Redshift
This is a step-by-step guide to integrating Redshift with Querio.
1. Create a Read‑Only Database User
What: Establish a login that Querio will use to query your warehouse.
How (SQL)
```sql
-- Replace <STRONG_PASSWORD> with a password you generate
CREATE USER querio_reader WITH PASSWORD '<STRONG_PASSWORD>';
```
You must run this as a superuser or an admin role that has CREATEUSER permission. (AWS Redshift CREATE USER)
2. Grant Required Privileges
Redshift follows the PostgreSQL permission model: without an explicit GRANT the new user cannot see anything. Give the minimal access Querio needs:
2.1 Grant Access to Analytics Schemas
This will give Querio access to the data used for analytics.
```sql
GRANT USAGE ON SCHEMA YOUR-SCHEMA TO querio_reader;
GRANT SELECT ON ALL TABLES IN SCHEMA YOUR-SCHEMA TO querio_reader;
ALTER DEFAULT PRIVILEGES IN SCHEMA YOUR-SCHEMA
    GRANT SELECT ON TABLES TO querio_reader;
```
- Replace `YOUR-SCHEMA` above with the desired analytics schemas (e.g., `public`, `analytics`, `mart`).
- `USAGE` lets the user reference objects in the schema. (AWS Redshift GRANT USAGE)
- `SELECT` grants read access to existing tables. (AWS Redshift GRANT SELECT)
- `ALTER DEFAULT PRIVILEGES` ensures future tables are also visible. (AWS Redshift ALTER DEFAULT PRIVILEGES)
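One way to confirm that the login from step 1 and the schema grants above leave `querio_reader` read-only, as an added example that is not part of the Querio guide. It assumes the granted schema is named `analytics`; substitute the schema you used.

```sql
-- Added example, not part of the original guide.
-- Assumption: the granted schema is named analytics; substitute your own.

-- 1. Account flags: is the login a superuser, and can it create databases?
SELECT usename, usesuper, usecreatedb
FROM pg_user
WHERE usename = 'querio_reader';

-- 2. Schema-level privileges: USAGE is what step 2.1 grants; CREATE is not.
SELECT has_schema_privilege('querio_reader', 'analytics', 'usage')  AS can_use,
       has_schema_privilege('querio_reader', 'analytics', 'create') AS can_create;

-- 3. Table-level privileges: list every table in the schema where the login
--    either lacks SELECT or holds a write privilege (INSERT, UPDATE, DELETE).
SELECT schemaname, tablename, can_select, can_insert, can_update, can_delete
FROM (
    SELECT schemaname,
           tablename,
           has_table_privilege('querio_reader',
               quote_ident(schemaname) || '.' || quote_ident(tablename),
               'select') AS can_select,
           has_table_privilege('querio_reader',
               quote_ident(schemaname) || '.' || quote_ident(tablename),
               'insert') AS can_insert,
           has_table_privilege('querio_reader',
               quote_ident(schemaname) || '.' || quote_ident(tablename),
               'update') AS can_update,
           has_table_privilege('querio_reader',
               quote_ident(schemaname) || '.' || quote_ident(tablename),
               'delete') AS can_delete
    FROM pg_tables
    WHERE schemaname = 'analytics'
) AS privs
WHERE NOT can_select OR can_insert OR can_update OR can_delete
ORDER BY schemaname, tablename;
```

A read-only login shows both flags false in the first query, USAGE without CREATE in the second, and no rows in the third. `pg_tables` lists tables only, so views in the schema need a separate check.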
2.2 Grant Access to Information Schema
This will give Querio access to the necessary metadata used to understand your data structure.
```sql
-- -----------------------------
-- Introspection metadata access
-- Allows Querio to read INFORMATION_SCHEMA views
-- (tables, columns, foreign keys, etc.)
-- -----------------------------
GRANT USAGE ON SCHEMA information_schema TO querio_reader;
GRANT SELECT ON ALL TABLES IN SCHEMA information_schema TO querio_reader;
```
3. Whitelist Querio's Outbound IP (Port 5439)
What: Allow Querio’s analytics engine (running in AWS) to reach your Redshift cluster on the default PostgreSQL port (5439) by adding an inbound rule that targets our fixed egress IP.
Querio IP address
| Environment | Source IP |
|---|---|
| Production | provided upon request |
| Staging | provided upon request |
How (AWS Console)
- Open the Amazon Redshift console → Clusters → your‑cluster → Network and security tab.
- Note the VPC security groups attached to the cluster. Click the group ID to open it in the EC2 Security Groups page.
- Inbound rules → Edit inbound rules → Add rule:
  - Type: Redshift (TCP 5439)
  - Source: Custom → paste `provided upon request`
  - Description: `Querio outbound production IP`
- Inbound rules → Edit inbound rules → Add rule:
  - Type: Redshift (TCP 5439)
  - Source: Custom → paste `provided upon request`
  - Description: `Querio outbound staging IP`
- Save rules.
How (AWS CLI)
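```bash
# Replace <QUERIO_PRODUCTION_IP> and <QUERIO_STAGING_IP> with the addresses provided upon request.
# A rule description is set per CIDR range inside --ip-permissions.
aws ec2 authorize-security-group-ingress \
  --group-id sg-0123456789abcdef0 \
  --ip-permissions IpProtocol=tcp,FromPort=5439,ToPort=5439,IpRanges='[{CidrIp=<QUERIO_PRODUCTION_IP>/32,Description="Querio outbound production IP"}]'

aws ec2 authorize-security-group-ingress \
  --group-id sg-0123456789abcdef0 \
  --ip-permissions IpProtocol=tcp,FromPort=5439,ToPort=5439,IpRanges='[{CidrIp=<QUERIO_STAGING_IP>/32,Description="Querio outbound staging IP"}]'
```
To enforce encrypted transport, enable the parameter require_SSL=true in your cluster (or workgroup) parameter group. (AWS Redshift require_SSL parameter)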
4. Collect & Share Connection Details for Querio
What to Collect
| Field | Where to find it | Example |
|---|---|---|
| Host | Redshift console ➜ Clusters ➜ cluster name ➜ Endpoint | my-cluster.abc123.us-east-1.redshift.amazonaws.com |
| Port | Same screen (default 5439) | 5439 |
| Database | The DB you want Querio to query (often dev or analytics) | analytics |
| Username | The user you created in step 1 | querio_reader |
| Password | The strong password you generated | — |
Once collected, share these details with the Querio team:
Host: ________________________
Port: 5439
Database: ________________________
Username: querio_reader
Password: ________________________
SSL: required