Configure the Amazon Redshift data source
This document explains how to configure the Amazon Redshift data source in Grafana, including authentication methods, connection settings, provisioning, and Terraform configuration.
Before you begin
Before you configure the data source, ensure you have the following:
- Grafana permissions: An organization administrator role in Grafana.
- AWS account: An AWS account with either a Redshift provisioned cluster or a Redshift Serverless workgroup.
- IAM permissions: An IAM identity (user or role) with the required Redshift Data API permissions. Refer to IAM policies for the minimum required permissions.
- Database credentials: Either temporary credentials through IAM or a managed secret stored in AWS Secrets Manager.
Key concepts
If you’re new to Amazon Redshift or AWS, the following terms are used throughout this documentation:
Add the data source
To add the Amazon Redshift data source to Grafana:
- Click Connections in the left-side menu.
- Click Add new connection.
- Type Amazon Redshift in the search bar.
- Select Amazon Redshift.
- Click Add new data source.
Configure connection settings
The connection section configures how Grafana authenticates with AWS. For detailed information about AWS authentication options, refer to AWS authentication.
Configure Redshift details
The Redshift details section configures how Grafana connects to your specific Redshift environment. These settings appear under the Redshift Details heading in the configuration page.
Database authentication
Choose how Grafana authenticates with your Redshift database. There are two options:
- Temporary credentials – Generates temporary database credentials using the AWS
GetClusterCredentialsAPI (for provisioned clusters) orGetCredentialsAPI (for Redshift Serverless). This is the default. - AWS Secrets Manager – Uses database credentials stored in AWS Secrets Manager. Secrets must be tagged with the
RedshiftQueryOwnertag to appear in the drop-down. Refer to Storing database credentials in AWS Secrets Manager for instructions on creating compatible secrets.
Note
When using AWS Secrets Manager with Redshift Serverless, the workgroup name isn’t stored in the secret. You must configure the Workgroup field separately.
Redshift details settings
Private data source connect (Grafana Cloud only)
If you use Grafana Cloud and your Redshift cluster is in a private VPC that isn’t directly accessible, you can use Private data source connect (PDC) to securely connect Grafana Cloud to your data source without opening your network to inbound traffic.
When PDC is enabled for your Grafana Cloud instance, a Private data source connect section appears below the Redshift Details configuration. Select the Private data source connect network where your Redshift cluster is available. Click Manage private data source connect networks to configure networks.
Note
Private data source connect is available exclusively in Grafana Cloud. For self-managed Grafana instances, use VPC peering, a VPN, or AWS PrivateLink to connect to private Redshift clusters.
For setup instructions, refer to Private data source connect.
IAM policies
Grafana needs IAM permissions to query Redshift through the Data API. You can attach the required permissions to an IAM user or role. Refer to Creating IAM policies for instructions. AWS also provides predefined managed policies for Redshift.
The following policy provides the minimum permissions required:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowRedshiftDataAPI",
"Effect": "Allow",
"Action": [
"redshift-data:ListTables",
"redshift-data:DescribeTable",
"redshift-data:GetStatementResult",
"redshift-data:DescribeStatement",
"redshift-data:ListStatements",
"redshift-data:ExecuteStatement",
"redshift-data:CancelStatement",
"redshift-data:ListSchemas",
"redshift:GetClusterCredentials",
"redshift:DescribeClusters",
"redshift-serverless:ListWorkgroups",
"redshift-serverless:GetCredentials",
"secretsmanager:ListSecrets"
],
"Resource": "*"
},
{
"Sid": "AllowReadingRedshiftQuerySecrets",
"Effect": "Allow",
"Action": ["secretsmanager:GetSecretValue"],
"Resource": "*",
"Condition": {
"Null": {
"secretsmanager:ResourceTag/RedshiftQueryOwner": "false"
}
}
}
]
}The second statement restricts GetSecretValue access to only secrets that have the RedshiftQueryOwner tag, which is required for Secrets Manager integration.
Note
For async query support, your IAM policy must include the
redshift-data:ListStatementsandredshift-data:CancelStatementactions.
Verify the connection
Click Save & test to verify that the data source is configured correctly. Grafana runs a SELECT 1 query against your Redshift environment to confirm the connection is working. A success message indicates the authentication, network connectivity, and database access are all configured correctly.
Provision the data source
You can define and configure the Redshift data source using YAML files as part of the Grafana provisioning system. For more information about provisioning, refer to Provision Grafana.
The following examples show common provisioning configurations.
AWS SDK default
apiVersion: 1
datasources:
- name: Redshift
type: grafana-redshift-datasource
jsonData:
authType: default
defaultRegion: us-east-2
clusterIdentifier: my-redshift-cluster
database: mydb
dbUser: adminCredentials profile
apiVersion: 1
datasources:
- name: Redshift
type: grafana-redshift-datasource
jsonData:
authType: credentials
defaultRegion: us-east-2
profile: secondary
clusterIdentifier: my-redshift-cluster
database: mydb
dbUser: adminAccess & secret key
apiVersion: 1
datasources:
- name: Redshift
type: grafana-redshift-datasource
jsonData:
authType: keys
defaultRegion: us-east-2
clusterIdentifier: my-redshift-cluster
database: mydb
dbUser: admin
secureJsonData:
accessKey: <YOUR_ACCESS_KEY>
secretKey: <YOUR_SECRET_KEY>To use temporary AWS credentials from STS, add a sessionToken to secureJsonData:
secureJsonData:
accessKey: <YOUR_ACCESS_KEY>
secretKey: <YOUR_SECRET_KEY>
sessionToken: <YOUR_SESSION_TOKEN>Assume role
apiVersion: 1
datasources:
- name: Redshift
type: grafana-redshift-datasource
jsonData:
authType: default
defaultRegion: us-east-2
assumeRoleArn: arn:aws:iam::123456789012:role/redshift-access
clusterIdentifier: my-redshift-cluster
database: mydb
dbUser: adminRedshift Serverless
apiVersion: 1
datasources:
- name: Redshift Serverless
type: grafana-redshift-datasource
jsonData:
authType: default
defaultRegion: us-east-2
useServerless: true
workgroupName: my-workgroup
database: mydbPrivate data source connect
apiVersion: 1
datasources:
- name: Redshift
type: grafana-redshift-datasource
jsonData:
authType: default
defaultRegion: us-east-2
clusterIdentifier: my-redshift-cluster
database: mydb
dbUser: admin
enableSecureSocksProxy: trueProvision with Terraform
You can use the Grafana Terraform provider to provision the Redshift data source as code. The following examples demonstrate common configurations using the grafana_data_source resource.
Access & secret key with Terraform
resource "grafana_data_source" "redshift" {
type = "grafana-redshift-datasource"
name = "Amazon Redshift"
json_data_encoded = jsonencode({
authType = "keys"
defaultRegion = "us-east-2"
clusterIdentifier = "my-redshift-cluster"
database = "mydb"
dbUser = "admin"
})
secure_json_data_encoded = jsonencode({
accessKey = var.aws_access_key
secretKey = var.aws_secret_key
})
}To use temporary AWS credentials from STS, add sessionToken to secure_json_data_encoded:
secure_json_data_encoded = jsonencode({
accessKey = var.aws_access_key
secretKey = var.aws_secret_key
sessionToken = var.aws_session_token
})Assume role with Terraform
resource "grafana_data_source" "redshift" {
type = "grafana-redshift-datasource"
name = "Amazon Redshift"
json_data_encoded = jsonencode({
authType = "default"
defaultRegion = "us-east-2"
assumeRoleArn = "arn:aws:iam::123456789012:role/redshift-access"
clusterIdentifier = "my-redshift-cluster"
database = "mydb"
dbUser = "admin"
})
}Redshift Serverless with Terraform
resource "grafana_data_source" "redshift_serverless" {
type = "grafana-redshift-datasource"
name = "Redshift Serverless"
json_data_encoded = jsonencode({
authType = "default"
defaultRegion = "us-east-2"
useServerless = true
workgroupName = "my-workgroup"
database = "mydb"
})
}For more information, refer to the grafana_data_source resource in the Grafana Terraform provider documentation.


