Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Setting up Amazon IAM Identity Center integration with Amazon Redshift

Your Amazon Redshift cluster administrator or Amazon Redshift Serverless administrator must perform several steps to configure Redshift as an Amazon IAM Identity Center enabled application. This makes it so Redshift can discover and connect to Amazon IAM Identity Center automatically to receive sign-in and user directory services. After this, when your Redshift administrator creates a cluster or workgroup, they can enable the new data warehouse to use Amazon IAM Identity Center to manage database access.

The point of enabling Redshift as an Amazon IAM Identity Center managed application is so you can control user and group permissions from within Amazon IAM Identity Center, or from a third-party identity provider that's integrated with it. When your database users sign in to a Redshift database, for example an analyst or a data scientist, it checks their groups in Amazon IAM Identity Center and these match up with role names in Redshift. In this manner, a group that defines the name for a Redshift database role can access a set of tables for sales analytics, for example. The sections that follow show how to set this up.

Prerequisites

These are the prerequisites for integrating Amazon IAM Identity Center with Amazon Redshift:

  • Account configuration – You must configure Amazon IAM Identity Center in your Amazon organization's management account if you plan to have cross-account use cases, or if you use Redshift clusters in different accounts with the same Amazon IAM Identity Center instance. This includes configuring your identity source. For more information, see Getting Started, workforce identities, and supported identity providers in the Amazon IAM Identity Center User Guide. You must ensure that you have created users or groups in Amazon IAM Identity Center, or synchronized users and groups from your identity source before you can assign them to data in Redshift.

    Note

    You have an option to use an account instance of Amazon IAM Identity Center, provided that Redshift and Amazon IAM Identity Center are in the same account. You can create this instance using a widget when you create and configure a Redshift cluster or workgroup.

  • Configuring a trusted token issuer – In some cases, you may need to use a trusted token issuer, which is an entity that can issue and verify trust tokens. Preliminary steps are required before the Redshift administrator who configures Amazon IAM Identity Center integration can select the trusted token issuer and add the necessary attributes to complete the configuration. This can include configuring an external identity provider to serve as a trusted token issuer and adding its attributes in the Amazon IAM Identity Center console. To complete these steps, see Using applications with a trusted token issuer.

    Note

    Setting up a trusted token issuer isn't required for all external connections. Connecting to your Redshift database with Amazon Redshift query editor v2 doesn't require trusted-token issuer configuration. But it can apply for third-party applications such as dashboards or custom applications that authenticate with your identity provider.

  • Configuring an IAM role or roles – The sections that follow mention permissions that must be configured. You will have to add permissions per IAM best practices. Specific permissions are detailed in the procedures that follow.

For more information, see Getting Started with Amazon IAM Identity Center.

Configuring your identity provider to work with Amazon IAM Identity Center

The first step in controlling user and group identity management is to connect to Amazon IAM Identity Center and configure your identity provider. You can use Amazon IAM Identity Center itself as your identity provider, or you can connect a third-party identity store, such as Okta, for instance. For more information about setting up the connection to and configuring your identity provider, see Connect to an external identity provider in the Amazon IAM Identity Center user guide. Make sure at the end of this process that you have a small collection of users and groups added to Amazon IAM Identity Center, for test purposes.

Administrative Permissions

Permissions required for Redshift/Amazon IAM Identity Center application lifecycle management

You must create an IAM identity, which a Redshift administrator uses to configure Redshift for use with Amazon IAM Identity Center. Most commonly, you would create an IAM role with permissions and assign it to other identities as required. It must have the permissions listed to perform the following actions.

Creating the Redshift/Amazon IAM Identity Center application

  • sso:PutApplicationAssignmentConfiguration – For security.

  • sso:CreateApplication – Used to create an Amazon IAM Identity Center application.

  • sso:PutApplicationAuthenticationMethod – Grants Redshift authentication access.

  • sso:PutApplicationGrant – Used to change the trusted token issuer information.

  • sso:PutApplicationAccessScope – For Redshift Amazon IAM Identity Center application setup. This includes for Amazon Lake Formation and for Amazon S3 Access Grants.

  • redshift:CreateRedshiftIdcApplication – Used to create the Redshift Amazon IAM Identity Center application.

Describing the Redshift/Amazon IAM Identity Center application

  • sso:GetApplicationGrant – Used to list trusted token issuer information.

  • sso:ListApplicationAccessScopes – For Redshift Amazon IAM Identity Center application setup to list downstream integrations, such as for Amazon Lake Formation and S3 Access Grants.

  • redshift:DescribeRedshiftIdcApplications – Used to describe existing Amazon IAM Identity Center applications.

Changing the Redshift/Amazon IAM Identity Center application

  • redshift:ModifyRedshiftIdcApplication – Used to change an existing Redshift application.

  • sso:UpdateApplication – Used to update an Amazon IAM Identity Center application.

  • sso:GetApplicationGrant – Gets the trust token issuer information.

  • sso:ListApplicationAccessScopes – For Redshift Amazon IAM Identity Center application setup.

  • sso:DeleteApplicationGrant – Deletes the trust token issuer information.

  • sso:PutApplicationGrant – Used to change the trusted token issuer information.

  • sso:PutApplicationAccessScope – For Redshift Amazon IAM Identity Center application setup. This includes for Amazon Lake Formation and for Amazon S3 Access Grants.

  • sso:DeleteApplicationAccessScope – For deleting Redshift Amazon IAM Identity Center application setup. This includes for Amazon Lake Formation and for Amazon S3 Access Grants.

Deleting the Redshift/Amazon IAM Identity Center application

  • sso:DeleteApplication – Used to delete an Amazon IAM Identity Center application.

  • redshift:DeleteRedshiftIdcApplication – Gives the ability to delete an existing Redshift Amazon IAM Identity Center application.

Permissions required for Redshift/query editor v2 application lifecycle management

You must create an IAM identity, which a Redshift administrator uses to configure Redshift for use with Amazon IAM Identity Center. Most commonly, you would create an IAM role with permissions and assign it to other identities as required. It must have the permissions listed to perform the following actions.

Creating the query editor v2 application

  • redshift:CreateQev2IdcApplication – Used to create the QEV2 application.

  • sso:CreateApplication – Gives the ability to create an Amazon IAM Identity Center application.

  • sso:PutApplicationAuthenticationMethod – Grants Redshift authentication access.

  • sso:PutApplicationGrant – Used to change the trusted token issuer information.

  • sso:PutApplicationAccessScope – For Redshift Amazon IAM Identity Center application setup. This includes query editor v2.

  • sso:PutApplicationAssignmentConfiguration – For security.

Describe the query editor v2 application

  • redshift:DescribeQev2IdcApplications – Used to describe the Amazon IAM Identity Center QEV2 application.

Change the query editor v2 application

  • redshift:ModifyQev2IdcApplication – Used to change the Amazon IAM Identity Center QEV2 application.

  • sso:UpdateApplication – Used to change the Amazon IAM Identity Center QEV2 application.

Delete the query editor v2 application

  • redshift:DeleteQev2IdcApplication – Used to delete the QEV2 application.

  • sso:DeleteApplication – Used to delete the QEV2 application.

Note

In the Amazon Redshift SDK, the following APIs aren’t available:

  • CreateQev2IdcApplication

  • DescribeQev2IdcApplications

  • ModifyQev2IdcApplication

  • DeleteQev2IdcApplication

These actions are specific to performing Amazon IAM Identity Center integration with Redshift QEV2 in the Amazon console. For more information, see Actions defined by Amazon Redshift.

Permissions required for the database administrator to connect new resources in the console

These permissions are required to connect new provisioned clusters or Amazon Redshift Serverless workgroups during the creation process. If you have these permissions, a selection appears in the console to choose to connect to the Amazon IAM Identity Center managed application for Redshift.

  • redshift:DescribeRedshiftIdcApplications

  • sso:ListApplicationAccessScopes

  • sso:GetApplicationAccessScope

  • sso:GetApplicationGrant

As a best practice, we recommend attaching permissions policies to an IAM role and then assigning it to users and groups as needed. For more information, see Identity and access management in Amazon Redshift.
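The action lists above are easiest to apply correctly when each lifecycle phase becomes its own policy statement, so an operator who only inspects the integration does not also receive delete rights. The following Python is an added example, not code from the page or from Amazon: it assembles a policy from the documented actions and lints an existing policy for wildcards or actions outside that set. The Sids, the per-phase grouping and the constructed "sloppy" policy are this example's own choices.

```python
import json

# IAM actions listed on this page for each lifecycle phase of the Redshift /
# IAM Identity Center application. Copied from the lists above; the phase
# names and Sids are this example's own.
LIFECYCLE_ACTIONS = {
    "Create": [
        "sso:PutApplicationAssignmentConfiguration",
        "sso:CreateApplication",
        "sso:PutApplicationAuthenticationMethod",
        "sso:PutApplicationGrant",
        "sso:PutApplicationAccessScope",
        "redshift:CreateRedshiftIdcApplication",
    ],
    "Describe": [
        "sso:GetApplicationGrant",
        "sso:ListApplicationAccessScopes",
        "redshift:DescribeRedshiftIdcApplications",
    ],
    "Modify": [
        "redshift:ModifyRedshiftIdcApplication",
        "sso:UpdateApplication",
        "sso:GetApplicationGrant",
        "sso:ListApplicationAccessScopes",
        "sso:DeleteApplicationGrant",
        "sso:PutApplicationGrant",
        "sso:PutApplicationAccessScope",
        "sso:DeleteApplicationAccessScope",
    ],
    "Delete": [
        "sso:DeleteApplication",
        "redshift:DeleteRedshiftIdcApplication",
    ],
}


def build_policy(phases, resource="*"):
    """Return an IAM policy document with one Allow statement per requested phase.

    Only the phases the operator actually needs are included, so a role that
    merely inspects the integration does not also get delete rights.
    """
    unknown = set(phases) - LIFECYCLE_ACTIONS.keys()
    if unknown:
        raise ValueError(f"unknown lifecycle phase(s): {sorted(unknown)}")
    statements = []
    for phase in phases:
        statements.append({
            "Sid": f"RedshiftIdc{phase}",
            "Effect": "Allow",
            # sorted + deduplicated: the Modify list repeats two Describe actions
            "Action": sorted(set(LIFECYCLE_ACTIONS[phase])),
            "Resource": resource,
        })
    return {"Version": "2012-10-17", "Statement": statements}


def audit_policy(policy):
    """Flag Allow statements that go beyond the documented action set.

    Returns a list of human-readable findings; an empty list means the policy
    contains only the actions listed on this page and no wildcards.
    """
    allowed = {a for acts in LIFECYCLE_ACTIONS.values() for a in acts}
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        sid = stmt.get("Sid", "<no Sid>")
        for action in actions:
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action!r}")
            elif action not in allowed:
                findings.append(f"{sid}: action {action!r} is not needed for application lifecycle management")
    return findings


# Constructed example of an over-broad policy someone might be tempted to attach.
SLOPPY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TooBroad", "Effect": "Allow",
         "Action": ["sso:*", "redshift:CreateCluster"], "Resource": "*"}
    ],
}

if __name__ == "__main__":
    print(json.dumps(build_policy(["Create", "Describe"]), indent=2))
    for finding in audit_policy(SLOPPY_POLICY):
        print("finding:", finding)
```

`build_policy` uses `"Resource": "*"` by default because the page does not state resource-level restrictions for these actions; narrow it to specific application ARNs where your account's policy conventions allow.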

Setting up Redshift as an Amazon managed application with Amazon IAM Identity Center

Before Amazon IAM Identity Center can manage identities for an Amazon Redshift provisioned cluster or an Amazon Redshift Serverless workgroup, the Redshift administrator must complete the steps to make Redshift an Amazon IAM Identity Center managed application:

  1. Select Amazon IAM Identity Center integration in the Amazon Redshift or Amazon Redshift Serverless console menu, and then select Connect to Amazon IAM Identity Center. From there you step through a series of selections to populate the properties for Amazon IAM Identity Center integration.

  2. Choose a display name and a unique name for Redshift's Amazon IAM Identity Center-managed application.

  3. Specify the namespace for your organization. This is typically an abbreviated version of your organization's name. It's added as a prefix for your Amazon IAM Identity Center-managed users and roles in the Redshift database.

  4. Select an IAM role to use. This IAM role should be separate from others used for Redshift, and we recommend that it isn't used for other purposes. The specific policy permissions required are the following:

    • sso:DescribeApplication – Required to create an identity provider (IdP) entry in the catalog.

    • sso:DescribeInstance – Used to manually create IdP federated roles or users.

  5. Configure client connections and trusted token issuers. Configuring trusted token issuers facilitates trusted identity propagation by setting up a relationship with an external identity provider. Identity propagation makes it possible for a user, for example, to sign into one application and access specific data in another application. This allows users to gather data from disparate locations more seamlessly. At this step, in the console, you set attributes for each trusted token issuer. The attributes include the name and the audience claim (or aud claim), which you might have to get from the tool's or service's configuration attributes. You might also need to supply the application name from the third-party tool's JSON Web Token (JWT).

    Note

    The aud claim required from each third-party tool or service can vary, based on the token type, which can be an access token issued by an identity provider, or another type, like an ID token. Each vendor can be different. When you’re implementing trusted-identity propagation and integrating with Redshift, it’s required to supply the correct aud value for the token type that the third-party tool sends to Amazon. Check the recommendations of your tool or service vendor.

    For detailed information regarding trusted-identity propagation, see How trusted identity propagation works. Also, refer to the beta documentation for Amazon IAM Identity Center that accompanies this documentation.
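Finding the right aud value usually means looking at a token the third-party tool actually sends. The following Python is an added example, not code from the page or from Amazon: it decodes the header and payload of a JWT to report its issuer, audience list and a best-effort token type, without verifying the signature (which is enough to fill in the console form, and never enough for an authorization decision). The sample tokens, issuer URL, audiences and key id are constructed; the typ "at+jwt" check follows RFC 9068, and the nonce heuristic for ID tokens is this example's own assumption.

```python
import base64
import json


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def token_audience(jwt):
    """Return (issuer, [audiences], token_kind) read from a JWT's payload.

    The signature is NOT verified: the only purpose is to see which 'aud' value
    and issuer a vendor's token carries so the trusted token issuer entry can be
    configured correctly. Do not use this function to trust a token.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated parts")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    if "aud" not in claims:
        raise ValueError("token carries no 'aud' claim")
    aud = claims["aud"]
    audiences = [aud] if isinstance(aud, str) else list(aud)

    # RFC 9068 access tokens announce themselves with typ "at+jwt"; OIDC ID tokens
    # commonly carry the client's nonce. Anything else is reported as unknown.
    if header.get("typ", "").lower() == "at+jwt":
        kind = "access_token"
    elif "nonce" in claims:
        kind = "id_token"
    else:
        kind = "unknown"
    return claims.get("iss"), audiences, kind


def make_sample_token(header, claims):
    """Build a JWT-shaped string with a placeholder signature (constructed test data only)."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{enc(header)}.{enc(claims)}.placeholder-signature"


# Constructed samples: an access token and an ID token from a fictitious IdP.
SAMPLE_ACCESS_TOKEN = make_sample_token(
    {"alg": "RS256", "typ": "at+jwt", "kid": "example-key"},
    {"iss": "https://idp.example.com", "aud": "api://redshift-dashboard",
     "scope": "openid profile", "sub": "user@example.com"},
)
SAMPLE_ID_TOKEN = make_sample_token(
    {"alg": "RS256", "typ": "JWT"},
    {"iss": "https://idp.example.com", "aud": ["client-id-123"],
     "nonce": "n-0S6_WzA2Mj", "sub": "user@example.com"},
)

if __name__ == "__main__":
    for label, tok in (("access", SAMPLE_ACCESS_TOKEN), ("id", SAMPLE_ID_TOKEN)):
        iss, aud, kind = token_audience(tok)
        print(f"{label}: iss={iss} aud={aud} kind={kind}")
```

The two sample tokens illustrate the point in the note above: the same identity provider puts a different aud in its access token and its ID token, so the value you enter must match the token type your tool actually sends.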

After the Redshift administrator finishes the steps and saves the configuration, the Amazon IAM Identity Center properties appear in the Redshift console. You can also query the system view SVV_IDENTITY_PROVIDERS to verify the application's properties. These include the application name and the namespace. You use the namespace as a prefix for Redshift database objects that are associated with the application. Completing these tasks makes Redshift an Amazon IAM Identity Center enabled application. The properties in the console include the integration status. It says Enabled when the integration is completed. After this process, Amazon IAM Identity Center integration can be enabled on each new cluster.

After configuration, you can include users and groups from Amazon IAM Identity Center in Redshift by choosing the Users or Groups tab and choosing Assign.

Enabling Amazon IAM Identity Center integration for a new Amazon Redshift cluster or Amazon Redshift Serverless workgroup

Your database administrator configures new Redshift resources to work in alignment with Amazon IAM Identity Center to make sign-in and data access easier. This is performed as part of the steps to create a provisioned cluster or a Serverless workgroup. Anyone with permissions to create Redshift resources can perform these Amazon IAM Identity Center integration tasks. When you create a provisioned cluster, you start by choosing Create Cluster in the Amazon Redshift console. The steps that follow show how to enable Amazon IAM Identity Center management for a database. (They don't include all of the steps to create a cluster.)

  1. Choose Enable for <your cluster name> in the section for IAM Identity Center integration in the create-cluster steps.

  2. There's a step in the process when you enable integration. You do this by choosing Enable IAM Identity Center integration in the console.

  3. For the new cluster or workgroup, create database roles in Redshift using SQL commands. The following is the command:

    CREATE ROLE <idcnamespace:rolename>;

    The namespace and role name are the following:

    • IAM Identity Center namespace prefix – This is the namespace you defined when you set up the connection between Amazon IAM Identity Center and Redshift.

    • Role name – This Redshift database role must match the group name in Amazon IAM Identity Center.

    Redshift connects with Amazon IAM Identity Center and fetches the information needed to create and map the database role to the Amazon IAM Identity Center group.

Note that when a new data warehouse is created, the IAM role specified for Amazon IAM Identity Center integration is automatically attached to the provisioned cluster or Amazon Redshift Serverless workgroup. After you finish entering the required cluster metadata and create the resource, you can check the status for Amazon IAM Identity Center integration in the properties. If your group names in Amazon IAM Identity Center have spaces, it's required to use quotes in SQL when you create the matching role.
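Because the role name has to match the Identity Center group name exactly, it is worth generating the CREATE ROLE statements from the group list rather than typing them. The following Python is an added example, not code from the page or from Amazon: it builds the namespace:group role name, emits a CREATE ROLE statement, and reports groups that still lack a role. It always double-quotes the identifier (this example's conservative choice, so spaces and letter case in group names survive, rather than only quoting names with spaces as the page describes), and it assumes the existing role names come from querying the SVV_ROLES system view, which the page does not mention.

```python
def quote_identifier(name):
    """Double-quote a Redshift identifier, escaping any embedded double quotes."""
    return '"' + name.replace('"', '""') + '"'


def role_name(namespace, group):
    """Map an IAM Identity Center group name to its Redshift role name: namespace:group."""
    if not namespace or not group:
        raise ValueError("namespace and group must be non-empty")
    if ":" in namespace:
        raise ValueError("namespace must not contain ':' (it separates namespace from group)")
    return f"{namespace}:{group}"


def create_role_sql(namespace, group):
    """CREATE ROLE statement for one group.

    The identifier is always quoted (this example's choice): unquoted Redshift
    identifiers are folded to lower case and cannot contain spaces or ':'.
    """
    return f"CREATE ROLE {quote_identifier(role_name(namespace, group))};"


def unmapped_groups(namespace, idc_groups, existing_roles):
    """Return the Identity Center groups that have no matching database role yet.

    existing_roles holds role names as stored in the database (e.g. from
    SVV_ROLES). Comparison is exact because quoted identifiers are case-sensitive.
    """
    existing = set(existing_roles)
    return [g for g in idc_groups if role_name(namespace, g) not in existing]


if __name__ == "__main__":
    # Constructed inputs: a namespace, groups synced into Identity Center, and
    # the roles that already exist in the database.
    namespace = "MYCO"
    groups = ["sales", "Sales Analysts", "finance"]
    already_created = {"MYCO:sales"}
    for g in unmapped_groups(namespace, groups, already_created):
        print(create_role_sql(namespace, g))
```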

After you enable the Redshift database and create roles, you are ready to connect to the database with Amazon Redshift query editor v2 or Amazon QuickSight. The details are explained further in sections that follow.

Setting up the default RedshiftIdcApplication using the API

Setup is performed by your identity administrator. Using the API, you create and populate a RedshiftIdcApplication, which represents the Redshift application within Amazon IAM Identity Center.

  1. To start, you can create users and add them to groups in Amazon IAM Identity Center. You do this in the Amazon console for Amazon IAM Identity Center.

  2. Call create-redshift-idc-application to create an Amazon IAM Identity Center application and make it compatible with Redshift usage. You create the application by populating the required values. The display name is the name to display on the Amazon IAM Identity Center dashboard. The IAM role ARN is an ARN that has permissions to Amazon IAM Identity Center and is also assumable by Redshift.

    aws redshift create-redshift-idc-application \
        --idc-instance-arn 'arn:aws:sso:::instance/ssoins-1234a01a1b12345d' \
        --identity-namespace 'MYCO' \
        --idc-display-name 'TEST-NEW-APPLICATION' \
        --iam-role-arn 'arn:aws:redshift:us-east-1:012345678901:role/TestRedshiftRole' \
        --redshift-idc-application-name 'myredshiftidcapplication'

    The following example shows a sample RedshiftIdcApplication response that's returned from the call to create-redshift-idc-application.

    "RedshiftIdcApplication": {
        "IdcInstanceArn": "arn:aws:sso:::instance/ssoins-1234a01a1b12345d",
        "RedshiftIdcApplicationName": "test-application-1",
        "RedshiftIdcApplicationArn": "arn:aws:redshift:us-east-1:012345678901:redshiftidcapplication:12aaa111-3ab2-3ab1-8e90-b2d72aea588b",
        "IdentityNamespace": "MYCO",
        "IdcDisplayName": "Redshift-Idc-Application",
        "IamRoleArn": "arn:aws:redshift:us-east-1:012345678901:role/TestRedshiftRole",
        "IdcManagedApplicationArn": "arn:aws:sso::012345678901:application/ssoins-1234a01a1b12345d/apl-12345678910",
        "IdcOnboardStatus": "Completed",
        "AuthorizedTokenIssuerList": [
            {
                "TrustedTokenIssuerArn": ...,
                "AuthorizedAudiencesList": [...]
            },
            ...
        ]
    }

  3. You can use create-application-assignment to assign particular groups or individual users to the managed application in Amazon IAM Identity Center. By doing this, you can specify groups to manage through Amazon IAM Identity Center. If the database administrator creates database roles in Redshift, group names in Amazon IAM Identity Center map to the role names in Redshift. The roles control permissions in the database. For more information, see Assign user access to applications in the Amazon IAM Identity Center console.

  4. After you enable the application, call create-cluster and include the Redshift managed application ARN from Amazon IAM Identity Center. Doing this associates the cluster with the managed application in Amazon IAM Identity Center.
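Before calling create-cluster with the application ARN, it pays to confirm that the application finished onboarding and that its trusted token issuers authorize only the audiences you intended, since every authorized audience is an external token that will be accepted for identity propagation. The following Python is an added example, not code from the page or from Amazon: it checks a create-redshift-idc-application (or describe) response dictionary and returns findings. The sample response is constructed in the shape of the documented fields; its ARNs, IDs and account number are placeholders.

```python
# Constructed response in the shape returned by create-redshift-idc-application.
# Every ARN, ID and account number below is a placeholder, not a real resource.
SAMPLE_RESPONSE = {
    "RedshiftIdcApplication": {
        "IdcInstanceArn": "arn:aws:sso:::instance/ssoins-EXAMPLE",
        "RedshiftIdcApplicationName": "myredshiftidcapplication",
        "RedshiftIdcApplicationArn": "arn:aws:redshift:us-east-1:111122223333:redshiftidcapplication:EXAMPLE-ID",
        "IdentityNamespace": "MYCO",
        "IdcDisplayName": "TEST-NEW-APPLICATION",
        "IamRoleArn": "arn:aws:iam::111122223333:role/TestRedshiftRole",
        "IdcManagedApplicationArn": "arn:aws:sso::111122223333:application/ssoins-EXAMPLE/apl-EXAMPLE",
        "IdcOnboardStatus": "Completed",
        "AuthorizedTokenIssuerList": [
            {
                "TrustedTokenIssuerArn": "arn:aws:sso::111122223333:trustedTokenIssuer/ssoins-EXAMPLE/tti-EXAMPLE",
                "AuthorizedAudiencesList": ["api://redshift-dashboard"],
            }
        ],
    }
}


def check_onboarding(response, expected_namespace, expected_audiences=frozenset()):
    """Verify an application response before associating clusters with it.

    Returns a list of findings; an empty list means the application is onboarded,
    uses the expected namespace and IAM role, and authorizes no audience beyond
    the ones passed in expected_audiences.
    """
    app = response.get("RedshiftIdcApplication") or {}
    findings = []
    status = app.get("IdcOnboardStatus")
    if status != "Completed":
        findings.append(f"onboarding status is {status!r}, not 'Completed'")
    namespace = app.get("IdentityNamespace")
    if namespace != expected_namespace:
        findings.append(f"identity namespace is {namespace!r}, expected {expected_namespace!r}")
    if not app.get("IamRoleArn"):
        findings.append("IamRoleArn is missing")
    for issuer in app.get("AuthorizedTokenIssuerList", []):
        for aud in issuer.get("AuthorizedAudiencesList", []):
            if aud not in expected_audiences:
                findings.append(
                    f"issuer {issuer.get('TrustedTokenIssuerArn')} authorizes unexpected audience {aud!r}")
    return findings


if __name__ == "__main__":
    for finding in check_onboarding(SAMPLE_RESPONSE, "MYCO", {"api://redshift-dashboard"}):
        print("finding:", finding)
    print("done")
```

In practice the dictionary would come from `aws redshift describe-redshift-idc-applications` (or the matching SDK call) run after creation, so the same check can be repeated as a periodic drift control on the authorized audience list.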

Associating an Amazon IAM Identity Center application with an existing cluster or workgroup

If you have an existing cluster or workgroup that you would like to enable for Amazon IAM Identity Center integration, you can do so by running SQL commands. You can also run SQL commands to change settings for the integration. For more information, see ALTER IDENTITY PROVIDER.

It's also possible to drop an existing identity provider. The following shows the syntax; specifying CASCADE also deletes the users and roles attached to the identity provider.

DROP IDENTITY PROVIDER <provider_name> [ CASCADE ]

Setting up user permissions

An administrator configures permissions to various resources, based on users' identity attributes and group memberships, within their identity provider or within Amazon IAM Identity Center directly. For example, the identity-provider administrator can add a database engineer to a group appropriate to their role. This group name maps to a Redshift database role name. The role provides or restricts access to specific tables or views in Redshift.