Trusted identity propagation use cases - Amazon IAM Identity Center
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Trusted identity propagation use cases

As an IAM Identity Center administrator, you might be asked to help configure trusted identity propagation between the following initiating applications that support this capability and connected Amazon services. The following sections provide more information about the specific use cases supported by applications that can initiate trusted identity propagation.

Amazon EMR

You can use Amazon EMR as the initiating application for the following trusted identity propagation use cases.

Description Other Amazon services used Learn more

Run interactive analyses with Apache Spark on Amazon EMR on Amazon EC2 clusters through Amazon EMR Studio. Apply access control based on workforce identities and associated attributes for Amazon Glue Catalog through Amazon Lake Formation.

Amazon EMR on Amazon EC2 authorized through Amazon Lake Formation, Amazon S3 Access Grants, Amazon S3, Amazon Service Catalog

Note
  • Requires access through Amazon EMR Studio.

  • Table-level access control only.

  • Apache Hive, PrestoSQL/Trino, and EMR Serverless are not supported.

Run adhoc analyses with Trino on Athena through Amazon EMR Studio. Apply access control based on workforce identities and associated attributes for Amazon Glue Catalog through Amazon Lake Formation. Secure access to an Athena query result bucket location in Amazon S3 by using Amazon S3 Access Grants.

Athena authorized through Amazon Lake Formation, Amazon S3 Access Grants

Note

Requires access through Amazon EMR Studio. Direct access from the Amazon Athena console is not supported.

Amazon QuickSight

You can use Amazon QuickSight as the initiating application for the following trusted identity propagation use cases.

Description Other Amazon services used Learn more

Amazon QuickSight users can query Amazon Redshift data. Data access is granted in Amazon Redshift by an Amazon Redshift administrator.

Amazon Redshift

Amazon QuickSight users can query Amazon Redshift Spectrum for structured data in Amazon S3, with access that is authorized by an Amazon Lake Formation administrator.

Amazon Redshift Spectrum, Amazon S3 structured data

*Through Amazon Redshift Spectrum authorized through Amazon Lake Formation

Amazon QuickSight users can query Amazon Redshift datashares for structured data in Amazon S3, with access that is authorized by an Amazon Lake Formation administrator.

Amazon Redshift datashares, Amazon S3 structured data

*Through Amazon Redshift authorized through Amazon Lake Formation

Amazon Redshift query editor v2

You can use Amazon Redshift query editor v2 as the initiating application for the following trusted identity propagation use cases.

Description Other Amazon services used Learn more

Amazon Redshift query editor v2 users can query Amazon Redshift data. Data access is granted in Amazon Redshift by an Amazon Redshift administrator.

Amazon Redshift

Amazon Redshift query editor v2 users can query Amazon Redshift Spectrum external tables for structured data in Amazon S3, with access that is authorized by an Amazon Lake Formation administrator.

Amazon Redshift Spectrum, Amazon S3 structured data

*Through Amazon Redshift Spectrum authorized through Amazon Lake Formation

Amazon Redshift query editor v2 users can query Amazon Redshift datashares with access that is authorized by an Amazon Lake Formation administrator.

Amazon Redshift datashares, Amazon Lake Formation

Third-party business intelligence applications

You can use a third-party business intelligence application such as Tableau, as the initiating application for specific trusted identity propagation use cases. Modified third-party business intelligence applications can pass the Amazon Redshift driver the identity of a user through OAuth identity tokens or access tokens, to query Amazon Redshift for data, with access that is authorized by an Amazon Redshift administrator.

Tableau

You can use Tableau Desktop, Tableau Server, and Tableau Prep as the initiating applications for the following trusted identity propagation use cases.

Description Other Amazon services used Learn more

Tableau users can query Amazon Redshift data. Data access is granted in Amazon Redshift by an Amazon Redshift administrator.

Amazon Redshift

Tableau users can query Amazon Redshift Spectrum external tables for structured data in Amazon S3, with access control based on workforce identities and associated attributes for Amazon Glue Data Catalog through Amazon Lake Formation.

Amazon Redshift Spectrum, Amazon S3 structured data

*Through Amazon Redshift Spectrum authorized via Amazon Lake Formation

Tableau users can query Amazon Redshift datashares with access control based on workforce identities and associated attributes for Amazon Glue Data Catalog through Amazon Lake Formation.

Amazon Redshift datashares, Amazon Lake Formation

Custom-developed applications

You can use your own custom-developed applications as an initiating application for the following trusted identity propagation use cases.

Description Other Amazon services used Learn more

Create an application that authenticates users through an OAuth authorization server, then use Amazon IAM Identity Center and IAM to obtain an identity-enhanced IAM role credential. This credential is used to request access to unstructured data in Amazon S3, with access that is authorized by an Amazon S3 Access Grants administrator.

Amazon IAM Identity Center, Amazon S3 unstructured data

*Authorized through Amazon S3 Access Grants

Build a custom application that interacts with Amazon Q Business to respond to user questions based on your own content and the user's permissions.

IAM Identity Center, Amazon Q Business