Use Identity Provider Authentication for Amazon Redshift Data Federation Connection

Add an identity provider (IdP) and create the necessary policies in AWS to use IdP-based authentication when connecting to a Redshift database using Amazon Redshift Data Federation Connection.

User Permissions Needed
  To create an Amazon Redshift Federation connection in Data Cloud: System Admin

Before you begin, be sure to set up your connection and note the generated External ID; the trust policy in step 4 depends on it.

  1. Add an identity provider for Salesforce in AWS.

    1. In the navigation pane of IAM, choose Identity providers, and then choose Add provider.

    2. For Configure provider, choose OpenID Connect.

    3. Enter the My Domain URL details for the provider URL and audience.

      IdP Details in AWS Management Console | URL Format | Example
      Provider URL | My Domain URL/services/connectors | https://dlt0000007luz2am-dev-ed.develop.test1.my.pc-rnd.salesforce.com/services/connectors
      Audience | My Domain URL | https://dlt0000007luz2am-dev-ed.develop.test1.my.pc-rnd.salesforce.com

      To find the My Domain URL of your org, go to Setup, click Settings, and then Company Settings. Click My Domain to find your Current My Domain URL. For more information, see My Domain.

    4. Verify the information you provided and choose Add provider.

      IAM attempts to retrieve and use the top intermediate CA thumbprint of the OIDC IdP server certificate to create the IAM OIDC identity provider.

  2. Create the necessary roles in AWS for the Data Cloud Redshift connector to connect to Redshift. See Creating a role using custom trust policies (console).

  3. Associate a permission policy to the role.

    Sample permission policy for Redshift Cluster.

    Sample permission policy for Redshift Workgroup (Serverless)

  4. Associate a trust policy to the role using the External ID obtained when you set up the connection.

    Sample trust policy

  5. Get the Amazon Resource Name (ARN) of the role and use it as the IAM Role Name when setting up Amazon Redshift Data Federation Connection.

  6. If you are setting up a role for Redshift Workgroup (serverless), make sure your role is part of the pg_user list.

    To check whether your role is part of the list, run the command select * from pg_user;. If the role isn't in the list, run the command create user IAMR:<username> password DISABLE; to create the database user with the same name as the role.

  7. If you’re setting up a role for Redshift Workgroup (serverless), grant read permissions on the schema with these statements.
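As an added example (these are not statements from this page or from Salesforce), the Redshift SQL for steps 6 and 7 collected in one script. <ROLE-NAME> is a placeholder for the IAM role name whose ARN you used as the IAM Role Name, and my_schema is an assumed schema name; the page's own grant statements for step 7 are not reproduced here, so the GRANT statements below are the standard Redshift read-only grants.

```sql
-- Added example, not from the Salesforce page: Redshift Serverless statements for
-- steps 6 and 7. <ROLE-NAME> is a placeholder for the IAM role name; my_schema is
-- an assumed schema. Redshift maps an IAM role to a database user named
-- IAMR:<role-name>; because of the colon the identifier must be double-quoted.

-- Step 6: check whether the role already has a database user.
SELECT usename, usesuper, usecreatedb
FROM pg_user
WHERE usename = 'IAMR:<ROLE-NAME>';

-- If the query returns no rows, create the user. PASSWORD DISABLE means the user
-- can only sign in through IAM-issued temporary credentials, never with a password.
CREATE USER "IAMR:<ROLE-NAME>" PASSWORD DISABLE;

-- Step 7: read-only access to the schema. USAGE lets the user reference the
-- schema; SELECT on ALL TABLES covers the tables that exist today.
GRANT USAGE ON SCHEMA my_schema TO "IAMR:<ROLE-NAME>";
GRANT SELECT ON ALL TABLES IN SCHEMA my_schema TO "IAMR:<ROLE-NAME>";

-- Optional: tables that the user running this statement creates later in the
-- schema also get SELECT, so the connector does not lose access to new tables.
ALTER DEFAULT PRIVILEGES IN SCHEMA my_schema
  GRANT SELECT ON TABLES TO "IAMR:<ROLE-NAME>";

-- Verify: the connector user should carry no superuser or createdb bit; it only
-- needs the schema grants above.
SELECT usename, usesuper, usecreatedb
FROM pg_user
WHERE usename = 'IAMR:<ROLE-NAME>';
```

Keep the grants to USAGE and SELECT: the federation connection only reads, and a role with broader rights on the cluster becomes a write path into Redshift if the External ID or trust policy is ever misconfigured.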