I'm curious if anyone has experience using dbt with Redshift, particularly regarding the safest methods to grant developers access. Their local setups would need to connect to a production Redshift in a specific _DEV schema. We do have a separate AWS dev account, but it won't work for us for various reasons. While I could use a VPN, I'm looking for options that create less friction and limit security risks. It's worth noting that access restrictions at the security group level aren't effective since developers' IP addresses change frequently.
3 Answers
Another modern solution is using Cloudflare Zero Trust. You just need to run a cloudflared docker container inside your Redshift VPC to create a secure tunnel to RDS.
Have you thought about setting up an SSH tunnel through a jump station? It could provide a safe way to connect while keeping your setup secure.
One option to consider is using the SSM Session Manager. You could connect to an EC2 instance that's in the same private subnet as your Redshift cluster. This method allows secure access without exposing Redshift directly to the internet. I found a useful article that explains how to set this up: https://repost.aws/articles/AR_6F1CF0dRMCwDkC-2cNJUQ/access-a-private-amazon-redshift-from-a-local-machine-via-a-private-ec2-instance.
Yeah, this or a VPN client are both reasonable approaches!
Just be cautious if you expose your VPC through port 22 on a public instance; that can be a security risk.
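As an added example (not from any of the posters above) of the SSM Session Manager approach, this script opens a port-forwarding session through a private EC2 instance and generates a dbt profile that points at the local end of the tunnel. The instance id, Redshift endpoint, database name and schema are constructed placeholders; it assumes the AWS CLI with the Session Manager plugin is installed locally and the instance runs the SSM agent.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. No inbound security-group rule is
# needed: the instance's SG can have zero inbound rules, and IAM should scope
# ssm:StartSession to this instance and this SSM document only.
set -euo pipefail

BASTION_ID="${BASTION_ID:-i-0123456789abcdef0}"   # constructed placeholder
REDSHIFT_HOST="${REDSHIFT_HOST:-example-cluster.abc123.us-east-1.redshift.amazonaws.com}"  # placeholder
REDSHIFT_PORT=5439                                # Redshift default port
LOCAL_PORT="${LOCAL_PORT:-5439}"

# Parameters for AWS-StartPortForwardingSessionToRemoteHost: forward
# localhost:$3 on the developer machine to $1:$2 as seen from the bastion.
ssm_params() {
  printf '{"host":["%s"],"portNumber":["%s"],"localPortNumber":["%s"]}' "$1" "$2" "$3"
}

# Open the tunnel; keep this terminal open while dbt runs.
start_tunnel() {
  aws ssm start-session \
    --target "$BASTION_ID" \
    --document-name AWS-StartPortForwardingSessionToRemoteHost \
    --parameters "$(ssm_params "$REDSHIFT_HOST" "$REDSHIFT_PORT" "$LOCAL_PORT")"
}

# dbt profile aimed at the local end of the tunnel. Credentials come from
# env vars and each developer targets their own *_DEV schema ($1), so a
# production schema is never the default write target.
dbt_profile() {
  cat <<EOF
analytics:
  target: dev
  outputs:
    dev:
      type: redshift
      host: localhost
      port: ${LOCAL_PORT}
      user: "{{ env_var('DBT_USER') }}"
      password: "{{ env_var('DBT_PASSWORD') }}"
      dbname: analytics
      schema: $1
      threads: 4
EOF
}

case "${1:-}" in
  tunnel)  start_tunnel ;;
  profile) dbt_profile "${2:?usage: $0 profile <name>_DEV}" ;;   # write to ~/.dbt/profiles.yml
  *)       echo "usage: $0 tunnel | profile <name>_DEV" ;;
esac
```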