Amazon Redshift runtime on Docker
Install Amazon Redshift Self-Deployed Runtime using Docker.
Prerequisites
Before you begin, make sure you have:
- Docker ecosystem (Docker Engine, Docker CLI, Docker Compose).
- A Docker Hub Personal Access Token (PAT) from Atlan
- Object storage: AWS S3, Google Cloud Storage, or Azure Blob Storage with read/write permissions
- Secret store access: AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, or HashiCorp Vault with read permissions
Generate client credentials
OAuth client credentials are required for the Self-Deployed Runtime app deployment to authenticate successfully to the Atlan tenant. Follow these steps to generate client credentials:
- Generate the API token by following the steps in the API access documentation.
- Create client credentials for App authentication using the Atlan API. Replace {{tenant}} with your Atlan tenant name and {{App Name}} with your application identifier:
curl --location 'https://{{tenant}}.atlan.com/api/service/oauth-clients' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <API token>' \
--data '{
"displayName": "{{App Name}}-agent-client",
"description": "Client for agent oauth for {{App Name}}",
"scopes": ["events-app-permission-scope","temporal-app-permissions-scope"]
}'
Replace <API token> with the token you generated in step 1.
Example API response:
{
"clientId": "oauth-client-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"clientSecret": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"createdAt": "1756112939595",
"createdBy": "john.doe",
"description": "Client for agent oauth for {{App Name}}",
"displayName": "{{App Name}}-agent-client",
"id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"tokenExpirySeconds": 600
}
- Save the clientId and clientSecret values securely. You need these for the deployment configuration.
Prepare deployment environment
Download the Amazon Redshift app deployment package from Atlan's Docker registry. The package contains the container images and configuration templates required to run the app in your environment.
- Use the Personal Access Token (PAT) provided by Atlan to authenticate with Docker Hub:
docker login -u atlanhq
# When prompted for password, enter the PAT provided by Atlan
A "Login Succeeded" message confirms successful authentication.
- Download the runtime archive:
curl -O https://atlan-public.s3.amazonaws.com/redshift-app/docker-compose-with-binary.tar.gz
tar -xvf docker-compose-with-binary.tar.gz
These commands download and extract the deployment configuration files.
- Optional: Depending on organizational requirements, you may need to replicate images from Docker Hub to a private image repository. The specific steps vary by organization; here's one approach:
  - Pull the required connector image via Docker CLI:
  docker pull atlanhq/atlan-redshift-app:main-8f855a2abcd
  The command requires the same Docker Hub PAT from Atlan support that you used in step 1 for authentication.
  - Push the image to your enterprise's registry. Note down the repository name and image tag generated.
Configure config.yaml
Customize the deployment by modifying the config.yaml file in the extracted directory:
Configure general settings
Follow these steps to edit the config.yaml file and update the details:
- Update Atlan tenant URL and app credentials:
version: "1.0"
apps:
  name: "redshift"
  domain: "<tenant-name>.atlan.com"
  client_id: "<client-id>"
  client_secret: "<client-secret>"
  port: 8000
- Replace <tenant-name> with your Atlan tenant name.
- Replace <client-id> and <client-secret> with the values that you generated in the Generate client credentials section.
Configure object storage
Self-Deployed Runtime needs a store for reading or writing files. Configure the object storage that matches your environment:
Dapr supports additional object stores which aren't mentioned below. For more information, see Dapr object store documentation for other configurations.
- Local file path
- AWS S3
- Google Cloud Storage
- Azure Blob Storage
Local file path:
- Locate the objectstore attribute in config.yaml.
- Add local file path configuration for Docker volume mounts.
objectstore:
  type: "local"
  root_path: "/data/storage"
Note: Mount a Docker volume to the specified path in your docker-compose.yml file. This is the recommended option for Docker and local development environments where files can be stored on the host filesystem. Example Docker Compose volume mount:
volumes:
  - ./data:/data/storage
AWS S3:
- Locate the objectstore attribute in config.yaml.
- Add AWS S3 configuration. For more information, see AWS S3 Binding Spec.
objectstore:
  type: "s3"
  bucket: "bucket-name"
  region: "us-east-1"
  use_iam_auth: true
  access_key: ""
  secret_key: ""
Google Cloud Storage:
- Locate the objectstore attribute in config.yaml.
- Add Google Cloud Storage configuration. For more information, see GCP Storage Bucket binding spec.
objectstore:
  type: "gcs"
  bucket: "my-company-bucket"
  project_id: "my-gcp-project"
  use_iam_auth: false
  service_account_key: "path/to/service-account.json"
Azure Blob Storage:
- Locate the objectstore attribute in config.yaml.
- Add Azure Blob Storage configuration. For more information, see Azure Blob Storage binding spec.
objectstore:
  type: "azure-blob"
  account_name: "mystorageaccount"
  container_name: "my-container"
  use_iam_auth: false
  account_key: "your-storage-account-key"
Configure secret storage
Self-Deployed Runtime fetches secrets from a secret store to connect to the source systems. The secret store references are used to configure the workflow. Configure the secret store that aligns with your security infrastructure:
Dapr supports additional secret stores which aren't mentioned below. For more information, see Dapr secret store documentation for other configurations.
- Local file
- AWS Secrets Manager
- Azure Key Vault
- GCP Secret Manager
- HashiCorp Vault
Local file:
- Locate the secretstore attribute in config.yaml.
- Add local file secret store configuration. For more information, see Local file secret store.
secretstore:
  type: "local.file"
  secrets_file: "/path/to/secrets.json"
  nested_separator: ":"
Note: Create a JSON file at the specified path containing your secrets in key-value format. Set appropriate file permissions and secure the file. This is the recommended secret store for Docker and local development environments.
AWS Secrets Manager:
- Locate the secretstore attribute in config.yaml.
- Add AWS Secrets Manager configuration. For more information, see AWS Secrets Manager.
secretstore:
  type: "aws-secret-manager"
  region: "ap-south-1"
  use_iam_auth: true
  access_key: ""
  secret_key: ""
Azure Key Vault:
- Locate the secretstore attribute in config.yaml.
- Add Azure Key Vault configuration. For more information, see Azure Key Vault secret store.
secretstore:
  type: "azure-keyvault"
  vault_url: "https://my-vault.vault.azure.net/"
  tenant_id: "your-tenant-id"
  client_id: "your-client-id"
  client_secret: "your-client-secret"
Azure Key Vault supports multiple authentication methods:
- Client Secret: Use client_secret with tenant ID and client ID
- Certificate: Use certificate authentication instead of client secret
- Managed Identity: Omit authentication fields and use Azure managed identity
For detailed authentication setup, see the Authenticating to Azure documentation.
GCP Secret Manager:
- Locate the secretstore attribute in config.yaml.
- Add Google Cloud Secret Manager configuration. For more information, see GCP Secret Manager.
secretstore:
  type: "gcp"
  project_id: "my-gcp-project"
  use_iam_auth: false
  service_account_key: "path/to/service-account.json"
HashiCorp Vault:
- Locate the secretstore attribute in config.yaml.
- Add HashiCorp Vault configuration. For more information, see HashiCorp Vault.
secretstore:
  type: "hashicorp-vault"
  vault_url: "https://vault.mycompany.com"
  vault_token: "your-vault-token"
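An added example (not part of Atlan's documentation or tooling): config.yaml holds client_secret and, depending on the options chosen above, a storage key or Vault token, and the local file secret store keeps secrets in a JSON file, so both files should be closed to other users before deployment. The function names and file paths are illustrative assumptions.

```shell
#!/bin/sh
# Added example: pre-deployment checks for the files that hold credentials.
# Function names are illustrative; none of this is Atlan tooling.

# True when FILE exists and its mode grants nothing to group or other.
# The mode string from `ls -ld` is parsed because `stat` flags are not portable.
is_private() {
    [ -f "$1" ] && [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Write stdin to FILE with mode 0600. Reading from stdin keeps secret values
# out of argv and shell history; chmod runs before any data is written so a
# pre-existing, looser file is tightened first.
write_secret_file() {
    ( umask 077; : > "$1" && chmod 600 "$1" && cat > "$1" )
}

# Print (with line numbers) template values from this page left in FILE,
# such as <client-id> or "your-vault-token". Exit status 0 means some remain.
placeholders_left() {
    grep -nE '<(tenant-name|client-id|client-secret)>|"your-[a-z-]+"' "$1"
}

# preflight CONFIG [SECRET_FILE...]: non-zero if any file is missing or
# group/other-accessible, or if CONFIG still contains placeholders.
preflight() {
    rc=0
    for f in "$@"; do
        if ! is_private "$f"; then
            echo "FAIL $f: missing or accessible to group/other" >&2
            rc=1
        fi
    done
    if placeholders_left "$1" >&2; then
        echo "FAIL $1: template placeholders not replaced" >&2
        rc=1
    fi
    return "$rc"
}
```

Run `preflight ../config.yaml /path/to/secrets.json` before generating the setup files. If the secrets file is bind-mounted into a container that runs under a different UID, give that UID ownership of the file rather than opening it to group or other.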
Deploy runtime
Follow these steps to deploy the secure App:
- Generate the required setup files:
./atlan-configurator -input ../config.yaml
- Start the deployment:
docker compose up -d
The deployment process typically takes a few minutes to complete depending on factors like network connectivity and image download time.
For more information on Docker Compose commands and configuration, see the Docker Compose documentation.
Verify deployment
Follow these steps to verify the deployment:
Verify container
- Check container status:
docker compose ps
The output appears similar to:
NAME IMAGE COMMAND SERVICE CREATED STATUS PORTS
redshift-agent atlanhq/atlan-redshift-app:main-8f855a2abcd "/app/entrypoint.sh" redshift-agent 2 minutes ago Up 2 minutes
The container status shows Up, indicating it's running successfully.
- Verify logs for the running container:
docker compose logs redshift-agent --tail=50 -f
Look for these key log messages that confirm successful deployment:
  - Uvicorn running on http://0.0.0.0:8000 - Web server started
  - Workflow engine initialized - Workflow processing ready
  - dapr initialized. Status: Running - Dapr runtime active
  - Starting worker with task queue: atlan-redshift-DEPLOYMENT_NAME - Worker process started
  - GET /server/ready 200 - Health check endpoint responding
Verify via Atlan UI
Verify secure agent registration in Atlan:
- Sign in to your Atlan tenant as an administrator (for example, https://tenant-name.atlan.com).
- Navigate to Workflows > Agent.
- Search for your deployment name.
- Confirm the agent status shows as Active.
Agent registration and status take a couple of minutes to reflect in the Atlan UI.
Next steps
- Configure Secure Agent for workflow execution: Set up workflow execution settings and permissions for your deployed agent
- Set up Amazon Redshift crawler: Create and configure a crawler to extract metadata from your Amazon Redshift data warehouse