Connect Redshift with Amazon IAM Identity Center for a single sign-on experience
You can manage user and group access to Amazon Redshift data warehouses through trusted-identity propagation.
Trusted identity propagation is an Amazon IAM Identity Center feature that administrators of connected Amazon Web Services services can use to grant and audit access to service data. Access to this data is based on user attributes such as group associations. Setting up trusted identity propagation requires collaboration between the administrators of connected Amazon Web Services services and the IAM Identity Center administrators. For more information, see Prerequisites and considerations.
To illustrate one end-to-end case, you can use an Amazon QuickSight dashboard or Amazon Redshift query editor v2 to access Redshift. Access in this case is based on Amazon IAM Identity Center groups. Redshift can determine who a user is and their group memberships. Amazon IAM Identity Center also makes it possible to connect and manage identities through a third-party identity provider (IdP) like Okta or PingOne.
After your administrator sets up the connection between Redshift and Amazon IAM Identity Center, they can configure fine-grained access based on identity-provider groups to authorize user access to data.
Important
When you delete a user from an Amazon IAM Identity Center directory or a connected identity provider (IdP) directory, the user is not automatically deleted from the Amazon Redshift catalog. To remove the user from the Amazon Redshift catalog, run the DROP USER command for the user that was removed from Amazon IAM Identity Center or the IdP. For more information about how to drop a user, see DROP USER in the Amazon Redshift Database Developer Guide.
Benefits of Redshift integration with Amazon IAM Identity Center
Using Amazon IAM Identity Center with Redshift can benefit your organization in the following ways:
- Dashboard authors in Amazon QuickSight can connect to Redshift data sources without having to re-enter passwords or requiring an administrator to set up IAM roles with complex permissions.
- Amazon IAM Identity Center provides a central location for your workforce users in Amazon. You can create users and groups directly in Amazon IAM Identity Center or connect existing users and groups that you manage in a standards-based identity provider like Okta, PingOne, or Microsoft Entra ID (Azure AD). Amazon IAM Identity Center directs authentication to your chosen source of truth for users and groups, and it maintains a directory of users and groups for access by Redshift. For more information, see Manage your identity source and Supported identity providers in the Amazon IAM Identity Center User Guide.
- You can share one Amazon IAM Identity Center instance with multiple Redshift clusters and workgroups with a simple auto-discovery and connect capability. This makes it fast to add clusters without the extra effort of configuring the Amazon IAM Identity Center connection for each, and it ensures that all clusters and workgroups have a consistent view of users, their attributes, and groups. Note that your organization's Amazon IAM Identity Center instance must be in the same region as any Redshift datashares you're connecting to.
- Because user identities are known and logged along with data access, it's easier for you to meet compliance regulations through auditing user access in Amazon CloudTrail.
Administrator personas for connecting applications
The following are personas that are key to connecting analytics applications to the Amazon IAM Identity Center managed application for Redshift:
- Application administrator – Creates an application and configures which services it will enable identity-token exchanges with. This administrator also specifies which users or groups have access to the application.
- Data administrator – Configures fine-grained access to data. Users and groups in Amazon IAM Identity Center can map to specific permissions.
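The following SQL illustrates the data administrator's side of this setup and the cleanup described in the Important note above. It is an added example, not a snippet from this page or from the Amazon Redshift documentation, and everything in it is assumed: an Identity Center namespace of awsidc (the namespace chosen when the Redshift application was registered), an Identity Center group named analysts, a schema named sales, and a user alice@example.com who has been removed from the IdP directory. Identity Center groups appear in Redshift as roles named namespace:group and users as namespace:user, so grants go to the group role rather than to individual users.

```sql
-- Added example (not from the AWS documentation page). Hypothetical assumptions:
--   * the Identity Center namespace for this Redshift application is "awsidc"
--   * an Identity Center group named "analysts" exists
--   * a schema "sales" exists in the database
--   * the user alice@example.com was deleted from the IdP directory

-- 1. Identity Center groups surface in Redshift as roles named <namespace>:<group>.
--    Confirm the role has been provisioned before granting anything to it.
SELECT role_name, role_owner
FROM svv_roles
WHERE role_name LIKE 'awsidc:%';

-- 2. Fine-grained access (data administrator persona): grant read-only access on
--    one schema to the group role, not to individual users. Membership changes
--    made in the IdP then take effect without touching these grants.
GRANT USAGE ON SCHEMA sales TO ROLE "awsidc:analysts";
GRANT SELECT ON ALL TABLES IN SCHEMA sales TO ROLE "awsidc:analysts";

-- 3. Audit: which Identity Center users currently hold the role.
SELECT user_name, role_name, admin_option
FROM svv_user_grants
WHERE role_name = 'awsidc:analysts';

-- 4. Cleanup after a user is deleted in Identity Center or the IdP: the catalog
--    entry remains until DROP USER runs. List namespace-prefixed users, then drop
--    the stale one. Any objects the user owns must be reassigned or dropped
--    first, otherwise DROP USER fails.
SELECT usename, usesysid
FROM pg_user
WHERE usename LIKE 'awsidc:%';

DROP USER "awsidc:alice@example.com";
```

Granting to the group role instead of to users is what makes the "delete in the IdP" path safe: the deleted user loses access as soon as their Identity Center session is gone, and the DROP USER step only removes the leftover catalog entry.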
Connecting to Amazon Redshift with Amazon IAM Identity Center through Amazon QuickSight
For the steps to authenticate from QuickSight to Redshift when Redshift is connected to Amazon IAM Identity Center and access is managed there, see Authorizing connections from QuickSight to Amazon Redshift clusters. These steps apply to Amazon Redshift Serverless too.
Connecting to Amazon Redshift with Amazon IAM Identity Center through Amazon Redshift query editor v2
Upon completing the steps to set up an Amazon IAM Identity Center connection with Redshift, the user can access the database and appropriate objects in the database through their Amazon IAM Identity Center-based, namespace-prefixed identity. For more information about connecting to Redshift databases with query editor v2 sign-in, see Working with query editor v2.
Limitations for connecting to Amazon Redshift with Amazon IAM Identity Center
When using Amazon IAM Identity Center single sign-on, consider the following limitation:
No support for enhanced VPC – Enhanced VPC isn't supported when you use Amazon IAM Identity Center single sign-on for Amazon Redshift. For more information about enhanced VPC, see Enhanced VPC routing in Amazon Redshift.