Authentication model
The RDS Query component uses two distinct sets of credentials for different purposes:- Database authentication: Access to the RDS database itself is strictly managed via username and password (stored as a secret definition). IAM roles and AWS cloud credentials are not used for database authentication.
- Cloud credentials: These are used for cloud service interactions such as discovering RDS endpoints and staging data in cloud storage.
- If your agent runs in AWS, the component can use the agent’s Task Role (IAM role) to access Amazon S3 and AWS APIs.
- If the agent runs outside AWS, you must configure AWS cloud credentials linked to an IAM user and associate them with your environment.
- If staging data to another cloud storage platform (such as Azure Blob Storage or Google Cloud Storage), you must configure the appropriate cloud credentials for that platform.
- If using Matillion Full SaaS: The component will use the cloud credentials associated with your environment to access resources.
- If using Hybrid SaaS: By default the component will inherit the agent’s execution role (service account role). However, if there are cloud credentials associated to your environment, these will overwrite the role.
- If you’re using a Matillion Full SaaS solution, you may need to allow these IP address ranges from which Matillion Full SaaS agents will call out to their source systems or to cloud data platforms.
- Cloud credentials or IAM roles are used only for accessing cloud infrastructure services, not for authenticating to the RDS database.
Video example
Properties
Reference material is provided below for the Connect, Configure, Destination, and Advanced Settings properties.A human-readable name for the component.
Connect
Select the database type from:
- Aurora
- MariaDB
- Microsoft SQL Server
- MySQL
- Oracle
- PostgreSQL
Select an RDS database endpoint from the drop-down menu. By default, this property offers the user a list of all the RDS instances available within the user’s current region that are the same type as the selected database type. If the desired endpoint is located in a different region, or the user is not running on Amazon EC2 and therefore does not have a region, they can provide values manually. To acquire your database endpoint and provide it manually, follow these steps:
- Log in to the AWS Console.
- In the Find Services search bar, search for RDS.
- In the Amazon RDS navigation column on the left side of your screen, click Databases.
- Select a database.
- Locate the endpoint for that database in the Connectivity & security section.
Provide the name of the database within your RDS instance. In the AWS Console, this is the “DB identifier”.
The database-level username for the RDS instance.
Choose the secret definition that represents your credentials for this connector.If you have not already saved your credentials for this connector as a secret definition, click Add secret to create a secret definition representing these credentials. Read Secrets and secret definitions for details about creating a secret definition.
RDS Query doesn’t support IAM-based database authentication (for example, IAM authentication tokens). If the database requires password-based authentication and no password is provided, the component run will fail.
- Parameter: A JDBC parameter supported by the database driver. Consult the specific database documentation for more details.
- Value: A value for the given parameter.
Select an SSH Tunnel from the list of Network items. For detailed usage instructions, read the SSH Tunneling documentation.
If selected, the RDS Endpoint will be the data source that your secure tunnel connects to.
Configure
- Basic: This mode will build a query for you using settings from the Schema, Data Source, Data Selection, Data Source Filter, Combine Filters, and Limit parameters. In most cases, this mode will be sufficient.
- Advanced: This mode will require you to write an SQL-like query to call data from the service you’re connecting to. The available fields and their descriptions are documented in the documentation specific to the database product.
While the query is exposed in an SQL-like language, the exact semantics can be surprising, for example, filtering on a column can return more data than not filtering on it. This is an impossible scenario with regular SQL.
This is an SQL-like SELECT query, written in the SQL accepted by your cloud data warehouse. Treat collections as table names, and fields as columns. Only available in Advanced mode.For detailed information about tables and views for this connector, read the section about the data model, found below.
Select a single data source to be extracted from the source system and loaded into a table in the destination. The source system defines the data sources available. Use multiple components to load multiple data sources.For detailed information about tables and views for this connector, read the section about the data model, found below.
Choose one or more columns to return from the query. The columns available are dependent upon the data source selected. Move columns left-to-right to include in the query.To use grid variables, select the Use Grid Variable checkbox at the bottom of the Data Selection dialog.
Define one or more filter conditions that each row of data must meet to be included in the load.
- Input Column: Select an input column. The available input columns vary depending upon the data source.
- Qualifier:
- Is: Compares the column to the value using the comparator.
- Not: Reverses the effect of the comparison, so “Equals” becomes “Not equals”, “Less than” becomes “Greater than or equal to”, etc.
- Comparator: Choose a method of comparing the column to the value. Possible comparators include: “Equal to”, “Greater than”, “Less than”, “Greater than or equal to”, “Less than or equal to”, “Like”, “Null”. “Equal to” can match exact strings and numeric values, while other comparators, such as “Greater than” and “Less than”, will work only with numerics. The “Like” operator allows the wildcard character
%to be used at the start and end of a string value to match a column. The Null operator matches only null values, ignoring whatever the value is set to. Not all data sources support all comparators, meaning that it is likely that only a subset of the above comparators will be available to choose from. - Value: The value to be compared.
The data source filters you have defined can be combined using either And or Or logic. If And, then all filter conditions must be satisfied to load the data row. If Or, then only a single filter condition must be satisfied. The default is And.If you have only one filter, or no filters, this parameter is essentially ignored.
Set a numeric value to limit the number of rows that are loaded. The default is
100. To load all rows from your data source, delete the default 100 and leave the field empty (i.e. do not set a limit).Destination
Select your cloud data warehouse.- Snowflake
- Databricks
- Amazon Redshift
- Standard: The data will be staged in your storage location before being loaded into a table. This is the only setting currently available.
The Snowflake warehouse used to run the queries. The special value
[Environment Default] uses the warehouse defined in the environment. Read Overview of Warehouses to learn more.The Snowflake database. The special value
[Environment Default] uses the database defined in the environment. Read Databases, Tables and Views - Overview to learn more.The Snowflake schema. The special value
[Environment Default] uses the schema defined in the environment. Read Database, Schema, and Share DDL to learn more.The name of the table to be created in your Snowflake database. This table will be recreated and will drop any existing table of the same name.You can use a Table Input component in a transformation pipeline to access and transform this data after it has been loaded.
Select one or more columns to be designated as the table’s primary key.
Select a managed stage. The special value, [Custom], will create a stage “on the fly” for use solely within this component.
Choose where the data is staged before being loaded into your Snowflake table using the drop-down menu.
- Existing Amazon S3 Location: Activates the S3 Staging Area property, allowing users to specify a custom staging area on Amazon S3. The Stage Authentication property is also activated, letting users select a method of authenticating the data staging.
- Existing Azure Blob Storage Location: Activates the Storage Account and Blob Container properties, allowing users to specify a custom staging location on Azure. The Stage Authentication property is also activated, letting users select a method of authenticating the data staging.
- Existing Google Cloud Storage Location: Activates the Storage Integration and GCS Staging Area properties, allowing users to specify a custom staging area within Google Cloud Storage.
- Snowflake Managed: Create and use a temporary internal stage on Snowflake for staging the data. This stage, along with the staged data, will cease to exist after loading is complete. This is the default setting.
Select an authentication method for data staging. Only available when Stage Platform is set to either Existing Amazon S3 Location or Existing Azure Blob Storage Location.
- Credentials: Uses the credentials configured in the environment. If no credentials have been configured, an error will occur.
- Storage Integration: Use a Snowflake storage integration to authentication data staging.
Select a Snowflake storage integration from the drop-down list. Storage integrations are required to permit Snowflake to read data from and write to your cloud storage location and must be set up in advance of selection.
Select an S3 bucket for temporary storage. Ensure your access credentials have S3 access and permission to write to the bucket. The temporary objects created in this bucket will be removed again after the load completes.
Select a storage account with your desired blob container to be used for staging the data. For more information, read Storage account overview.
Select a Blob container to be used for staging the data. For more information, read Introduction to Azure Blob storage.
The URL and path of the target Google Cloud Storage bucket to be used for staging the queried data.
Advanced Settings
- Snowflake
- Databricks
- Amazon Redshift
- Clean Staged Files: Destroy staged files after loading data. Default is On.
- String Null is Null: Converts any strings equal to null into a null value. This is case-sensitive and only works with entirely lower-case strings. Default is Off.
- Recreate Target Table: Choose whether the component recreates its target table before the data load. If Off, the existing table will be used. Default is On.
- File Prefix: Give staged file names a prefix of your choice. Default is empty (no prefix).
- Trim String Columns: Remove leading and trailing characters from a string column. Default is On.
- Compression Type: Set the compression type to either gzip (default) or None.
Decide how the files are encrypted inside the S3 bucket. This property is available when using an existing Amazon S3 location for staging.
- None: No encryption.
- SSE KMS: Encrypt the data according to a key stored on KMS. Read AWS Key Management Service (AWS KMS) to learn more.
- SSE S3: Encrypt the data according to a key stored on an S3 bucket. Read Using server-side encryption with Amazon S3-managed encryption keys (SSE-S3) to learn more.
The ID of the KMS encryption key you have chosen to use in the Encryption property.
Choose whether to automatically log debug information about your load. These logs can be found in the task history and should be included in support requests concerning the component. Turning this on will override any debugging connection options.
The level of verbosity with which your debug information is logged. Levels above 1 can log huge amounts of data and result in slower execution. These logs can be found in the Message field of the task details after pipeline execution and should be included in support requests concerning the component.
- Will log the query, the number of rows returned by it, the start of execution and the time taken, and any errors.
- Will log everything included in Level 1, plus cache queries and additional information about the request, if applicable.
- Will additionally log the body of the request and the response.
- Will additionally log transport-level communication with the data source. This includes SSL negotiation.
- Will additionally log communication with the data source, as well as additional details that may be helpful in troubleshooting problems. This includes interface commands.