLikeRegexp('ServiceRole*'), 'Arn'] },
           { 'Fn::ImportValue': Match.stringLikeRegexp('NewTestStack:ExportsOutputFnGetAttRole*') },
         ]),
       },

diff --git a/...defaultiamrole.js.snapshot/DefaultIamRoleIntegDefaultTestDeployAssert161B8D72.assets.json b/...defaultiamrole.js.snapshot/DefaultIamRoleIntegDefaultTestDeployAssert161B8D72.assets.json
diff --git a/....snapshot/asset.b0de6372e1c756b7afa1a8a1d0a21ee4cd330150290abffc9bc163f285150514/index.js b/....snapshot/asset.b0de6372e1c756b7afa1a8a1d0a21ee4cd330150290abffc9bc163f285150514/index.js
diff --git a/....snapshot/asset.e5178afc49b7c6a85127a67856ce958e4f0879ce6aad5e974cac2a088bf939db/index.js b/....snapshot/asset.e5178afc49b7c6a85127a67856ce958e4f0879ce6aad5e974cac2a088bf939db/index.js
diff --git a/packages/@aws-cdk/aws-redshift-alpha/test/integ.cluster-defaultiamrole.js.snapshot/cdk.out b/packages/@aws-cdk/aws-redshift-alpha/test/integ.cluster-defaultiamrole.js.snapshot/cdk.out
diff --git a/...ages/@aws-cdk/aws-redshift-alpha/test/integ.cluster-defaultiamrole.js.snapshot/integ.json b/...ages/@aws-cdk/aws-redshift-alpha/test/integ.cluster-defaultiamrole.js.snapshot/integ.json
diff --git a/...s/@aws-cdk/aws-redshift-alpha/test/integ.cluster-defaultiamrole.js.snapshot/manifest.json b/...s/@aws-cdk/aws-redshift-alpha/test/integ.cluster-defaultiamrole.js.snapshot/manifest.json
diff --git a/...a/test/integ.cluster-defaultiamrole.js.snapshot/redshift-defaultiamrole-integ.assets.json b/...a/test/integ.cluster-defaultiamrole.js.snapshot/redshift-defaultiamrole-integ.assets.json
diff --git a/...test/integ.cluster-defaultiamrole.js.snapshot/redshift-defaultiamrole-integ.template.json b/...test/integ.cluster-defaultiamrole.js.snapshot/redshift-defaultiamrole-integ.template.json
@@ -408,6 +408,23 @@
     }
    }
   },
+  "Cluster1ServiceRole62B18E46": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "redshift.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    }
+   }
+  },
   "Cluster1Subnets31ACF7AC": {
    "Type": "AWS::Redshift::ClusterSubnetGroup",
    "Properties": {
@@ -477,6 +494,12 @@
     "DBName": "default_db",
     "Encrypted": true,
     "IamRoles": [
+     {
+      "Fn::GetAtt": [
+       "Cluster1ServiceRole62B18E46",
+       "Arn"
+      ]
+     },
      {
       "Fn::GetAtt": [
        "IAMF8C44BCA",
@@ -708,7 +731,7 @@
      "S3Bucket": {
       "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
      },
-     "S3Key": "e5178afc49b7c6a85127a67856ce958e4f0879ce6aad5e974cac2a088bf939db.zip"
+     "S3Key": "b0de6372e1c756b7afa1a8a1d0a21ee4cd330150290abffc9bc163f285150514.zip"
     },
     "Handler": "index.handler",
     "Role": {
@@ -725,6 +748,23 @@
     "AWS679f53fac002430cb0da5b7982bd2287ServiceRoleC1EA0FF2"
    ]
   },
+  "Cluster2ServiceRole7B955676": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "redshift.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    }
+   }
+  },
   "Cluster2SubnetsB040B959": {
    "Type": "AWS::Redshift::ClusterSubnetGroup",
    "Properties": {
@@ -794,6 +834,12 @@
     "DBName": "default_db",
     "Encrypted": true,
     "IamRoles": [
+     {
+      "Fn::GetAtt": [
+       "Cluster2ServiceRole7B955676",
+       "Arn"
+      ]
+     },
      {
       "Fn::GetAtt": [
        "IAMF8C44BCA",