brainly/terraform-provider-redshift

Not able to GetClusterCredentials using cross account

Closed · 1 comment

I'm not sure if I'm trying to do something that isn't supported by the module.

In our organization, we manage multiple AWS accounts. For these tests, we have the following scenario:

  • Terraform is run with the user's credentials from account A (id: 58xxxxxx), while the Redshift cluster was created in account B (82xxxxxx).
  • The user account has permission to assume any role, and we have one role in the (Redshift) account that provides admin access to every AWS resource. This method works with no problems for creating the Redshift cluster or any other AWS resource.

When I try to use this module, I'm getting the following error when doing terraform plan:

Error: operation error Redshift: GetClusterCredentials, https response error StatusCode: 403, RequestID: c4d960a3-47d2-4f8d-bda4-995cc1055d5f, api error AccessDenied: User: arn:aws:iam::58xxxxxx:user/terraform-user is not authorized to perform: redshift:GetClusterCredentials on resource: arn:aws:redshift:us-east-1:58xxxxxx:dbuser:redshift-test-9597/redshift_test_admin_6112

I guess the user is trying to access the GetClusterCredentials method without assuming the necessary role, as there's no such option in the module. It works if the Redshift cluster is located in the user's project.

Hi,
currently GetClusterCredentials does not support cross-account access. To be able to do this, it would have to first do an AssumeRole operation as you pointed out.
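As an added example (not code from the issue or from the provider), a small Go triage helper that parses the AccessDenied message quoted in the report and checks whether the account of the calling principal is the account the cluster actually lives in. The cluster account 82xxxxxx and the error text come from the report; the helper itself and its field names are assumptions about how one might run this check over provider logs.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// sampleError is the AccessDenied message from the report (accounts redacted as in the report).
const sampleError = `operation error Redshift: GetClusterCredentials, https response error StatusCode: 403, RequestID: c4d960a3-47d2-4f8d-bda4-995cc1055d5f, api error AccessDenied: User: arn:aws:iam::58xxxxxx:user/terraform-user is not authorized to perform: redshift:GetClusterCredentials on resource: arn:aws:redshift:us-east-1:58xxxxxx:dbuser:redshift-test-9597/redshift_test_admin_6112`

// accessDeniedRe captures the calling principal ARN and the dbuser resource ARN.
var accessDeniedRe = regexp.MustCompile(
	`AccessDenied: User: (arn:\S+) is not authorized to perform: redshift:GetClusterCredentials on resource: (arn:\S+)`)

// Finding is what the triage reports about one AccessDenied error.
type Finding struct {
	Caller, Resource               string
	CallerAccount, ResourceAccount string
	CrossAccountMismatch           bool // caller's account differs from the cluster's account
}

// arnAccount returns the account-id field of arn:partition:service:region:account-id:resource.
func arnAccount(arn string) (string, error) {
	parts := strings.SplitN(arn, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" {
		return "", fmt.Errorf("malformed ARN: %q", arn)
	}
	return parts[4], nil
}

// Triage parses a GetClusterCredentials AccessDenied error. The SDK builds the dbuser ARN
// from the identity it signs with, so a resource ARN carrying the caller's account while the
// cluster lives in clusterAccount means the call was made before any AssumeRole took place.
func Triage(msg, clusterAccount string) (Finding, error) {
	m := accessDeniedRe.FindStringSubmatch(msg)
	if m == nil {
		return Finding{}, errors.New("not a GetClusterCredentials AccessDenied error")
	}
	f := Finding{Caller: m[1], Resource: m[2]}
	var err error
	if f.CallerAccount, err = arnAccount(f.Caller); err != nil {
		return f, err
	}
	if f.ResourceAccount, err = arnAccount(f.Resource); err != nil {
		return f, err
	}
	f.CrossAccountMismatch = f.CallerAccount != clusterAccount
	return f, nil
}

func main() {
	f, err := Triage(sampleError, "82xxxxxx")
	if err != nil {
		fmt.Println("triage failed:", err)
		return
	}
	fmt.Printf("caller account %s, resource account %s, cross-account mismatch: %v\n",
		f.CallerAccount, f.ResourceAccount, f.CrossAccountMismatch)
}
```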