Trusted identity propagation use cases - Amazon IAM Identity Center

As an IAM Identity Center administrator, you might be asked to help configure trusted identity propagation between the initiating applications listed below, which support this capability, and the connected Amazon services they access. The following sections describe the specific use cases supported by each application that can initiate trusted identity propagation.

Amazon EMR

You can use Amazon EMR as the initiating application for the following trusted identity propagation use cases.

Description: Run interactive analyses with Spark on Amazon EMR on Amazon EC2 clusters via Amazon EMR Studio. Apply access control based on workforce identities and associated attributes for the Amazon Glue Catalog through Amazon Lake Formation and for Amazon S3 locations through Amazon S3 Access Grants.
Other Amazon services used: Amazon EMR on Amazon EC2 (authorized through Amazon Lake Formation and Amazon S3 Access Grants), Amazon S3

Description: Run ad hoc analyses with Trino on Athena via Amazon EMR Studio. Apply access control based on workforce identities and associated attributes for the Amazon Glue Catalog through Amazon Lake Formation, and isolate the query results location through Amazon S3 Access Grants.
Other Amazon services used: Athena (authorized through Amazon Lake Formation and Amazon S3 Access Grants)

Amazon QuickSight

You can use Amazon QuickSight as the initiating application for the following trusted identity propagation use cases.

Description: Amazon QuickSight users can query Amazon Redshift data. Data access is granted in Amazon Redshift by an Amazon Redshift administrator.
Other Amazon services used: Amazon Redshift

Description: Amazon QuickSight can query Amazon Redshift Spectrum for structured data in Amazon S3, with access that is authorized by an Amazon Lake Formation administrator.
Other Amazon services used: Amazon Redshift, Amazon S3 structured data (through Amazon Redshift Spectrum, authorized through Amazon Lake Formation)

Description: Amazon QuickSight can query Amazon Redshift datashares for structured data in Amazon S3, with access that is authorized by an Amazon Lake Formation administrator.
Other Amazon services used: Amazon Redshift datashares, Amazon S3 structured data (authorized through Amazon Lake Formation)

Amazon Redshift Query Editor v2

You can use Amazon Redshift Query Editor v2 as the initiating application for the following trusted identity propagation use cases.

Description: Amazon Web Services Management Console users can use Amazon Redshift Query Editor v2 to query Amazon Redshift for data, with access that is authorized by an Amazon Redshift administrator.
Other Amazon services used: Amazon Redshift

Description: Amazon Web Services Management Console users can use Amazon Redshift Query Editor v2 to query Amazon Redshift Spectrum for structured data in Amazon S3, with access that is authorized by an Amazon Lake Formation administrator.
Other Amazon services used: Amazon Redshift, Amazon S3 structured data (through Amazon Redshift Spectrum, authorized through Amazon Lake Formation)

Description: Amazon Web Services Management Console users can use Amazon Redshift Query Editor v2 to query Amazon Redshift datashares for structured data in Amazon S3, with access that is authorized by an Amazon Lake Formation administrator.
Other Amazon services used: Amazon Redshift datashares, Amazon S3 structured data (authorized through Amazon Lake Formation)

Third-party business intelligence applications

You can use a third-party business intelligence application, such as Tableau, as the initiating application for specific trusted identity propagation use cases. A third-party business intelligence application that has been modified for this purpose can pass the identity of a user to the Amazon Redshift driver through OAuth identity tokens or access tokens in order to query Amazon Redshift for data, with access that is authorized by an Amazon Redshift administrator.

Custom-developed applications

You can use your own custom-developed applications as an initiating application for the following trusted identity propagation use cases.

Description: Create an application that authenticates users through an OIDC authorization server, then uses Amazon IAM Identity Center and IAM to obtain an identity-enhanced IAM role credential. This credential is used to request access to unstructured data in Amazon S3, with access that is authorized by an Amazon S3 Access Grants administrator.
Other Amazon services used: Amazon IAM Identity Center, Amazon S3 unstructured data (authorized through Amazon S3 Access Grants)
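The custom-application flow described above, as an added example written for boto3 (not code from the IAM Identity Center documentation). It assumes the application's OIDC issuer is already registered as a trusted token issuer in IAM Identity Center and that the application's own IAM credentials are available through the default credential chain; every client ID, ARN, account ID and S3 URI is a placeholder supplied by the caller, and the sample token is constructed locally.

```python
import base64
import json

IDC_CONTEXT_PROVIDER_ARN = "arn:aws:iam::aws:contextProvider/IdentityCenter"  # ProviderArn STS expects
IDENTITY_CONTEXT_CLAIM = "sts:identity_context"


def extract_identity_context(idc_id_token: str) -> str:
    """Read the sts:identity_context claim from an Identity Center ID token (a JWT).
    Only the payload is decoded; STS re-validates the assertion in AssumeRole."""
    _header, payload, _signature = idc_id_token.split(".")
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if IDENTITY_CONTEXT_CLAIM not in claims:
        raise ValueError("no %s claim; token must come from CreateTokenWithIAM"
                         % IDENTITY_CONTEXT_CLAIM)
    return claims[IDENTITY_CONTEXT_CLAIM]

def provided_contexts(identity_context: str) -> list:
    """Shape the ProvidedContexts argument of sts.assume_role."""
    return [{"ProviderArn": IDC_CONTEXT_PROVIDER_ARN,
             "ContextAssertion": identity_context}]

def build_unsigned_sample_token(claims: dict) -> str:
    """Constructed, unsigned JWT for offline testing only; STS would reject it."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return b64({"alg": "none"}) + "." + b64(claims) + "."

def s3_credentials_for_user(external_id_token, idc_client_id, role_arn,
                            account_id, s3_uri, region):
    """Full exchange against AWS; needs boto3, network and the app's IAM credentials."""
    import boto3  # local import keeps the helpers above usable offline
    # Exchange the app's OIDC ID token (JWT bearer) for an Identity Center token.
    idc = boto3.client("sso-oidc", region_name=region).create_token_with_iam(
        clientId=idc_client_id, assertion=external_id_token,
        grantType="urn:ietf:params:oauth:grant-type:jwt-bearer")
    # Identity-enhanced role session: CloudTrail now records the workforce user.
    creds = boto3.client("sts", region_name=region).assume_role(
        RoleArn=role_arn, RoleSessionName="tip-custom-app",
        ProvidedContexts=provided_contexts(
            extract_identity_context(idc["idToken"])))["Credentials"]
    s3control = boto3.client(
        "s3control", region_name=region, aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"])
    # Access Grants maps this user's identity to the requested S3 location.
    return s3control.get_data_access(
        AccountId=account_id, Target=s3_uri, Permission="READ")["Credentials"]
```

Only the token helpers run offline; s3_credentials_for_user needs boto3 and an account where the Identity Center application, the role and the S3 Access Grants instance already exist.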