Skip to main content
Connect to Redshift

1. Redshift Credential Setup

It’s recommended to create a dedicated Redshift user with:
  • broad read access to the source schemas you want Margin to model
  • permission to create/manage schemas inside your designated Redshift database
If you’d prefer to use an existing user, ensure it has both sets of privileges.

Create a Redshift User and Permissions

Below is a step-by-step guide to set up a Redshift user with the necessary permissions:
Locations to fill in required fields are highlighted in green
-- Margin user/group details--------------
SET margin_password = '<a secure password>';
SET margin_database = '<database>';                 -- e.g. 'analytics'
SET source_schema_1 = '<schema>';                   -- e.g. 'public'
SET source_table_1  = '<table>';                    -- e.g. 'events'

-- Create Margin user and group
CREATE USER margin_user PASSWORD '${margin_password}';
CREATE GROUP margin_role;
ALTER GROUP margin_role ADD USER margin_user;

-- Allow Margin to create/manage its own schemas in the target database
GRANT CREATE ON DATABASE ${margin_database} TO GROUP margin_role;
GRANT TEMPORARY ON DATABASE ${margin_database} TO GROUP margin_role;

-- Grant read access to source schema(s)
GRANT USAGE ON SCHEMA ${source_schema_1} TO GROUP margin_role;
GRANT SELECT ON ALL TABLES IN SCHEMA ${source_schema_1} TO GROUP margin_role;

-- Optional: grant specific tables only instead of all tables
-- GRANT SELECT ON TABLE ${source_schema_1}.${source_table_1} TO GROUP margin_role;

-- Set up default privileges for future tables
ALTER DEFAULT PRIVILEGES IN SCHEMA ${source_schema_1}
GRANT SELECT ON TABLES TO GROUP margin_role;

-- Optional: explicitly exclude sensitive tables
-- REVOKE SELECT ON TABLE ${source_schema_1}.<sensitive_table> FROM GROUP margin_role;

-- If you need to restrict access to sensitive data, create a filtered view
CREATE SCHEMA IF NOT EXISTS margin_secure;

CREATE OR REPLACE VIEW margin_secure.secure_${source_table_1}_view AS
SELECT
    id,
    event_name,
    timestamp,
    non_sensitive_column1,
    non_sensitive_column2
    -- Omit sensitive columns like PII, financial data, etc.
FROM ${source_schema_1}.${source_table_1};

-- Grant access to the view
GRANT SELECT ON margin_secure.secure_${source_table_1}_view TO GROUP margin_role;

-- Margin should be able to create/drop schemas it owns in the workspace database
CREATE SCHEMA IF NOT EXISTS margin_validation_schema;
CREATE TABLE margin_validation_schema.permission_check (id INT);
DROP TABLE margin_validation_schema.permission_check;
DROP SCHEMA margin_validation_schema;
If you need to connect to multiple databases, reach out to [email protected], we can enable this for you.

2. Redshift Connection Configuration

A. Add a Redshift Source in Margin

Go to your Integrations page in the Margin dashboard & click Add Source and select Amazon Redshift.

B. Enter Redshift Credentials

Enter the following required fields into Margin:
FieldDescription
HostThe hostname or IP address of your Redshift cluster. You can find this in the AWS Redshift console by selecting your cluster and looking at the Endpoint string (exclude the port and database name).
PortThe port number for your Redshift cluster. The default is 5439, but yours may be different.
DatabaseThe name of the database in your Redshift cluster that contains your data.
Username & PasswordFor the margin_user you created (or an existing user with the necessary privileges).
SchemaDefault schema for initial queries. Margin can create and manage additional schemas in the same database as needed.
For security, we recommend that you allowlist Margin’s IP addresses in your security group to allow connections to your Redshift cluster. Please reach out to [email protected] for our current IP addresses.

3. Testing the Connection

When you set up Redshift, Margin verifies:
  1. Basic connectivity check: Network connection & credential validation
  2. Verify user can manage objects in Margin-managed schemas:
    • Table lifecycle (CREATE, INSERT, SELECT, UPDATE, DELETE)
    • View creation and access
    • Ability to execute queries on the source tables
Sometimes the initial test might time out, especially if Redshift is resuming from a paused state. Simply click Test again to retry.

4. Advanced Connection Options

Using an SSH Tunnel

If your Redshift cluster is in a private VPC without public access, you can connect via an SSH tunnel:
  1. Select SSH Tunnel as the connection type
  2. Provide the SSH host, port, username, and authentication method (password or key)
  3. The SSH server must have network access to your Redshift cluster
For enterprise customers, you can securely connect to your Redshift cluster using AWS PrivateLink:
  1. Contact [email protected] to enable this feature
  2. Our team will provide guidance for setting up the PrivateLink connection

Next Steps

Once the connection is established, you can connect your finance sources to model over your event data.

Sources: Finance Data

Connect your finance data sources