Connect Redshift with Amazon IAM Identity Center for a single sign-on experience
You can manage user and group access to Amazon Redshift data warehouses through trusted-identity propagation. This works through a connection between Redshift and Amazon IAM Identity Center, which gives your users a single sign-on experience and lets you bring in users and groups from your directory and assign permissions directly to them. The same connection also lets you tie in additional tools and services. To illustrate one end-to-end case, you can use an Amazon QuickSight dashboard or Amazon Redshift query editor v2 to access Redshift, with access based on Amazon IAM Identity Center groups: Redshift can determine who a user is and which groups they belong to. Amazon IAM Identity Center also makes it possible to connect and manage identities through a third-party identity provider (IdP) like Okta or PingOne.
After your administrator sets up the connection between Redshift and Amazon IAM Identity Center, they can configure fine-grained access based on identity-provider groups to authorize user access to data.
Important
When you delete a user from an Amazon IAM Identity Center or a connected identity provider (IdP) directory, the user is not automatically deleted from the Amazon Redshift catalog. To manually delete the user from the Amazon Redshift catalog, run the DROP USER command to fully delete the user that was removed from Amazon IAM Identity Center or the IdP. For more information about how to drop a user, see DROP USER in the Amazon Redshift Database Developer Guide.
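The following is an added example, not code from the Amazon Redshift documentation, showing how an administrator can reconcile the Redshift catalog against the directory after an Identity Center user is removed. It assumes the Identity Center namespace prefix configured for the Redshift application is `awsidc` (a placeholder; use your own namespace), that the removed user appeared in Redshift as `awsidc:jane.doe`, and that `sales.orders` and `admin_user` are constructed names for an object the stale user owned and the owner it is transferred to.

```sql
-- Added example (not from the Amazon Redshift documentation): find and remove a
-- Redshift catalog user whose IAM Identity Center identity has already been deleted.
-- Assumptions: the namespace prefix is 'awsidc' (placeholder), the removed user was
-- 'awsidc:jane.doe', and 'sales.orders' / 'admin_user' are constructed names.

-- 1. List every Identity Center-managed user still present in the catalog so it can
--    be compared with the current directory. Identity Center users carry the
--    namespace prefix, so the prefix is what separates them from local users.
SELECT usename, usesysid, usesuper
FROM pg_user
WHERE usename LIKE 'awsidc:%'
ORDER BY usename;

-- 2. DROP USER fails while the user still owns objects, so locate anything the
--    stale identity owns and transfer it to an administrative owner first.
SELECT schemaname, tablename
FROM pg_tables
WHERE tableowner = 'awsidc:jane.doe';

ALTER TABLE sales.orders OWNER TO admin_user;   -- repeat for each object listed above

-- 3. Remove the stale catalog entry. The identifier contains a colon, so it must be
--    double-quoted; IF EXISTS keeps the statement safe to rerun from a scheduled
--    reconciliation job.
DROP USER IF EXISTS "awsidc:jane.doe";
```

Step 1 is worth running on a schedule even when no deletion is known to have happened: a catalog user with no matching directory identity is a stale principal that still appears in audit records and still holds whatever grants it was given. Besides object ownership, DROP USER is also refused while the user holds privileges on tables, databases, or groups, so revoke those before step 3 if the statement is rejected.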
The benefits of Redshift integration with Amazon IAM Identity Center
Using Amazon IAM Identity Center with Redshift can benefit your organization in the following ways:
- Dashboard authors in Amazon QuickSight can connect to Redshift data sources without having to re-enter passwords or requiring an administrator to set up IAM roles with complex permissions.
- Amazon IAM Identity Center provides a central location for your workforce users in Amazon. You can create users and groups directly in Amazon IAM Identity Center or connect existing users and groups that you manage in a standards-based identity provider like Okta, PingOne, or Microsoft Entra ID (Azure AD). Amazon IAM Identity Center directs authentication to your chosen source of truth for users and groups, and it maintains a directory of users and groups for access by Redshift. For more information, see Manage your identity source and Supported identity providers in the Amazon IAM Identity Center User Guide.
- You can share one Amazon IAM Identity Center instance with multiple Redshift clusters and workgroups with a simple auto-discovery and connect capability. This makes it fast to add clusters without the extra effort of configuring the Amazon IAM Identity Center connection for each, and it ensures that all clusters and workgroups have a consistent view of users, their attributes, and groups. Note that your organization's Amazon IAM Identity Center instance must be in the same region as any Redshift datashares you're connecting to.
- Because user identities are known and logged along with data access, it's easier for you to meet compliance regulations through auditing user access in Amazon CloudTrail.
Administrator personas for connecting applications
The following are personas that are key to connecting analytics applications to the Amazon IAM Identity Center managed application for Redshift:
- Application administrator – Creates an application and configures which services it will enable identity-token exchanges with. This administrator also specifies which users or groups have access to the application.
- Data administrator – Configures fine-grained access to data. Users and groups in Amazon IAM Identity Center can map to specific permissions.
Connecting to Amazon Redshift with Amazon IAM Identity Center through Amazon QuickSight
The following shows how to use Amazon QuickSight to authenticate with Redshift when Redshift is connected to Amazon IAM Identity Center and access is managed through it: Authorizing connections from Amazon QuickSight to Amazon Redshift clusters. These steps apply to Amazon Redshift Serverless too.
Connecting to Amazon Redshift with Amazon IAM Identity Center through Amazon Redshift query editor v2
Upon completing the steps to set up an Amazon IAM Identity Center connection with Redshift, the user can access the database and appropriate objects in the database through their Amazon IAM Identity Center-based, namespace-prefixed identity. For more information about connecting to Redshift databases with query editor v2 sign-in, see Working with query editor v2.