
Amazon Redshift Connector – IAM Connection vs Basic Connection

Publish Date: May 25, 2026
Description

Basic connection:
The basic connection type authenticates directly to the Redshift database using a static username and password. No AWS IAM layer is involved. While simple to configure, this approach relies on long-lived static credentials, which is generally considered less secure than token-based alternatives.

IAM connection:
The IAM connection type introduces an AWS identity layer on top of the standard database connection. Instead of using static database credentials, the connector uses IAM credentials or an IAM Role ARN to generate temporary credentials via the AWS Security Token Service (STS). Both connection types ultimately connect to Redshift via JDBC, so database-level details such as host, port, and database name are always required regardless of which type is used.

Why Access Key and Secret Key appear in IAM connection: 
The Access Key and Secret Key fields in the IAM connection configuration are a legacy UI requirement. When a Role ARN is configured, the connector uses the AssumeRole mechanism via AWS STS to obtain temporary credentials automatically, and the manually entered keys are not used at runtime.

The connector handles two internal scenarios. Without a Role ARN, it uses the provided AWS credentials directly to retrieve temporary database credentials. With a Role ARN, it first assumes the specified IAM role to obtain new temporary AWS credentials, then uses those to retrieve temporary database credentials.

Resolution

Configure IAM connection with Role ARN

Since the Access Key and Secret Key fields are not consumed when a Role ARN is configured, you can safely enter dummy as the value for both fields. Follow the steps below to complete the configuration.

  1. In Anypoint Studio or Runtime Manager, open the Amazon Redshift Connector configuration.
  2. Select IAM Connection as the connection type.
  3. Set Access Key to dummy and Secret Key to dummy.
  4. Enter your actual IAM Role ARN in the Role ARN field.
  5. Provide your actual Redshift Database, Host, Port, and User values.
  6. Click Test Connection to verify the setup.

Note: Using dummy for Access Key and Secret Key is valid only when a Role ARN is configured. The AssumeRoleCredentialsProvider retrieves real temporary credentials from AWS STS automatically — the placeholder values are never sent to AWS.

Warning: If no Role ARN is provided, valid AWS credentials must be supplied in the Access Key and Secret Key fields. Entering dummy values without a Role ARN will cause the connection to fail.

Enable debug logging for troubleshooting:

To troubleshoot connection issues, add the following logger packages to your application's log4j2.xml file.

  • com.mulesoft.connector.amazon.redshift.internal
  • org.mule.service.http.impl.service.HttpMessageLogger

The HTTP logger is particularly useful since IAM credential retrieval involves REST API calls to AWS STS.
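
As an added example (not taken from the original article), the two loggers can be declared as follows inside the existing `<Loggers>` element of log4j2.xml. The `AsyncLogger` element and the `DEBUG` level are assumptions based on the default Mule application logging layout.

```xml
<!-- Added example: place inside the existing <Loggers> element of the application's log4j2.xml. -->
<!-- Assumption: the application declares AsyncLogger entries, as the default Mule log4j2.xml does. -->

<!-- Amazon Redshift Connector internals -->
<AsyncLogger name="com.mulesoft.connector.amazon.redshift.internal" level="DEBUG"/>

<!-- HTTP wire logging: shows the REST calls made to AWS STS.
     This output can contain the temporary credentials returned by STS,
     so set it back to INFO (or remove the entry) once troubleshooting is done
     and treat the captured log files as sensitive. -->
<AsyncLogger name="org.mule.service.http.impl.service.HttpMessageLogger" level="DEBUG"/>
```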

Knowledge Article Number

005385408

 