Use Identity Provider Authentication for Amazon Redshift Data Federation Connection
Add an identity provider (IdP) and create the necessary policies in AWS to use IdP-based authentication when connecting to a Redshift database using Amazon Redshift Data Federation Connection.
User Permissions Needed | 
---|---
To create an Amazon Redshift Federation connection in Data Cloud | System Admin
Before you begin, be sure to set up your connection and get the generated External ID.
- Add an identity provider for Salesforce in AWS.
  - In the navigation pane of IAM, choose Identity providers, and then choose Add provider.
  - For Configure provider, choose OpenID Connect.
  - Enter the My Domain URL details for the provider URL and audience.
    IdP Details in AWS Management Console | URL Format | Example
    ---|---|---
    Provider URL | My Domain URL/services/connectors | https://dlt0000007luz2am-dev-ed.develop.test1.my.pc-rnd.salesforce.com/services/connectors
    Audience | My Domain URL | https://dlt0000007luz2am-dev-ed.develop.test1.my.pc-rnd.salesforce.com

    To find the My Domain URL of your org, go to Setup, click Settings, and then Company Settings. Click My Domain to find your Current My Domain URL. For more information, see My Domain.
  - Verify the information you provided and choose Add provider.
    IAM attempts to retrieve and use the top intermediate CA thumbprint of the OIDC IdP server certificate to create the IAM OIDC identity provider.
- Create the necessary roles in AWS for the Data Cloud Redshift connector to connect to Redshift. See Creating a role using custom trust policies (console).
  - Associate a permission policy with the role.
    Sample permission policy for Redshift Cluster.
    Sample permission policy for Redshift Workgroup (Serverless).
  - Associate a trust policy with the role, using the External ID obtained when you set up the connection.
    Sample trust policy.
  - Get the Amazon Resource Name (ARN) of the role and use it as the IAM Role Name when setting up the Amazon Redshift Data Federation Connection.
  - If you're setting up a role for Redshift Workgroup (serverless), make sure your role is part of the pg_user list. To check whether your role is in the list, run `select * from pg_user;`. If the role isn't in the list, create the database user with the same name as the role: `create user "IAMR:<username>" password DISABLE;` (the user name is quoted because it contains a colon).
  - If you're setting up a role for Redshift Workgroup (serverless), grant read permissions on the schema with these statements.
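The trust policy step above is where the role gets bound to one Salesforce org and one connection; a trust policy that names the OIDC provider but omits the audience or External ID conditions lets any token the provider issues assume the role. The following checker is an added example, not Salesforce's sample trust policy: it derives the IAM provider identifier from the My Domain URL exactly as the table above does (host plus `/services/connectors`), and assumes a placeholder AWS account ID, a placeholder External ID, and that the External ID is matched against the token's `sub` claim.

```python
from urllib.parse import urlparse

# Constructed placeholder values; substitute your org's My Domain URL, the
# External ID generated by the Data Cloud connection setup and your account ID.
MY_DOMAIN_URL = "https://example-dev-ed.develop.my.salesforce.com"
EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID"   # placeholder, not a real External ID
ACCOUNT_ID = "123456789012"           # placeholder AWS account ID


def provider_host(my_domain_url):
    """OIDC provider identifier as IAM names it: host plus the provider path, no scheme."""
    return f"{urlparse(my_domain_url).netloc}/services/connectors"


def sample_trust_policy(my_domain_url, external_id, account_id):
    """A trust policy that only this org's provider, audience and External ID satisfy."""
    prov = provider_host(my_domain_url)
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{prov}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        # Assumption: the External ID is carried in the token's sub claim.
        "Condition": {"StringEquals": {f"{prov}:aud": my_domain_url,
                                       f"{prov}:sub": external_id}},
    }]}


def check_trust_policy(policy, my_domain_url, external_id, account_id):
    """Return a list of findings; an empty list means the role is bound to this org and connection."""
    prov = provider_host(my_domain_url)
    findings = []
    statements = policy.get("Statement") or []
    if not statements:
        return ["policy has no Statement"]
    for s in statements:
        if s.get("Effect") != "Allow":
            findings.append("statement Effect is not Allow")
        fed = (s.get("Principal") or {}).get("Federated")
        if fed != f"arn:aws:iam::{account_id}:oidc-provider/{prov}":
            findings.append(f"Principal.Federated is not the {prov} OIDC provider")
        action = s.get("Action")
        if action not in ("sts:AssumeRoleWithWebIdentity", ["sts:AssumeRoleWithWebIdentity"]):
            findings.append("Action must be exactly sts:AssumeRoleWithWebIdentity")
        equals = (s.get("Condition") or {}).get("StringEquals") or {}
        if equals.get(f"{prov}:aud") != my_domain_url:
            findings.append("audience condition missing or not the My Domain URL")
        if equals.get(f"{prov}:sub") != external_id:
            findings.append("External ID condition missing; any token from the provider could assume the role")
    return findings
```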