Add a Redshift Source Datastore
A source datastore is a storage location Qualytics connects to so it can profile, scan, and monitor data. Adding Redshift as a source lets Qualytics read tables through the Redshift JDBC driver and run quality operations on the data they contain.
Redshift can also be used as an enrichment datastore for any source. See Link Enrichment Datastore.
Before you start, review the Redshift Permissions and the available Authentication methods.
This page covers two ways to add a Redshift source datastore: using a new connection or reusing a saved one. Both flows share the same form fields. Use the tabs in Field reference below to pick the flow that matches your situation. If this is your first Redshift datastore in Qualytics, use the New Connection tab.
For the generic step-by-step walkthrough of the Add Source Datastore modal (open it, toggle the connection mode, test, finish), see Add Source Datastore. The fields described below apply to the Redshift-specific portion of that flow.
Field reference
The Add Source Datastore form changes depending on whether you create a new connection or reuse a saved one. Pick the tab below that matches your flow.
When Add New Connection is toggled ON, the form shows five groups of fields: Connection Properties, Authentication, Secrets Management (optional Vault integration), Datastores Extraction, and Datastore Properties.
Connection Properties
These fields define the Redshift cluster endpoint Qualytics connects to.

| REF. | FIELD | REQUIRED | DESCRIPTION |
|---|---|---|---|
| 1 | Connection Name | Yes | A label for the saved connection (e.g., acme_redshift_warehouse). Appears in the Connection dropdown when you create future datastores. |
| 2 | Host | Yes | The Redshift cluster endpoint hostname (e.g., acme-cluster.123456789012.us-east-1.redshift.amazonaws.com). |
| 3 | Port | Yes | The Redshift port. Defaults to 5439. |
| 4 | Type | Yes | Authentication mode. Choose between Password (default) and IAM Role. Sets which credential fields appear in the Authentication group below. |
Authentication
Choose how Qualytics authenticates to Redshift. Setting Type changes the credential fields shown below it.
Password is the default mode. Supply a Redshift database user that has the grants listed in Permissions.

| REF. | FIELD | REQUIRED | DESCRIPTION |
|---|---|---|---|
| 1 | Type | Yes | Set to Password. |
| 2 | User | Yes | The Redshift database user Qualytics will connect as. |
| 3 | Password | Yes | The password associated with the Redshift user account. |
AWS-only
The IAM Role option in Type is shown only on AWS and local Qualytics deployments. On Azure and GCP deployments, only Password authentication is available.
With IAM Role, Qualytics assumes an IAM role in your AWS account through AWS STS and uses short-lived database credentials that refresh automatically. See Authentication for the assume-role flow walkthrough.

| REF. | FIELD | REQUIRED | DESCRIPTION |
|---|---|---|---|
| 1 | Type | Yes | Set to IAM Role. |
| 2 | Role ARN | Yes | The IAM role ARN Qualytics will assume through AWS STS. |
| 3 | External ID | No | Include only if your role's trust policy requires one. |
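The following is an added example, not part of the Qualytics documentation: a local check of whether a role's trust policy requires an external ID, which is what decides whether the External ID field gets a value. The policy, principal ARN and ID are constructed placeholders; only `StringEquals` conditions are modelled, and principal matching and Deny statements are not evaluated.

```python
import json

# Constructed trust policy; the principal ARN and external ID are placeholders.
TRUST_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:role/EXAMPLE-PRINCIPAL"},
   "Action": "sts:AssumeRole",
   "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}
""")

def _as_list(value):
    # IAM allows a single value or a list for Statement, Action and condition values.
    return value if isinstance(value, list) else [value]

def external_id_requirements(policy):
    """One entry per Allow statement that grants sts:AssumeRole: the set of
    external IDs it accepts, or None if it sets no sts:ExternalId condition."""
    results = []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        accepted = None
        for operator, conditions in stmt.get("Condition", {}).items():
            if operator != "StringEquals":
                continue  # assumption: other operators are out of scope here
            for key, value in conditions.items():
                if key.lower() == "sts:externalid":  # condition keys are case-insensitive
                    accepted = set(_as_list(value))
        results.append(accepted)
    return results

def form_value_ok(policy, external_id):
    """True if some statement would accept the External ID typed in the form
    ("" or None means the field was left blank)."""
    supplied = external_id or None
    return any(accepted is None or supplied in accepted
               for accepted in external_id_requirements(policy))

if __name__ == "__main__":
    print("requirements:", external_id_requirements(TRUST_POLICY))
    print("blank field accepted:", form_value_ok(TRUST_POLICY, ""))
    print("matching ID accepted:", form_value_ok(TRUST_POLICY, "EXAMPLE-EXTERNAL-ID"))
```
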
Secrets Management (optional)
Use this group only if you want Qualytics to pull credentials from HashiCorp Vault instead of typing them into the form. Toggle HashiCorp Vault ON to expose the fields below.

| REF. | FIELD | REQUIRED | DESCRIPTION |
|---|---|---|---|
| 1 | Login URL | Yes | The Vault endpoint Qualytics uses to authenticate (e.g., https://vault.example.com/v1/auth/approle/login). |
| 2 | Credentials Payload | Yes | A JSON body containing the credentials Vault expects (e.g., {"role_id":"...","secret_id":"..."}). |
| 3 | Token JSONPath | Yes | The JSONPath that extracts the client token from Vault's response. Defaults to $.auth.client_token. |
| 4 | Secret URL | Yes | The Vault path where the secret is stored (e.g., https://vault.example.com/v1/secret/data/redshift). |
| 5 | Token Header Name | Yes | The HTTP header name used to send the token. Defaults to X-Vault-Token. |
| 6 | Data JSONPath | Yes | The JSONPath that extracts the secret payload from Vault's response. Defaults to $.data. |
Note
Once Vault is configured, reference any secret value in the Connection Properties or Authentication fields using ${key} (e.g., ${password}). Qualytics resolves the secret at the moment the connection is opened, so updated keys take effect on the next connection.
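The following is an added example, not part of the Qualytics documentation: it models the Vault fields offline so you can see which Data JSONPath selects the object that holds your keys. The Vault responses are constructed, and the code assumes `${key}` is looked up directly in the object the Data JSONPath selects. For a KV version 2 mount Vault nests secret values under `data.data`, so both paths are compared.

```python
import re

# Constructed responses shaped like Vault's AppRole login and KV v2 read replies.
LOGIN_RESPONSE = {"auth": {"client_token": "hvs.EXAMPLE-TOKEN", "lease_duration": 3600}}
SECRET_RESPONSE = {"data": {"data": {"user": "qualytics_ro", "password": "EXAMPLE-ONLY"},
                            "metadata": {"version": 3}}}

def jsonpath_get(doc, path):
    """Resolve a simple dotted JSONPath such as $.auth.client_token (no filters or wildcards)."""
    if not path.startswith("$"):
        raise ValueError(f"JSONPath must start with '$': {path!r}")
    node = doc
    for key in [part for part in path[1:].split(".") if part]:
        if not isinstance(node, dict) or key not in node:
            raise KeyError(f"{path!r} has no element {key!r}")
        node = node[key]
    return node

def token_header(login_response, token_path="$.auth.client_token", header="X-Vault-Token"):
    """Header sent with the Secret URL request (Token JSONPath and Token Header Name)."""
    return {header: jsonpath_get(login_response, token_path)}

def resolve_field(value, secrets):
    """Replace ${key} references; fail loudly on a missing or non-string secret."""
    def repl(match):
        key = match.group(1)
        if not isinstance(secrets.get(key), str):
            raise KeyError(f"${{{key}}} not found as a string in the extracted secret data")
        return secrets[key]
    return re.sub(r"\$\{([^}]+)\}", repl, value)

def check_settings(data_path, fields, secret_response=SECRET_RESPONSE):
    """Resolve every form field against the object selected by data_path."""
    secrets = jsonpath_get(secret_response, data_path)
    if not isinstance(secrets, dict):
        raise KeyError(f"{data_path!r} selects a {type(secrets).__name__}, not an object")
    return {name: resolve_field(value, secrets) for name, value in fields.items()}

if __name__ == "__main__":
    print("headers sent:", list(token_header(LOGIN_RESPONSE)))
    form = {"User": "${user}", "Password": "${password}"}
    for path in ("$.data", "$.data.data"):
        try:
            # Print field names only, never the resolved secret values.
            print(path, "-> resolved", sorted(check_settings(path, form)))
        except KeyError as exc:
            print(path, "-> failed:", exc)
```
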
Datastores Extraction
Pick the database and schema Qualytics should read from.

| REF. | FIELD | REQUIRED | DESCRIPTION |
|---|---|---|---|
| 1 | Database | Yes | The Redshift database name Qualytics will connect to. |
| 2 | Schema | Yes | The schema inside the database that contains the tables to profile and scan. |
Datastore Properties
Common fields for every source datastore, visible below the Datastores Extraction section in the same form.

| REF. | FIELD | REQUIRED | DESCRIPTION |
|---|---|---|---|
| 1 | Name Template | No | Defines the naming pattern for the source datastore being created. Use {{ schema }} as a placeholder that gets replaced with the actual schema name (e.g., redshift_{{ schema }} becomes redshift_public). |
| 2 | Group | No | Organizes your datastores under a shared group in the navigation tree. Select an existing group or create a new one with the Add New Group toggle. |
| 3 | Teams | Yes | Select one or more teams to associate with this source datastore. |
| 4 | Initiate Sync | No | Automatically sync the datastore to detect containers and fields after creation. |
| 5 | Connection Info | No | Read-only banner that shows the IP address the Qualytics dataplane uses to reach your Redshift endpoint. Allowlist this IP in your Redshift cluster's security group inbound rules so the dataplane can connect. |
When Add New Connection is toggled OFF and you pick a saved Redshift connection, the Connection Properties, Authentication, and Secrets Management sections are collapsed and read-only. Qualytics has already validated those credentials, so there is nothing for you to fill in. You only fill in the Datastores Extraction and Datastore Properties below.
To change a saved connection's credentials, edit the connection itself from Settings > Connections. Edits there apply to every datastore that reuses the connection.
Datastores Extraction

| REF. | FIELD | REQUIRED | DESCRIPTION |
|---|---|---|---|
| 1 | Database | Yes | The Redshift database name Qualytics will connect to. |
| 2 | Schema | Yes | The schema inside the database that contains the tables to profile and scan. |
Datastore Properties

| REF. | FIELD | REQUIRED | DESCRIPTION |
|---|---|---|---|
| 1 | Name Template | No | Defines the naming pattern for the source datastore being created. |
| 2 | Group | No | Organizes your datastores under a shared group in the navigation tree. |
| 3 | Teams | Yes | Select one or more teams to associate with this source datastore. |
| 4 | Initiate Sync | No | Automatically sync the datastore after creation. |
| 5 | Connection Info | No | Read-only banner that shows the IP address the Qualytics dataplane uses to reach your Redshift endpoint. Allowlist this IP in your Redshift cluster's security group inbound rules so the dataplane can connect. |