You need to specify a particular resource or use * to allow all. I see the * is missing in between the quotes "Resource": "" , or it could be formatting issue.
Hello,
Probably very late to the conversation, but in case anyone encounters this issue again: The most likely cause is the fact that enhanced routing is enabled. When you enable this feature, AWS will provision a VPC endpoint in charge of the connectivity to any external data source required by Redshift.
In this specific case, when trying to load the external schema, that endpoint will try to communicate with the Kinesis public endpoint through the routing rules defined by the subnets on which the Redshift cluster was deployed. If the subnets have no proper route to reach Kinesis, it will cause the timeout error.
To fix this issue (and assuming Redshift is deployed in a private subnet and without public access enabled), perform one of these two actions:
- Deploy a NAT Gateway on a public subnet and create a route on the route table(s) associated with the private subnets to direct public traffic to the NAT Gateway
- Deploy a VPC interface endpoint for the service Kinesis. Take the following CLI command as reference, changing the proper values for your VPC/subnets:
aws ec2 create-vpc-endpoint --region <region> --vpc-id <vpc-id> --service-name com.amazonaws.<region>.kinesis-streams --vpc-endpoint-type Interface --subnet-ids <subnet-id1> <subnet-id2> --security-group-ids <sg-id> --policy-document '{"Version":"2012-10-17","Statement":[{"Action":"*","Resource":"*","Effect":"Allow","Principal":"*"}]}'
References:
- https://repost.aws/knowledge-center/redshift-enhanced-vpc-routing
- https://docs.aws.amazon.com/streams/latest/dev/vpc.html
Regards
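As an added example (not part of either answer above, and not AWS code), a small Python checker covering both points raised in this thread: the empty "Resource" that the first answer flags, and the wide-open policy document passed to create-vpc-endpoint in the second answer. It also shows why a backslash-escaped JSON string inside single quotes is not valid JSON, and builds a scoped endpoint policy for comparison. The sample policies, the role and stream ARNs, and the Kinesis action list are constructed or assumed; verify the action list against the current Redshift streaming-ingestion documentation.

```python
import json
from typing import Optional

# Constructed sample input: the statement shape the first answer flags
# (an empty Resource) - not copied from the page.
EMPTY_RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "kinesis:GetRecords", "Resource": ""}
    ],
}

# The endpoint policy from the posted CLI command, as valid JSON.
WIDE_OPEN_ENDPOINT_POLICY = (
    '{"Version":"2012-10-17","Statement":[{"Action":"*","Resource":"*",'
    '"Effect":"Allow","Principal":"*"}]}'
)

# The same document with shell-style escaped quotes inside single quotes:
# the backslashes reach the CLI literally, so this is not JSON.
ESCAPED_ENDPOINT_POLICY = (
    r'{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":\"*\",'
    r'\"Resource\":\"*\",\"Effect\":\"Allow\",\"Principal\":\"*\"}]}'
)


def parse_policy(raw: str) -> Optional[dict]:
    """Return the policy document, or None when the text is not a JSON object."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError:
        return None
    return doc if isinstance(doc, dict) else None


def _as_list(value) -> list:
    """IAM fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (any account)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_policy_issues(policy: dict) -> list:
    """Lint Allow statements for the two problems discussed in the thread."""
    issues = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource"))
        if not resources or any(r in ("", None) for r in resources):
            issues.append(f"statement {idx}: Resource is empty; set an ARN or '*'")
        actions = _as_list(stmt.get("Action"))
        if "*" in actions and "*" in resources and _principal_is_wildcard(stmt.get("Principal")):
            issues.append(f"statement {idx}: Allow * on * for any principal; scope to the role and stream")
    return issues


# Actions Redshift streaming ingestion from Kinesis needs, as I recall the
# AWS documentation (assumption; confirm against the current docs).
STREAM_SCOPED_ACTIONS = [
    "kinesis:DescribeStreamSummary",
    "kinesis:GetShardIterator",
    "kinesis:GetRecords",
    "kinesis:DescribeStream",
]
LIST_ACTIONS = ["kinesis:ListStreams", "kinesis:ListShards"]


def scoped_endpoint_policy(role_arn: str, stream_arns: list) -> dict:
    """Endpoint policy allowing only the cluster's IAM role to read the named streams."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": STREAM_SCOPED_ACTIONS,
                "Resource": stream_arns,
            },
            {
                # List operations are not stream-scoped in IAM, hence Resource "*".
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": LIST_ACTIONS,
                "Resource": "*",
            },
        ],
    }


if __name__ == "__main__":
    print(find_policy_issues(EMPTY_RESOURCE_POLICY))
    print(parse_policy(ESCAPED_ENDPOINT_POLICY))
    print(find_policy_issues(parse_policy(WIDE_OPEN_ENDPOINT_POLICY)))
    # Hypothetical role and stream ARNs, constructed for this example.
    scoped = scoped_endpoint_policy(
        "arn:aws:iam::123456789012:role/ExampleRedshiftStreamingRole",
        ["arn:aws:kinesis:eu-west-1:123456789012:stream/example-stream"],
    )
    print(json.dumps(scoped, indent=2), find_policy_issues(scoped))
```

Run the file directly to see the three findings; the scoped policy can be passed to --policy-document after json.dumps, and because an endpoint policy is evaluated together with the role's own IAM policy, the role still needs matching permissions on the stream.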