Skip to main content

Linking Redshift as a Source

This guide walks through connecting a Redshift cluster to Actioneer. The setup creates a dedicated database user with SELECT-only permissions on the schemas you specify.
  
  Prerequisites  AWS account with a Redshift cluster, Actioneer account
  Access granted  SELECT queries on specified schemas
  Estimated time  ~20 minutes
  Actioneer IP  35.244.14.238
Actioneer cannot insert, update, delete, or modify any data, tables, or cluster settings.
1

Locate your Redshift cluster endpoint and database name

Three values are needed from the AWS Console.
  1. Sign in at console.aws.amazon.com and open the Amazon Redshift service.
  2. Click Clusters in the left sidebar and select your cluster.
  3. On the General information tab, copy the Endpoint. It follows the format my-cluster.abc123.us-east-1.redshift.amazonaws.com:5439. The address before the colon is the Host. The number after the colon is the Port. Always use the port shown in your endpoint — 5439 is the AWS default, but it is not guaranteed.
  4. Note the Database name shown on the same page (e.g., analytics).
  Field  Location  Value Example
  Host  Cluster endpoint (without port)  my-cluster.abc123.us-east-1.redshift.amazonaws.com
  Port  Cluster endpoint (after the colon)  5439
  Database  General information tab  analytics
2

Create a read-only database user

Connect to your Redshift cluster using a SQL client (Redshift Query Editor, DBeaver, or psql) and run the following. Replace YOUR_SCHEMA with the schema Actioneer should query.
-- Create a dedicated read-only user
CREATE USER actioneer_readonly
  PASSWORD 'Choose-A-Strong-Password-Here'
  CONNECTION LIMIT 5;

-- Grant schema access
GRANT USAGE ON SCHEMA YOUR_SCHEMA TO actioneer_readonly;

-- Grant read access to all existing tables
GRANT SELECT ON ALL TABLES IN SCHEMA YOUR_SCHEMA TO actioneer_readonly;

-- Ensure future tables are also readable
ALTER DEFAULT PRIVILEGES IN SCHEMA YOUR_SCHEMA
  GRANT SELECT ON TABLES TO actioneer_readonly;
Replace YOUR_SCHEMA with your actual schema name (e.g., public or reporting). Run the GRANT statements for each schema Actioneer should access.
Save the password you set for actioneer_readonly. You will enter it in Actioneer in the next step. Store it in a password manager.
3

Allow Actioneer's IP address

Redshift clusters are typically inside a VPC. Actioneer needs an inbound rule on the cluster’s security group to connect.
  1. In the AWS Console, open Amazon Redshift and select your cluster.
  2. On the Properties tab, under Network and security, click the linked VPC security group.
  3. Click Inbound rules → Edit inbound rules.
  4. Add a rule: Type = Custom TCP, Port = the port from Step 1, Source = Custom35.244.14.238/32.
  5. Click Save rules.
Your Redshift cluster must be publicly accessible for Actioneer to connect directly. Check the Publicly accessible setting on the cluster’s Properties tab. If it is set to No, either enable it (Cluster → Actions → Modify publicly accessible setting) or use Actioneer’s SSH Tunnel option to connect through a bastion host in your VPC.
4

Connect Redshift in Actioneer

  1. In Actioneer, click Data in the left sidebar.
  2. Select Amazon Redshift from the list of data sources.
  3. When prompted, select Direct Connection.
  4. Complete the connection form:
  Field  Value
  Connection Name  A descriptive label, e.g. Production Redshift
  Host  From Step 1 — cluster endpoint without the port
  Port  From Step 1
  Database Name  From Step 1 (e.g., analytics)
  Username  actioneer_readonly
  Password  The password set in Step 2
  SSH Tunnel  Optional — enable to connect through a bastion host if your cluster is not publicly accessible
  1. Click Connect.

Common questions

No. The actioneer_readonly user holds only SELECT and USAGE grants. It cannot insert, update, delete, or drop any objects in your cluster.
All credentials are encrypted at rest with AES-256 and encrypted in transit with TLS 1.3. They are never stored in plain text or logged. Actioneer is SOC 2 Type II certified, ISO 27001 certified (audited by Schellman), and GDPR compliant.

Need a hand?

Stuck on a step or running into an error? Reach out at connect@actioneer.com.