How to Resolve the AccessToClusterDenied: You Haven't Been Granted Authorization to Create an Endpoint Error Message
Issue
You receive the following error message from Redshift:
creating Redshift endpoint access: AccessToClusterDenied: You haven't been granted authorization to create an endpoint
Environment
- All database connectors
- Connection method: Private networking
Understanding the problem
Amazon Redshift endpoint access (AWS PrivateLink for Redshift) allows you to privately connect to your Redshift cluster from other VPCs or AWS accounts without traversing the public internet. This involves creating an EndpointAccess resource.
The error indicates that you're attempting to create Redshift endpoint access with a user or role that doesn't have the required permissions.
Resolution
Attach an IAM policy with the required permissions to the user or role that is attempting to create the Redshift endpoint access. The primary permission required is redshift:CreateEndpointAccess. You might also need permissions to describe clusters and subnets.
Determine which user or role needs the permissions. If you're using the AWS CLI, check your configured credentials. If it's an application, check the role attached to the EC2 instance or service.
Either create a new IAM policy or add these permissions to an existing policy. The comments that start with # explain each entry; JSON does not allow comments, so remove them before applying the policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "redshift:CreateEndpointAccess",   # Allows creating the endpoint.
        "redshift:DeleteEndpointAccess",   # Allows deleting the endpoint (good for cleanup).
        "redshift:DescribeEndpointAccess", # Allows viewing information about the endpoints.
        "redshift:DescribeEndpointAccesss" # Plural form for older APIs; safe to include both.
      ],
      "Resource": "arn:aws:redshift:<region>:<account-id>:cluster:<cluster-name>"
      # Replace <region>, <account-id>, and <cluster-name> with your actual values.
      # You can use "*" for all clusters if needed, but it is less secure.
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:CreateNetworkInterface",   # Required because Redshift creates ENIs in your specified subnets as part of managing the endpoint.
        "ec2:DeleteNetworkInterface",   # Required because Redshift deletes ENIs in your specified subnets as part of managing the endpoint.
        "ec2:DescribeNetworkInterfaces"
      ],
      "Resource": "*"
      # The resource for these EC2 actions is typically "*" because you might not know the exact ENI ARNs beforehand.
    }
  ]
}
```

Remove the comments that start with # from the IAM policy before applying it. Attach the policy to a user or role through the AWS Console:
- Go to IAM in the AWS Management Console.
- Select Users or Roles, depending on what you're using.
- Search for the specific user or role.
- On the user/role's summary page, go to the Permissions tab.
- Click Add permissions.
- Choose Attach policies directly or Create inline policy.
- If attaching an existing policy, search for a policy that contains these permissions. AmazonRedshiftFullAccess contains these permissions, but this policy is overly permissive for just endpoint access.
- If creating an inline policy:
  - Select the JSON tab.
  - Paste the JSON policy provided above.
  - Click Review policy.
  - Give it a meaningful name, such as RedshiftEndpointAccessPolicy.
  - Click Create policy or Create role.
Once the policy is attached, try creating the Redshift endpoint access again.
Always follow the principle of least privilege. Instead of granting AmazonRedshiftFullAccess, create a custom policy that includes only the specific actions required for endpoint access.
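A local check to run on the policy before attaching it, as an added example that is not part of this article or of AWS tooling: it strips the # comments from an annotated policy like the one above, confirms that every action the article lists is allowed (wildcards such as ec2:Describe* count), and flags two common least-privilege mistakes: a <placeholder> left in the Resource ARN, and redshift actions granted on Resource "*". The sample policies, account ID, region and cluster name are constructed values.

```python
"""Offline sanity checks for an IAM policy meant to grant Redshift endpoint access.

Added example, not from the original article. The required-action list follows the
article; the sample policies and ARN values below are constructed.
"""
import fnmatch
import json
import re

# Actions the article lists as needed to create and inspect endpoint access.
REQUIRED_ACTIONS = {
    "redshift:CreateEndpointAccess",
    "redshift:DescribeEndpointAccess",
    "ec2:DescribeSubnets",
    "ec2:DescribeVpcs",
    "ec2:CreateNetworkInterface",
    "ec2:DeleteNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
}

PLACEHOLDER = re.compile(r"<[^>]+>")  # <region>, <account-id>, <cluster-name>, ...


def strip_hash_comments(text: str) -> str:
    """Drop '# ...' comments so annotated policy text becomes valid JSON.

    A '#' inside a JSON string is kept, so values are never truncated.
    """
    cleaned = []
    for line in text.splitlines():
        in_string = escaped = False
        cut = len(line)
        for i, ch in enumerate(line):
            if escaped:
                escaped = False
            elif ch == "\\" and in_string:
                escaped = True
            elif ch == '"':
                in_string = not in_string
            elif ch == "#" and not in_string:
                cut = i
                break
        cleaned.append(line[:cut].rstrip())
    return "\n".join(cleaned)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_actions(policy: dict) -> dict:
    """Map each action pattern in Allow statements to the resources it covers."""
    allowed = {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            allowed.setdefault(action, set()).update(_as_list(stmt.get("Resource", [])))
    return allowed


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names are case-insensitive and accept '*' and '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def check_endpoint_policy(policy_text: str) -> dict:
    """Return {'missing': [...], 'warnings': [...]} for an annotated or plain policy."""
    policy = json.loads(strip_hash_comments(policy_text))
    allowed = allowed_actions(policy)
    missing = [a for a in sorted(REQUIRED_ACTIONS)
               if not any(_action_matches(p, a) for p in allowed)]
    warnings = []
    for pattern, resources in allowed.items():
        if pattern.lower().startswith("redshift:") and "*" in resources:
            warnings.append(f'{pattern} is allowed on every cluster (Resource "*")')
        for res in resources:
            if PLACEHOLDER.search(res):
                warnings.append(f"{pattern}: placeholder left in Resource {res}")
    return {"missing": missing, "warnings": warnings}


# Constructed sample: the article's policy with comments and example values filled in.
ANNOTATED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "redshift:CreateEndpointAccess",   # create the endpoint
        "redshift:DeleteEndpointAccess",   # clean up
        "redshift:DescribeEndpointAccess"  # inspect it
      ],
      "Resource": "arn:aws:redshift:us-east-1:123456789012:cluster:analytics-cluster"  # constructed
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:CreateNetworkInterface",
                 "ec2:DeleteNetworkInterface", "ec2:DescribeNetworkInterfaces"],
      "Resource": "*"
    }
  ]
}"""

# Constructed sample: placeholders not replaced, redshift action on every cluster, ENI actions missing.
SLOPPY_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "redshift:CreateEndpointAccess", "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "arn:aws:ec2:<region>:<account-id>:*"}
  ]
}"""

if __name__ == "__main__":
    for name, text in (("annotated", ANNOTATED_POLICY), ("sloppy", SLOPPY_POLICY)):
        print(name, json.dumps(check_endpoint_policy(text), indent=2))
```

The check only covers Allow statements and literal Resource strings; it does not evaluate Deny statements, conditions or permission boundaries, so treat an empty result as "nothing obviously wrong" rather than proof that the principal can call CreateEndpointAccess.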