Amazon Redshift
Connect an Amazon Redshift cluster with a connection string or AWS IAM credentials.
Reads tables and views from an Amazon Redshift cluster. Redshift speaks the Postgres wire protocol; queries run read-only.
Add a source
Redshift supports a connection string (a database user) and AWS IAM (temporary credentials, no stored password).
Prerequisites
- A Redshift cluster reachable from the connector.
- A user with read access, or an IAM role/user allowed to call GetClusterCredentials.
Create a read-only user
CREATE USER flitch_readonly PASSWORD 'choose-a-strong-password';
GRANT USAGE ON SCHEMA public TO flitch_readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO flitch_readonly;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO flitch_readonly;
Find the endpoint
In the AWS Console, open Redshift → Clusters → your cluster → General information. The JDBC URL gives the endpoint, port (5439), and database. Build:
postgresql://flitch_readonly:password@your-cluster.abc123.us-east-1.redshift.amazonaws.com:5439/dev?sslmode=require
Open the form
Go to Data → Add → Amazon Redshift, paste the connection string, then pick datasets.
Allow GetClusterCredentials
Create an IAM role or user permitted to call redshift:GetClusterCredentials for the cluster and database user.
Open the form
Go to Data → Add → Amazon Redshift, pick AWS IAM, and provide the region, cluster identifier, and database user.
Pick datasets
Flitch mints short-lived credentials per query, so no password is stored.
Network access
Flitch connects from its own server, not your browser, so the cluster's security group must allow Flitch's connector egress IP, not your own IP.
- Make the cluster Publicly accessible (Modify cluster), or otherwise reachable from the connector network.
- In the cluster's VPC security group, add an inbound rule: Custom TCP, port 5439, source = the connector egress IP (shown in the Add Source form) as x.x.x.x/32.
Adding "My IP" allowlists your machine, not Flitch's connector, so the connection will time out. Use the connector egress IP from the form.
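One way to check the inbound rules before retrying, as an added example (not Flitch's or AWS's code): it reads the IpPermissions list that `aws ec2 describe-security-groups` returns and reports whether the connector egress IP is allowed on 5439 and whether any rule on that port is wider than a single host. The function name and the sample rules and IP addresses are constructed for illustration; only IPv4 IpRanges are examined.

```python
import ipaddress

REDSHIFT_PORT = 5439

def audit_redshift_ingress(ip_permissions, connector_ip, port=REDSHIFT_PORT):
    """Hypothetical helper: inspect security-group ingress rules (the
    IpPermissions list from `aws ec2 describe-security-groups`) for the
    connector egress IP on the Redshift port."""
    connector = ipaddress.ip_address(connector_ip)
    allowed, too_broad = False, []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        if proto == "-1":
            covers_port = True  # "-1" means all protocols and all ports
        elif proto == "tcp":
            covers_port = perm["FromPort"] <= port <= perm["ToPort"]
        else:
            covers_port = False
        if not covers_port:
            continue
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"], strict=False)
            if connector in net:
                allowed = True
            if net.prefixlen < 32:  # wider than one host: more than the connector needs
                too_broad.append(rng["CidrIp"])
    return {"connector_allowed": allowed, "broader_than_host": too_broad}

# Constructed sample data (documentation address ranges, not real endpoints).
CONNECTOR_IP = "203.0.113.10"   # stands in for the egress IP shown in the form
MY_IP_ONLY = [{"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
               "IpRanges": [{"CidrIp": "198.51.100.7/32"}]}]
CORRECT = [{"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
            "IpRanges": [{"CidrIp": "203.0.113.10/32"}]}]
WIDE_OPEN = [{"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]

if __name__ == "__main__":
    for name, rules in [("my-ip-only", MY_IP_ONLY), ("correct", CORRECT),
                        ("wide-open", WIDE_OPEN)]:
        print(name, audit_redshift_ingress(rules, CONNECTOR_IP))
```

A result with connector_allowed false matches the timeout described above; a non-empty broader_than_host list means the connection works but the publicly accessible cluster is exposed to more than the connector.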
Team-wide credential (optional)
A team admin can store one shared Redshift credential in Settings → Data connections; new connections then default to it, with no per-connection secret.
Refresh
Refresh is off by default. Enable it to schedule a background refresh and serve from cache between runs. See Refresh.
Troubleshooting
Connection timed out. Usually the security group: confirm the egress IP is allowed on 5439 and the cluster is publicly accessible (or reachable from the connector network).
Permission denied. Grant SELECT to the read-only user for the schema.