

Amazon Redshift will no longer support the creation of new Python UDFs starting Patch 198. Existing Python UDFs will continue to function until June 30, 2026. For more information, see the [blog post](https://aws.amazon.com/blogs/big-data/amazon-redshift-python-user-defined-functions-will-reach-end-of-support-after-june-30-2026/).

# Identity and access management in Amazon Redshift
<a name="redshift-iam-authentication-access-control"></a>

Access to Amazon Redshift requires credentials that AWS can use to authenticate your requests. Those credentials must have permissions to access AWS resources, such as an Amazon Redshift cluster. The following sections provide details on how you can use [AWS Identity and Access Management (IAM)](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) and Amazon Redshift to help secure your resources by controlling who can access them:
+ [Authentication with identities](#security_iam_authentication)
+ [Access control](#redshift-iam-accesscontrol)

**Important**  
This topic contains a collection of best practices for managing permissions, identities and secure access. We recommend that you get familiar with best practices for using IAM with Amazon Redshift. These include using IAM roles for applying permissions. Having a good understanding of these sections will help you maintain a more secure Amazon Redshift data warehouse.

## Authentication with identities
<a name="security_iam_authentication"></a>

Authentication is how you sign in to AWS using your identity credentials. You must be authenticated as the AWS account root user, an IAM user, or by assuming an IAM role.

You can sign in as a federated identity using credentials from an identity source like AWS IAM Identity Center (IAM Identity Center), single sign-on authentication, or Google/Facebook credentials. For more information about signing in, see [How to sign in to your AWS account](https://docs.aws.amazon.com/signin/latest/userguide/how-to-sign-in.html) in the *AWS Sign-In User Guide*.

For programmatic access, AWS provides an SDK and CLI to cryptographically sign requests. For more information, see [AWS Signature Version 4 for API requests](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html) in the *IAM User Guide*.

### AWS account root user
<a name="security_iam_authentication-rootuser"></a>

 When you create an AWS account, you begin with one sign-in identity called the AWS account *root user* that has complete access to all AWS services and resources. We strongly recommend that you don't use the root user for everyday tasks. For tasks that require root user credentials, see [Tasks that require root user credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks) in the *IAM User Guide*. 

### IAM users and groups
<a name="security_iam_authentication-iamuser"></a>

An *[IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html)* is an identity with specific permissions for a single person or application. We recommend using temporary credentials instead of IAM users with long-term credentials. For more information, see [Require human users to use federation with an identity provider to access AWS using temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp) in the *IAM User Guide*.

An *[IAM user group](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html)* specifies a collection of IAM users and makes permissions easier to manage for large sets of users. For more information, see [Use cases for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/gs-identities-iam-users.html) in the *IAM User Guide*.

### IAM roles
<a name="security_iam_authentication-iamrole"></a>

An *[IAM role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)* is an identity with specific permissions that provides temporary credentials. You can assume a role by [switching from a user to an IAM role (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-console.html) or by calling an AWS CLI or AWS API operation. For more information, see [Methods to assume a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage-assume.html) in the *IAM User Guide*.

IAM roles are useful for federated user access, temporary IAM user permissions, cross-account access, cross-service access, and applications running on Amazon EC2. For more information, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the *IAM User Guide*.

**Note**  
Forward access sessions (FAS) in Redshift are valid for 12 hours only. After this period, any connection session using FAS to integrate with other services must be re-established.

# Cross-service confused deputy prevention
<a name="cross-service-confused-deputy-prevention"></a>

The confused deputy problem is a security issue where an entity that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action. In AWS, cross-service impersonation can result in the confused deputy problem. Cross-service impersonation can occur when one service (the *calling service*) calls another service (the *called service*). The calling service can be manipulated to use its permissions to act on another customer's resources in a way it should not otherwise have permission to access. To prevent this, AWS provides tools that help you protect your data for all services with service principals that have been given access to resources in your account. For more information, see [Cross-service confused deputy prevention](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html#cross-service-confused-deputy-prevention) in the *IAM User Guide*.

We recommend using the [`aws:SourceArn`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn) and [`aws:SourceAccount`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount) global condition context keys in resource-based policies to limit the permissions that Amazon Redshift gives another service to the resource. If the `aws:SourceArn` value doesn't contain the account ID, such as an Amazon S3 bucket ARN, you must use both global condition context keys to limit permissions. If you use both global condition context keys and the `aws:SourceArn` value contains the account ID, the `aws:SourceAccount` value and the account in the `aws:SourceArn` value must use the same account ID when used in the same policy statement.

The following example shows a policy that you can apply to limit the confused deputy problem for Amazon Redshift.

```
{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "ConfusedDeputyPreventionForRedshift",
    "Effect": "Allow",
    "Principal": {
      "Service": "redshift.amazonaws.com"
    },
    "Action": "sts:AssumeRole",
    "Condition": {
      "ArnLike": {
        "aws:SourceArn": "arn:aws:redshift:us-east-1:123456789012:cluster:my-cluster"
      },
      "StringEquals": {
        "aws:SourceAccount": "123456789012"
      }
    }
  }
}
```

The following example shows a policy for Amazon Redshift Serverless.

```
{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "ConfusedDeputyPreventionForRedshiftServerless",
    "Effect": "Allow",
    "Principal": {
      "Service": "redshift-serverless.amazonaws.com"
    },
    "Action": "sts:AssumeRole",
    "Condition": {
      "ArnLike": {
        "aws:SourceArn": "arn:aws:redshift-serverless:us-east-1:123456789012:workgroup/my-workgroup"
      },
      "StringEquals": {
        "aws:SourceAccount": "123456789012"
      }
    }
  }
}
```
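The two trust policies above express rules that a reviewer can check mechanically. The following Python linter is an added example (not AWS code and not part of this page): it flags any `sts:AssumeRole` statement for a Redshift service principal that lacks the `aws:SourceArn`/`aws:SourceAccount` pin, that uses an ARN without an account ID (such as an S3 bucket ARN) without also setting `aws:SourceAccount`, or whose two account IDs disagree. It runs against the page's cluster trust policy plus constructed variants; the second account ID and the bucket name are placeholders.

```python
"""Lint an IAM role trust policy for the confused-deputy conditions this page
recommends (added example, not AWS code). A statement that lets a Redshift
service principal call sts:AssumeRole should carry aws:SourceArn and
aws:SourceAccount; when the ARN has no account ID both keys are required, and
when both are present the account IDs must agree."""
import re

REDSHIFT_PRINCIPALS = {"redshift.amazonaws.com", "redshift-serverless.amazonaws.com"}
# Captures the account field of an ARN (arn:partition:service:region:ACCOUNT:...).
ACCOUNT_IN_ARN = re.compile(r"^arn:[^:]*:[^:]*:[^:]*:(\d{12}):")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_values(condition, key):
    """All values bound to `key` under any operator; IAM condition keys are case-insensitive."""
    found = []
    for pairs in (condition or {}).values():
        for k, v in pairs.items():
            if k.lower() == key.lower():
                found.extend(str(x) for x in _as_list(v))
    return found


def _redshift_can_assume(stmt):
    """True for an Allow of sts:AssumeRole to a Redshift service principal."""
    if stmt.get("Effect") != "Allow":
        return False
    actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
    if not actions & {"sts:assumerole", "sts:*", "*"}:
        return False
    principal = stmt.get("Principal")
    services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
    return any(s in REDSHIFT_PRINCIPALS for s in services)


def check_trust_policy(policy):
    """Return a list of findings; an empty list means every Redshift statement is pinned."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if not _redshift_can_assume(stmt):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        arns = _condition_values(stmt.get("Condition"), "aws:SourceArn")
        accounts = _condition_values(stmt.get("Condition"), "aws:SourceAccount")
        if not arns and not accounts:
            findings.append(f"{sid}: no aws:SourceArn/aws:SourceAccount condition")
            continue
        if not arns:
            findings.append(f"{sid}: aws:SourceAccount alone; add aws:SourceArn to pin the resource")
        for arn in arns:
            match = ACCOUNT_IN_ARN.match(arn)
            if match is None and not accounts:
                findings.append(f"{sid}: aws:SourceArn '{arn}' has no account ID, so aws:SourceAccount is required")
            elif match and accounts and match.group(1) not in accounts:
                findings.append(f"{sid}: aws:SourceArn account {match.group(1)} does not match aws:SourceAccount {accounts}")
    return findings


def _trust(condition):
    """Build a trust policy from the page's Redshift statement and the given Condition (constructed)."""
    stmt = {"Sid": "ConfusedDeputyPreventionForRedshift", "Effect": "Allow",
            "Principal": {"Service": "redshift.amazonaws.com"}, "Action": "sts:AssumeRole"}
    if condition is not None:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": stmt}


# The policy shown on the page, plus three constructed variants that should be flagged.
PAGE_POLICY = _trust({"ArnLike": {"aws:SourceArn": "arn:aws:redshift:us-east-1:123456789012:cluster:my-cluster"},
                      "StringEquals": {"aws:SourceAccount": "123456789012"}})
NO_CONDITION = _trust(None)
BUCKET_ARN_ONLY = _trust({"ArnLike": {"aws:SourceArn": "arn:aws:s3:::example-bucket"}})  # S3 ARNs carry no account
MISMATCH = _trust({"ArnLike": {"aws:SourceArn": "arn:aws:redshift:us-east-1:123456789012:cluster:my-cluster"},
                   "StringEquals": {"aws:SourceAccount": "210987654321"}})  # placeholder second account

if __name__ == "__main__":
    for name, pol in [("page", PAGE_POLICY), ("no-condition", NO_CONDITION),
                      ("bucket-arn", BUCKET_ARN_ONLY), ("mismatch", MISMATCH)]:
        print(name, check_trust_policy(pol) or ["ok"])
```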

## Access control
<a name="redshift-iam-accesscontrol"></a>

You can have valid credentials to authenticate your requests, but unless you have permissions you cannot create or access Amazon Redshift resources. For example, you must have permissions to create an Amazon Redshift cluster, create a snapshot, add an event subscription, and so on.

The following sections describe how to manage permissions for Amazon Redshift. We recommend that you read the overview first.
+ [Overview of managing access permissions to your Amazon Redshift resources](redshift-iam-access-control-overview.md)
+  [Using identity-based policies (IAM policies) for Amazon Redshift](redshift-iam-access-control-identity-based.md) 

# Overview of managing access permissions to your Amazon Redshift resources
<a name="redshift-iam-access-control-overview"></a>

Every AWS resource is owned by an AWS account, and permissions to create or access the resources are governed by permissions policies. An account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles), and some services (such as AWS Lambda) also support attaching permissions policies to resources.

**Note**  
An *account administrator* (or administrator user) is a user with administrator privileges. For more information, see [IAM best practices](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.

When granting permissions, you decide who is getting the permissions, which resources they get permissions for, and the specific actions that you want to allow on those resources. 

## Amazon Redshift resources and operations
<a name="redshift-iam-accesscontrol.actions-and-resources"></a>

Amazon Redshift provides service-specific resources, actions, and condition context keys for use in IAM permission policies.

### Amazon Redshift, Amazon Redshift Serverless, Amazon Redshift Data API, and Amazon Redshift query editor v2 access permissions
<a name="redshift-policy-resources.resource-permissions"></a>

When you set up [Access control](redshift-iam-authentication-access-control.md#redshift-iam-accesscontrol), you write permission policies that you can attach to an IAM identity (identity-based policies). For detailed reference information, see the following topics in the *Service Authorization Reference*:
+ For Amazon Redshift, see [Actions, resources, and condition keys for Amazon Redshift](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonredshift.html) that use the `redshift:` prefix.
+ For Amazon Redshift Serverless, see [Actions, resources, and condition keys for Amazon Redshift Serverless](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonredshiftserverless.html) that use the `redshift-serverless:` prefix.
+ For Amazon Redshift Data API, see [Actions, resources, and condition keys for Amazon Redshift Data API](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonredshiftdataapi.html) that use the `redshift-data:` prefix.
+ For Amazon Redshift query editor v2, see [Actions, resources, and condition keys for AWS SQL Workbench (Amazon Redshift query editor v2)](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssqlworkbench.html) that use the `sqlworkbench:` prefix.

  The query editor v2 includes permission-only actions that don't directly correspond to an API operation. These actions are indicated in the *Service Authorization Reference* with `[permission only]`.

The *Service Authorization Reference* contains information about which API operations can be used in an IAM policy. It also includes the AWS resource for which you can grant the permissions, and condition keys that you can include for fine-grained access control. For more information about conditions, see [Using IAM policy conditions for fine-grained access control](#redshift-policy-resources.conditions). 

You specify the actions in the policy's `Action` field, the resource value in the policy's `Resource` field, and conditions in the policy's `Condition` field. To specify an action for Amazon Redshift, use the `redshift:` prefix followed by the API operation name (for example, `redshift:CreateCluster`).

## Understanding resource ownership
<a name="redshift-iam-access-control-resource-ownership"></a>

A *resource owner* is the AWS account that created a resource. That is, the resource owner is the AWS account of the *principal entity* (the root account, an IAM user, or an IAM role) that authenticates the request that creates the resource. The following examples illustrate how this works:
+ If you use the root account credentials of your AWS account to create a DB cluster, your AWS account is the owner of the Amazon Redshift resource.
+ If you create an IAM role in your AWS account with permissions to create Amazon Redshift resources, anyone who can assume the role can create Amazon Redshift resources. Your AWS account, to which the role belongs, owns the Amazon Redshift resources. 
+ If you create an IAM user in your AWS account and grant permissions to create Amazon Redshift resources to that user, the user can create Amazon Redshift resources. However, your AWS account, to which the user belongs, owns the Amazon Redshift resources. In most cases this method isn't recommended. We recommend creating an IAM role and attaching permissions to the role, then assigning the role to a user.

## Managing access to resources
<a name="redshift-iam-accesscontrol-managingaccess"></a>

A *permissions policy* describes who has access to what. The following section explains the available options for creating permissions policies.

**Note**  
This section discusses using IAM in the context of Amazon Redshift. It doesn't provide detailed information about the IAM service. For complete IAM documentation, see [What is IAM?](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) in the *IAM User Guide*. For information about IAM policy syntax and descriptions, see [AWS IAM policy reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

Policies attached to an IAM identity are referred to as *identity-based* policies (IAM policies) and policies attached to a resource are referred to as *resource-based* policies. Amazon Redshift supports only identity-based policies (IAM policies).

### Identity-based policies (IAM policies)
<a name="redshift-iam-manage-access-identity-based"></a>

You can assign permissions by attaching policies to an IAM role and then assigning that role to a user or group. The following is an example policy that contains permissions to create, delete, modify, and reboot Amazon Redshift clusters for your AWS account.

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Sid":"AllowManageClusters",
      "Effect":"Allow",
      "Action": [
        "redshift:CreateCluster",
        "redshift:DeleteCluster",
        "redshift:ModifyCluster",
        "redshift:RebootCluster"
      ],
      "Resource":"*"
    }
  ]
}
```

For more information about using identity-based policies with Amazon Redshift, see [Using identity-based policies (IAM policies) for Amazon Redshift](redshift-iam-access-control-identity-based.md). For more information about users, groups, roles, and permissions, see [Identities (users, groups, and roles)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html) in the *IAM User Guide*. 

### Resource-based policies
<a name="redshift-iam-access-control-resource-based"></a>

Other services, such as Amazon S3, also support resource-based permissions policies. For example, you can attach a policy to an S3 bucket to manage access permissions to that bucket. Amazon Redshift doesn't support resource-based policies. 

## Specifying policy elements: Actions, effects, resources, and principals
<a name="redshift-iam-access-control-specify-actions"></a>

For each Amazon Redshift resource (see [Amazon Redshift resources and operations](#redshift-iam-accesscontrol.actions-and-resources)), the service defines a set of API operations (see [Actions](https://docs.aws.amazon.com/redshift/latest/APIReference/API_Operations.html)). To grant permissions for these API operations, Amazon Redshift defines a set of actions that you can specify in a policy. Performing an API operation can require permissions for more than one action. 

The following are the basic policy elements:
+ **Resource** – In a policy, you use an Amazon Resource Name (ARN) to identify the resource to which the policy applies. For more information, see [Amazon Redshift resources and operations](#redshift-iam-accesscontrol.actions-and-resources). 
+ **Action** – You use action keywords to identify resource operations that you want to allow or deny. For example, the `redshift:DescribeClusters` permission allows the user permissions to perform the Amazon Redshift `DescribeClusters` operation. 
+ **Effect** – You specify the effect when the user requests the specific action—this can be either allow or deny. If you don't explicitly grant access to (allow) a resource, access is implicitly denied. You can also explicitly deny access to a resource, which you might do to make sure that a user cannot access it, even if a different policy grants access.
+ **Principal** – In identity-based policies (IAM policies), the user that the policy is attached to is the implicit principal. For resource-based policies, you specify the user, account, service, or other entity that you want to receive permissions (applies to resource-based policies only). Amazon Redshift doesn't support resource-based policies.

To learn more about IAM policy syntax and descriptions, see [AWS IAM policy reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) in the *IAM User Guide*.

For a table showing all of the Amazon Redshift API actions and the resources that they apply to, see [Amazon Redshift, Amazon Redshift Serverless, Amazon Redshift Data API, and Amazon Redshift query editor v2 access permissions](#redshift-policy-resources.resource-permissions). 

## Specifying conditions in a policy
<a name="redshift-policy-resources.specifying-conditions"></a>

When you grant permissions, you can use the access policy language to specify the conditions when a policy should take effect. For example, you might want a policy to be applied only after a specific date. For more information about specifying conditions in an access policy language, see [IAM JSON policy elements: Condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html) in the *IAM User Guide*.

To identify conditions where a permissions policy applies, include a `Condition` element in your IAM permissions policy. For example, you can create a policy that permits a user to create a cluster using the `redshift:CreateCluster` action, and you can add a `Condition` element to restrict that user to only create the cluster in a specific region. For details, see [Using IAM policy conditions for fine-grained access control](#redshift-policy-resources.conditions). For a list showing all of condition key values and the Amazon Redshift actions and resources that they apply to, see [Amazon Redshift, Amazon Redshift Serverless, Amazon Redshift Data API, and Amazon Redshift query editor v2 access permissions](#redshift-policy-resources.resource-permissions).

### Using IAM policy conditions for fine-grained access control
<a name="redshift-policy-resources.conditions"></a>

In Amazon Redshift, you can use condition keys to restrict access to resources based on the tags for those resources. The following are common Amazon Redshift condition keys.


| Condition key | Description | 
| --- | --- | 
| `aws:RequestTag` | Requires users to include a tag key (name) and value whenever they create a resource. For more information, see [aws:RequestTag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-requesttag) in the *IAM User Guide*.  | 
| `aws:ResourceTag` | Restricts user access to resources based on specific tag keys and values. For more information, see [aws:ResourceTag](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-resourcetag) in the *IAM User Guide*.  | 
| `aws:TagKeys` | Use this key to compare the tag keys in a request with the keys that you specify in the policy. For more information, see [aws:TagKeys](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-tagkeys) in the *IAM User Guide*.  | 

For information on tags, see [Tag resources in Amazon Redshift](amazon-redshift-tagging.md).

For a list of the API actions that support the `redshift:RequestTag` and `redshift:ResourceTag` condition keys, see [Amazon Redshift, Amazon Redshift Serverless, Amazon Redshift Data API, and Amazon Redshift query editor v2 access permissions](#redshift-policy-resources.resource-permissions).

The following condition keys can be used with the Amazon Redshift `GetClusterCredentials` action.


| Condition key | Description | 
| --- | --- | 
| `redshift:DurationSeconds` | Limits the number of seconds that can be specified for duration.  | 
| `redshift:DbName` | Restricts database names that can be specified. | 
| `redshift:DbUser` | Restricts database user names that can be specified. | 

#### Example 1: Restricting access by using the aws:ResourceTag condition key
<a name="redshift-policy-resources.resource-permissions-example1"></a>

Use the following IAM policy to let a user modify an Amazon Redshift cluster only for a specific AWS account in the `us-west-2` region with a tag named `environment` with a tag value of `test`.

```
{
    "Version":"2012-10-17",
    "Statement": {
        "Sid":"AllowModifyTestCluster",
        "Effect": "Allow",
        "Action": "redshift:ModifyCluster",
        "Resource": "arn:aws:redshift:us-west-2:123456789012:cluster:*",
        "Condition": {
            "StringEquals": {
                "aws:ResourceTag/environment": "test"
            }
        }
    }
}
```

#### Example 2: Restricting access by using the aws:RequestTag condition key
<a name="redshift-policy-resources.resource-permissions-example2"></a>

Use the following IAM policy to let a user create an Amazon Redshift cluster only if the command to create the cluster includes a tag named `usage` and a tag value of `production`. The condition with `aws:TagKeys` and the `ForAllValues` modifier specifies that only the keys `costcenter` and `usage` can be specified in the request.

```
{
    "Version":"2012-10-17",
    "Statement": {
        "Sid":"AllowCreateProductionCluster",
        "Effect": "Allow",
        "Action": [
            "redshift:CreateCluster",
            "redshift:CreateTags"
        ],
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "aws:RequestTag/usage": "production"
            },
            "ForAllValues:StringEquals": {
                "aws:TagKeys": [
                    "costcenter",
                    "usage"
                ]
            }
        }
    }
}
```

# Using identity-based policies (IAM policies) for Amazon Redshift
<a name="redshift-iam-access-control-identity-based"></a>

This topic provides examples of identity-based policies in which an account administrator can attach permissions policies to IAM identities (that is, users, groups, and roles). 

**Important**  
We recommend that you first review the introductory topics that explain the basic concepts and options available for you to manage access to your Amazon Redshift resources. For more information, see [Overview of managing access permissions to your Amazon Redshift resources](redshift-iam-access-control-overview.md).

The following shows an example of a permissions policy. The policy allows a user to create, delete, modify, and reboot all clusters, and then denies permission to delete or modify any clusters where the cluster identifier starts with `production` in AWS Region `us-west-2` and AWS account `123456789012`.

```
{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Sid":"AllowClusterManagement",
      "Action": [
        "redshift:CreateCluster",
        "redshift:DeleteCluster",
        "redshift:ModifyCluster",
        "redshift:RebootCluster"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Sid":"DenyDeleteModifyProtected",
      "Action": [
        "redshift:DeleteCluster",
        "redshift:ModifyCluster"
      ],
      "Resource": [
        "arn:aws:redshift:us-west-2:123456789012:cluster:production*"
      ],
      "Effect": "Deny"
    }
  ]
}
```

The policy has two statements: 
+ The first statement grants permissions for a user to create, delete, modify, and reboot clusters. The statement specifies a wildcard character (`*`) as the `Resource` value so that the policy applies to all Amazon Redshift resources owned by the root AWS account. 
+ The second statement denies permission to delete or modify a cluster. The statement specifies a cluster Amazon Resource Name (ARN) for the `Resource` value that includes a wildcard character (`*`). As a result, this statement applies to all Amazon Redshift clusters owned by the root AWS account where the cluster identifier begins with `production`.
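The evaluation rules described under "Specifying policy elements", "Specifying conditions in a policy", the two tag-based examples, and the two-statement policy above can be exercised with a small evaluator. The following Python code is an added example (not AWS code and not how IAM is implemented): it models explicit deny over allow, implicit deny, wildcard `Action`/`Resource` matching, and `StringEquals`/`ArnLike`/`NumericLessThanEquals` with the `ForAllValues`/`ForAnyValue` set modifiers, which also covers the `GetClusterCredentials` keys from the condition table. `NotAction`, `NotResource`, negated operators, and policy variables are deliberately left out.

```python
"""Simplified IAM policy evaluator (added example, not AWS code).
Models the rules described on this page: explicit Deny wins over Allow, a request
with no matching Allow is implicitly denied, '*' in Action/Resource is a wildcard,
and Condition blocks use StringEquals / ArnLike / NumericLessThanEquals with the
ForAllValues / ForAnyValue set modifiers. NotAction, NotResource, negated
operators and policy variables are deliberately not modelled."""
import fnmatch

# Two-statement policy from the page: manage clusters, but never delete/modify production-*.
CLUSTER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowClusterManagement", "Effect": "Allow",
         "Action": ["redshift:CreateCluster", "redshift:DeleteCluster",
                    "redshift:ModifyCluster", "redshift:RebootCluster"],
         "Resource": ["*"]},
        {"Sid": "DenyDeleteModifyProtected", "Effect": "Deny",
         "Action": ["redshift:DeleteCluster", "redshift:ModifyCluster"],
         "Resource": ["arn:aws:redshift:us-west-2:123456789012:cluster:production*"]},
    ],
}

# Example 2 from the page: create only with usage=production and no tag keys beyond costcenter/usage.
TAG_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "AllowCreateProductionCluster", "Effect": "Allow",
        "Action": ["redshift:CreateCluster", "redshift:CreateTags"],
        "Resource": "*",
        "Condition": {
            "StringEquals": {"aws:RequestTag/usage": "production"},
            "ForAllValues:StringEquals": {"aws:TagKeys": ["costcenter", "usage"]},
        },
    },
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _op_match(op, pattern, value):
    """Apply one condition operator to one request value."""
    if op in ("StringEquals", "ArnEquals"):
        return pattern == value
    if op in ("StringLike", "ArnLike"):           # '*' and '?' wildcards
        return fnmatch.fnmatchcase(value, pattern)
    if op == "NumericLessThanEquals":             # e.g. redshift:DurationSeconds
        return int(value) <= int(pattern)
    raise ValueError(f"operator not modelled: {op}")


def _condition_holds(condition, context):
    """True when every (operator, key) pair in the Condition block is satisfied."""
    ctx = {k.lower(): [str(x) for x in _as_list(v)] for k, v in context.items()}
    for full_op, pairs in (condition or {}).items():
        modifier, _, op = full_op.rpartition(":")
        for key, patterns in pairs.items():
            patterns = [str(p) for p in _as_list(patterns)]
            values = ctx.get(key.lower(), [])
            hits = [any(_op_match(op, p, v) for p in patterns) for v in values]
            if modifier == "ForAllValues":
                if not all(hits):                 # an absent key is vacuously true
                    return False
            elif not values or not any(hits):     # ForAnyValue and single-valued keys
                return False
    return True


def _statement_applies(stmt, action, resource, context):
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources)
            and _condition_holds(stmt.get("Condition"), context))


def evaluate(policies, action, resource, context=None):
    """Return 'explicit deny', 'allow' or 'implicit deny' for one request."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit deny"            # Deny wins regardless of statement order
            allowed = True
    return "allow" if allowed else "implicit deny"


if __name__ == "__main__":
    prod = "arn:aws:redshift:us-west-2:123456789012:cluster:production-dw"
    print(evaluate([CLUSTER_POLICY], "redshift:DeleteCluster", prod))  # explicit deny
    print(evaluate([CLUSTER_POLICY], "redshift:RebootCluster", prod))  # allow
    print(evaluate([TAG_POLICY], "redshift:CreateCluster", "*",
                   {"aws:RequestTag/usage": "production", "aws:TagKeys": ["usage", "owner"]}))  # implicit deny
```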

## AWS managed policies for Amazon Redshift
<a name="redshift-policy-resources.managed-policies"></a>

AWS addresses many common use cases by providing standalone IAM policies that are created and administered by AWS. Managed policies grant necessary permissions for common use cases so you can avoid having to investigate what permissions are needed. For more information, see [AWS managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

You can also create your own custom IAM policies to allow permissions for Amazon Redshift API operations and resources. You can attach these custom policies to the IAM roles or groups that require those permissions. 

The following sections describe AWS managed policies, which you can attach to users in your account, and are specific to Amazon Redshift.

## Amazon Redshift updates to AWS managed policies
<a name="security-iam-awsmanpol-updates"></a>

View details about updates to AWS managed policies for Amazon Redshift since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon Redshift Document history page.

| Change | Description | Date | 
| --- | --- | --- | 
|  [AmazonRedshiftFederatedAuthorization](#redshift-policy-managed-policies-federated-authorization) – New policy  |   Amazon Redshift added a new ease-of-use policy for running queries with Amazon Redshift Federated Authorization.   | November 21, 2025 | 
|  [AmazonRedshiftServiceLinkedRolePolicy](#redshift-policy-managed-policies-service-linked-role-policy) – Update to an existing policy  |   Permission for the action `lakeformation:GetDataAccess` is added to the managed policy. Adding it grants permission to get federated catalog information from AWS Lake Formation.  Additional conditions for the actions `glue:GetCatalog` and `glue:GetCatalogs` are added to the managed policy.   | March 13, 2025 | 
|  [AmazonRedshiftServiceLinkedRolePolicy](#redshift-policy-managed-policies-service-linked-role-policy) – Update to an existing policy  |   Permission for the actions `glue:GetCatalog` and `glue:GetCatalogs` are added to the managed policy. Adding them grants permission to get catalog information from AWS Glue.  | December 3, 2024 | 
|  [AmazonRedshiftServiceLinkedRolePolicy](#redshift-policy-managed-policies-service-linked-role-policy) – Update to an existing policy  |  Permission for the action `servicequotas:GetServiceQuota` is added to the managed policy. This gives permission to access quotas or limits.  | March 8, 2024 | 
|  [AmazonRedshiftQueryEditorV2FullAccess](#redshift-policy-managed-policies-query-editor-V2) – Update to an existing policy  |  Permission for the actions `redshift-serverless:ListNamespaces` and `redshift-serverless:ListWorkgroups` are added to the managed policy. Adding them grants permission to list serverless namespaces and serverless workgroups in the Amazon Redshift data warehouse.  | February 21, 2024 | 
|  [AmazonRedshiftQueryEditorV2NoSharing](#redshift-policy-managed-policies-query-editor-V2-no-sharing) – Update to an existing policy  |  Permission for the actions `redshift-serverless:ListNamespaces` and `redshift-serverless:ListWorkgroups` are added to the managed policy. Adding them grants permission to list serverless namespaces and serverless workgroups in the Amazon Redshift data warehouse.  | February 21, 2024 | 
|  [AmazonRedshiftQueryEditorV2ReadSharing](#redshift-policy-managed-policies-query-editor-V2-read-sharing) – Update to an existing policy  |  Permission for the actions `redshift-serverless:ListNamespaces` and `redshift-serverless:ListWorkgroups` are added to the managed policy. Adding them grants permission to list serverless namespaces and serverless workgroups in the Amazon Redshift data warehouse.  | February 21, 2024 | 
|  [AmazonRedshiftQueryEditorV2ReadWriteSharing](#redshift-policy-managed-policies-query-editor-V2-write-sharing) – Update to an existing policy  |  Permission for the actions `redshift-serverless:ListNamespaces` and `redshift-serverless:ListWorkgroups` are added to the managed policy. Adding them grants permission to list serverless namespaces and serverless workgroups in the Amazon Redshift data warehouse.  | February 21, 2024 | 
|  [AmazonRedshiftReadOnlyAccess](#redshift-policy-managed-policies-read-only) – Update to an existing policy  |  Permission for the action `redshift:ListRecommendations` is added to the managed policy. This grants permission to list Amazon Redshift Advisor recommendations.  | February 7, 2024 | 
|  [AmazonRedshiftServiceLinkedRolePolicy](#redshift-policy-managed-policies-service-linked-role-policy) – Update to an existing policy  |  Permission for the actions `ec2:AssignIpv6Addresses` and `ec2:UnassignIpv6Addresses` are added to the managed policy. Adding them grants permission to assign and unassign IP addresses.  | October 31, 2023 | 
|  [AmazonRedshiftQueryEditorV2NoSharing](#redshift-policy-managed-policies-query-editor-V2-no-sharing) – Update to an existing policy  |  Permission for the actions `sqlworkbench:GetAutocompletionMetadata` and `sqlworkbench:GetAutocompletionResource` are added to the managed policy. Adding them grants permission to generate and retrieve database information for auto-completion of SQL while editing queries.  | August 16, 2023 | 
|  [AmazonRedshiftQueryEditorV2ReadSharing](#redshift-policy-managed-policies-query-editor-V2-read-sharing) – Update to an existing policy  |  Permission for the actions `sqlworkbench:GetAutocompletionMetadata` and `sqlworkbench:GetAutocompletionResource` are added to the managed policy. Adding them grants permission to generate and retrieve database information for auto-completion of SQL while editing queries.  | August 16, 2023 | 
|  [AmazonRedshiftQueryEditorV2ReadWriteSharing](#redshift-policy-managed-policies-query-editor-V2-write-sharing) – Update to an existing policy  |  Permission for the actions `sqlworkbench:GetAutocompletionMetadata` and `sqlworkbench:GetAutocompletionResource` are added to the managed policy. Adding them grants permission to generate and retrieve database information for auto-completion of SQL while editing queries.  | August 16, 2023 | 
|  [AmazonRedshiftServiceLinkedRolePolicy](#redshift-policy-managed-policies-service-linked-role-policy) – Update to an existing policy  |  Permissions for actions on AWS Secrets Manager to create and manage secrets are added to the managed policy. Added permissions are the following: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-identity-based.html)  | August 14, 2023 | 
|  [AmazonRedshiftServiceLinkedRolePolicy](#redshift-policy-managed-policies-service-linked-role-policy) – Update to an existing policy  |  Permissions for actions on Amazon EC2 to create and manage security groups and routing rules are removed from the managed policy. These permissions pertained to creating subnets and VPCs. Removed permissions are the following: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-identity-based.html) These were associated with the Purpose:RedshiftMigrateToVpc resource tag. The tag limited the scope of permissions to tasks for Amazon EC2 Classic to Amazon EC2 VPC migration. For more information about resource tags, see [Controlling access to AWS resources using tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html).  | May 08, 2023 | 
|  [AmazonRedshiftDataFullAccess](#redshift-policy-managed-policies-data-full-access) – Update to an existing policy  |  Permission for the action `redshift:GetClusterCredentialsWithIAM` is added to the managed policy. Adding it grants permission to get enhanced temporary credentials to access an Amazon Redshift database by the specified AWS account.  | April 7, 2023 | 
|  [AmazonRedshiftServiceLinkedRolePolicy](#redshift-policy-managed-policies-service-linked-role-policy) – Update to an existing policy  |  Permissions for actions on Amazon EC2 to create and manage security group rules are added to the managed policy. These security groups and rules are specifically associated with the Amazon Redshift `aws:RequestTag/Redshift` resource tag, which limits the scope of the permissions to specific Amazon Redshift resources.  | April 06, 2023 | 
|  [AmazonRedshiftQueryEditorV2NoSharing](#redshift-policy-managed-policies-query-editor-V2-no-sharing) – Update to an existing policy  |  Permission for the action `sqlworkbench:GetSchemaInference` is added to the managed policy. Adding it grants permission to get the columns and data types inferred from a file.  | March 21, 2023 | 
|  [AmazonRedshiftQueryEditorV2ReadSharing](#redshift-policy-managed-policies-query-editor-V2-read-sharing) – Update to an existing policy  |  Permission for the action `sqlworkbench:GetSchemaInference` is added to the managed policy. Adding it grants permission to get the columns and data types inferred from a file.  | March 21, 2023 | 
|  [AmazonRedshiftQueryEditorV2ReadWriteSharing](#redshift-policy-managed-policies-query-editor-V2-write-sharing) – Update to an existing policy  |  Permission for the action `sqlworkbench:GetSchemaInference` is added to the managed policy. Adding it grants permission to get the columns and data types inferred from a file.  | March 21, 2023 | 
|  [AmazonRedshiftQueryEditorV2NoSharing](#redshift-policy-managed-policies-query-editor-V2-no-sharing) – Update to an existing policy  |  Permission for the action `sqlworkbench:AssociateNotebookWithTab` is added to the managed policy. Adding it grants permission to create and update tabs linked to a user's own notebook.  | February 2, 2023 | 
|  [AmazonRedshiftQueryEditorV2ReadSharing](#redshift-policy-managed-policies-query-editor-V2-read-sharing) – Update to an existing policy  |  Permission for the action `sqlworkbench:AssociateNotebookWithTab` is added to the managed policy. Adding it grants permission to create and update tabs linked to a user's own notebook or to a notebook that is shared with them.  | February 2, 2023 | 
|  [AmazonRedshiftQueryEditorV2ReadWriteSharing](#redshift-policy-managed-policies-query-editor-V2-write-sharing) – Update to an existing policy  |  Permission for the action `sqlworkbench:AssociateNotebookWithTab` is added to the managed policy. Adding it grants permission to create and update tabs linked to a user's own notebook or to a notebook that is shared with them.  | February 2, 2023 | 
|  [AmazonRedshiftQueryEditorV2NoSharing](#redshift-policy-managed-policies-query-editor-V2-no-sharing) – Update to an existing policy  |  To grant permission to use notebooks, Amazon Redshift added permission for the following actions: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-identity-based.html)  | October 17, 2022 | 
|  [AmazonRedshiftQueryEditorV2ReadSharing](#redshift-policy-managed-policies-query-editor-V2-read-sharing) – Update to an existing policy  |  To grant permission to use notebooks, Amazon Redshift added permission for the following actions: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-identity-based.html)  | October 17, 2022 | 
|  [AmazonRedshiftQueryEditorV2ReadWriteSharing](#redshift-policy-managed-policies-query-editor-V2-write-sharing) – Update to an existing policy  |  To grant permission to use notebooks, Amazon Redshift added permission for the following actions: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-identity-based.html)  | October 17, 2022 | 
|  [AmazonRedshiftServiceLinkedRolePolicy](#redshift-policy-managed-policies-service-linked-role-policy) – Update to an existing policy  |  Amazon Redshift added the namespace `AWS/Redshift` to allow publishing metrics to CloudWatch.  | September 7, 2022 | 
|  [AmazonRedshiftQueryEditorV2NoSharing](#redshift-policy-managed-policies-query-editor-V2-no-sharing) – Update to an existing policy  |  Amazon Redshift added permission to the actions `sqlworkbench:ListQueryExecutionHistory` and `sqlworkbench:GetQueryExecutionHistory`. This grants permission to see query history.  | August 30, 2022 | 
|  [AmazonRedshiftQueryEditorV2ReadSharing](#redshift-policy-managed-policies-query-editor-V2-read-sharing) – Update to an existing policy  |  Amazon Redshift added permission to the actions `sqlworkbench:ListQueryExecutionHistory` and `sqlworkbench:GetQueryExecutionHistory`. This grants permission to see query history.  | August 30, 2022 | 
|  [AmazonRedshiftQueryEditorV2ReadWriteSharing](#redshift-policy-managed-policies-query-editor-V2-write-sharing) – Update to an existing policy  |  Amazon Redshift added permission to the actions `sqlworkbench:ListQueryExecutionHistory` and `sqlworkbench:GetQueryExecutionHistory`. This grants permission to see query history.  | August 30, 2022 | 
|  [AmazonRedshiftFullAccess](#redshift-policy-managed-policies-full-access) – Update to an existing policy  |  Permissions for Amazon Redshift Serverless are added to the existing AmazonRedshiftFullAccess managed policy.  | July 22, 2022 | 
|  [AmazonRedshiftDataFullAccess](#redshift-policy-managed-policies-data-full-access) – Update to an existing policy  |  Amazon Redshift changed the default scoping condition on the `redshift-serverless:GetCredentials` permission, which keys on the `aws:ResourceTag/RedshiftDataFullAccess` tag, from `StringEquals` to `StringLike`. This grants access to resources tagged with the tag key `RedshiftDataFullAccess` and any tag value.  | July 11, 2022 | 
|  [AmazonRedshiftDataFullAccess](#redshift-policy-managed-policies-data-full-access) – Update to an existing policy  |  Amazon Redshift added new permissions to allow redshift-serverless:GetCredentials for temporary credentials to Amazon Redshift Serverless.  | July 8, 2022 | 
|  [AmazonRedshiftQueryEditorV2NoSharing](#redshift-policy-managed-policies-query-editor-V2-no-sharing) – Update to an existing policy  |  Amazon Redshift added permission to the action `sqlworkbench:GetAccountSettings`. This grants permission to get account settings.  | June 15, 2022 | 
|  [AmazonRedshiftQueryEditorV2ReadSharing](#redshift-policy-managed-policies-query-editor-V2-read-sharing) – Update to an existing policy  |  Amazon Redshift added permission to the action `sqlworkbench:GetAccountSettings`. This grants permission to get account settings.  | June 15, 2022 | 
|  [AmazonRedshiftQueryEditorV2ReadWriteSharing](#redshift-policy-managed-policies-query-editor-V2-write-sharing) – Update to an existing policy  |  Amazon Redshift added permission to the action `sqlworkbench:GetAccountSettings`. This grants permission to get account settings.  | June 15, 2022 | 
|  [AmazonRedshiftServiceLinkedRolePolicy](#redshift-policy-managed-policies-service-linked-role-policy) – Update to an existing policy  |  To enable public access to new Amazon Redshift Serverless endpoints, Amazon Redshift allocates and associates Elastic IP addresses to the VPC endpoint's Elastic network interface in the customer account. It does this via permissions provided through the service linked role. To enable this use case, actions to allocate and release an Elastic IP address are added to the Amazon Redshift Serverless service linked role.   | May 26, 2022 | 
|  [AmazonRedshiftQueryEditorV2FullAccess](#redshift-policy-managed-policies-query-editor-V2) – Update to an existing policy  |  Permission for the action `sqlworkbench:ListTaggedResources` is added to the managed policy. It is scoped specifically to Amazon Redshift query editor v2 resources. This policy update grants the right to call `tag:GetResources` only through query editor v2.  | February 22, 2022 | 
|  [AmazonRedshiftQueryEditorV2NoSharing](#redshift-policy-managed-policies-query-editor-V2-no-sharing) – Update to an existing policy  |  Permission for the action `sqlworkbench:ListTaggedResources` is added to the managed policy. It is scoped specifically to Amazon Redshift query editor v2 resources. This policy update grants the right to call `tag:GetResources` only through query editor v2.  | February 22, 2022 | 
|  [AmazonRedshiftQueryEditorV2ReadSharing](#redshift-policy-managed-policies-query-editor-V2-read-sharing) – Update to an existing policy  |  Permission for the action `sqlworkbench:ListTaggedResources` is added to the managed policy. It is scoped specifically to Amazon Redshift query editor v2 resources. This policy update grants the right to call `tag:GetResources` only through query editor v2.  | February 22, 2022 | 
|  [AmazonRedshiftQueryEditorV2ReadWriteSharing](#redshift-policy-managed-policies-query-editor-V2-write-sharing) – Update to an existing policy  |  Permission for the action `sqlworkbench:ListTaggedResources` is added to the managed policy. It is scoped specifically to Amazon Redshift query editor v2 resources. This policy update grants the right to call `tag:GetResources` only through query editor v2.  | February 22, 2022 | 
|  [AmazonRedshiftQueryEditorV2ReadSharing](#redshift-policy-managed-policies-query-editor-V2-read-sharing) – Update to an existing policy  |  Permission for the action `sqlworkbench:AssociateQueryWithTab` is added to the managed policy. Adding it allows customers to create editor tabs linked to a query that is shared with them.  | February 22, 2022 | 
|  [AmazonRedshiftServiceLinkedRolePolicy](#redshift-policy-managed-policies-service-linked-role-policy) – Update to an existing policy  |  Amazon Redshift added permissions for new actions to allow management of Amazon Redshift network and VPC resources.  | November 22, 2021 | 
|  [AmazonRedshiftAllCommandsFullAccess](#redshift-policy-managed-policies-service-linked-role-commands) – New policy  |  Amazon Redshift added a new policy to allow using the IAM role created from the Amazon Redshift console and set it as default for the cluster to run the COPY from Amazon S3, UNLOAD, CREATE EXTERNAL SCHEMA, CREATE EXTERNAL FUNCTION, CREATE MODEL, or CREATE LIBRARY commands.  | November 18, 2021 | 
|  [AmazonRedshiftServiceLinkedRolePolicy](#redshift-policy-managed-policies-service-linked-role-policy) – Update to an existing policy  |  Amazon Redshift added permissions for new actions to allow management of Amazon Redshift CloudWatch log groups and log streams, including audit-log export.  | November 15, 2021 | 
|  [AmazonRedshiftFullAccess](#redshift-policy-managed-policies-full-access) – Update to an existing policy  |  Amazon Redshift added new permissions to allow model explainability, DynamoDB, Redshift Spectrum, and Amazon RDS federation.  | October 07, 2021 | 
|  [AmazonRedshiftQueryEditorV2FullAccess](#redshift-policy-managed-policies-query-editor-V2) – New policy  |  Amazon Redshift added a new policy to allow full access to Amazon Redshift query editor v2.  | September 24, 2021 | 
|  [AmazonRedshiftQueryEditorV2NoSharing](#redshift-policy-managed-policies-query-editor-V2-no-sharing) – New policy  |  Amazon Redshift added a new policy to allow using Amazon Redshift query editor v2 without sharing resources.  | September 24, 2021 | 
|  [AmazonRedshiftQueryEditorV2ReadSharing](#redshift-policy-managed-policies-query-editor-V2-read-sharing) – New policy  |  Amazon Redshift added a new policy to allow read sharing within Amazon Redshift query editor v2.  | September 24, 2021 | 
|  [AmazonRedshiftQueryEditorV2ReadWriteSharing](#redshift-policy-managed-policies-query-editor-V2-write-sharing) – New policy  |  Amazon Redshift added a new policy to allow read and update sharing within Amazon Redshift query editor v2.  | September 24, 2021 | 
|  [AmazonRedshiftFullAccess](#redshift-policy-managed-policies-full-access) – Update to an existing policy  |  Amazon Redshift added new permissions to allow `sagemaker:*Job*`.  | August 18, 2021 | 
|  [AmazonRedshiftDataFullAccess](#redshift-policy-managed-policies-data-full-access) – Update to an existing policy  |  Amazon Redshift added new permissions to allow `AuthorizeDataShare`.  | August 12, 2021 | 
|  [AmazonRedshiftDataFullAccess](#redshift-policy-managed-policies-data-full-access) – Update to an existing policy  |  Amazon Redshift added new permissions to allow `BatchExecuteStatement`.  | July 27, 2021 | 
|  Amazon Redshift started tracking changes  |  Amazon Redshift started tracking changes for its AWS managed policies.  | July 27, 2021 | 

## AmazonRedshiftReadOnlyAccess
<a name="redshift-policy-managed-policies-read-only"></a>

Grants read-only access to all Amazon Redshift resources for an AWS account.

You can find the [AmazonRedshiftReadOnlyAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonRedshiftReadOnlyAccess) policy on the IAM console and [AmazonRedshiftReadOnlyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonRedshiftReadOnlyAccess.html) in the *AWS Managed Policy Reference Guide*.

## AmazonRedshiftFullAccess
<a name="redshift-policy-managed-policies-full-access"></a>

Grants full access to all Amazon Redshift resources for an AWS account. Additionally, this policy grants full access to all Amazon Redshift Serverless resources.

You can find the [AmazonRedshiftFullAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonRedshiftFullAccess) policy on the IAM console and [AmazonRedshiftFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonRedshiftFullAccess.html) in the *AWS Managed Policy Reference Guide*.

## AmazonRedshiftQueryEditor
<a name="redshift-policy-managed-policies-query-editor"></a>

Grants full access to the query editor on the Amazon Redshift console.

You can find the [AmazonRedshiftQueryEditor](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonRedshiftQueryEditor) policy on the IAM console and [AmazonRedshiftQueryEditor](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonRedshiftQueryEditor.html) in the *AWS Managed Policy Reference Guide*.

## AmazonRedshiftDataFullAccess
<a name="redshift-policy-managed-policies-data-full-access"></a>

Grants full access to the Amazon Redshift Data API operations and resources for an AWS account. 

You can find the [AmazonRedshiftDataFullAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonRedshiftDataFullAccess) policy on the IAM console and [AmazonRedshiftDataFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonRedshiftDataFullAccess.html) in the *AWS Managed Policy Reference Guide*.

## AmazonRedshiftQueryEditorV2FullAccess
<a name="redshift-policy-managed-policies-query-editor-V2"></a>

Grants full access to the Amazon Redshift query editor v2 operations and resources. This policy also grants access to other required services.

You can find the [AmazonRedshiftQueryEditorV2FullAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonRedshiftQueryEditorV2FullAccess) policy on the IAM console and [AmazonRedshiftQueryEditorV2FullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonRedshiftQueryEditorV2FullAccess.html) in the *AWS Managed Policy Reference Guide*.

## AmazonRedshiftQueryEditorV2NoSharing
<a name="redshift-policy-managed-policies-query-editor-V2-no-sharing"></a>

Grants the ability to work with Amazon Redshift query editor v2 without sharing resources. This policy also grants access to other required services. The principal using this policy can't tag its resources (such as queries) to share them with other principals in the same AWS account. 

You can find the [AmazonRedshiftQueryEditorV2NoSharing](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonRedshiftQueryEditorV2NoSharing) policy on the IAM console and [AmazonRedshiftQueryEditorV2NoSharing](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonRedshiftQueryEditorV2NoSharing.html) in the *AWS Managed Policy Reference Guide*.

## AmazonRedshiftQueryEditorV2ReadSharing
<a name="redshift-policy-managed-policies-query-editor-V2-read-sharing"></a>

Grants the ability to work with Amazon Redshift query editor v2 with limited sharing of resources. This policy also grants access to other required services. The principal using this policy can tag its resources (such as queries) to share them with other principals in the same AWS account. The granted principal can read the resources shared with its team but can't update them. 

You can find the [AmazonRedshiftQueryEditorV2ReadSharing](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonRedshiftQueryEditorV2ReadSharing) policy on the IAM console and [AmazonRedshiftQueryEditorV2ReadSharing](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonRedshiftQueryEditorV2ReadSharing.html) in the *AWS Managed Policy Reference Guide*.

## AmazonRedshiftQueryEditorV2ReadWriteSharing
<a name="redshift-policy-managed-policies-query-editor-V2-write-sharing"></a>

Grants the ability to work with Amazon Redshift query editor v2 with sharing of resources. This policy also grants access to other required services. The principal using this policy can tag its resources (such as queries) to share them with other principals in the same AWS account. The granted principal can read and update the resources shared with its team. 

You can find the [AmazonRedshiftQueryEditorV2ReadWriteSharing](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonRedshiftQueryEditorV2ReadWriteSharing) policy on the IAM console and [AmazonRedshiftQueryEditorV2ReadWriteSharing](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonRedshiftQueryEditorV2ReadWriteSharing.html) in the *AWS Managed Policy Reference Guide*.

## AmazonRedshiftServiceLinkedRolePolicy
<a name="redshift-policy-managed-policies-service-linked-role-policy"></a>

You can't attach AmazonRedshiftServiceLinkedRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows Amazon Redshift to access account resources. For more information, see [Using service-linked roles for Amazon Redshift](https://docs.aws.amazon.com/redshift/latest/mgmt/using-service-linked-roles.html). 

You can find the [AmazonRedshiftServiceLinkedRolePolicy](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonRedshiftServiceLinkedRolePolicy) policy on the IAM console and [AmazonRedshiftServiceLinkedRolePolicy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonRedshiftServiceLinkedRolePolicy.html) in the *AWS Managed Policy Reference Guide*.

## AmazonRedshiftAllCommandsFullAccess
<a name="redshift-policy-managed-policies-service-linked-role-commands"></a>

Grants the ability to use the IAM role created from the Amazon Redshift console and set it as default for the cluster to run the COPY from Amazon S3, UNLOAD, CREATE EXTERNAL SCHEMA, CREATE EXTERNAL FUNCTION, and CREATE MODEL commands. The policy also grants permissions to run SELECT statements for related services, such as Amazon S3, CloudWatch Logs, Amazon SageMaker AI, or AWS Glue.

You can find the [AmazonRedshiftAllCommandsFullAccess](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonRedshiftAllCommandsFullAccess) policy on the IAM console and [AmazonRedshiftAllCommandsFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonRedshiftAllCommandsFullAccess.html) in the *AWS Managed Policy Reference Guide*.

## AmazonRedshiftFederatedAuthorization
<a name="redshift-policy-managed-policies-federated-authorization"></a>

The policy consolidates the IAM actions needed to run a query against an AWS Glue Data Catalog database with Amazon Redshift Federated Permissions. Such a query goes through AWS Glue and therefore needs Get actions on catalog objects to discover them, and Create, Update, Rename, and Delete actions to modify them. Note that the resources are managed by Amazon Redshift, so the principal also needs Amazon Redshift permissions to complete the query. The `glue:FederateAuthorization` action allows AWS Glue to delegate authorization decisions on the catalog objects to Amazon Redshift.

This policy allows the principal to run queries against the catalog with Amazon Redshift Federated Permissions, but does not allow registering or unregistering the Amazon Redshift namespace with AWS Glue. Refer to the documentation on IAM Policy Requirements for Amazon Redshift Federated Permissions Setup.

You can find the [AmazonRedshiftFederatedAuthorization](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonRedshiftFederatedAuthorization) policy on the IAM console and [AmazonRedshiftFederatedAuthorization](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonRedshiftFederatedAuthorization.html) in the *AWS Managed Policy Reference Guide*.

You can also create your own custom IAM policies to allow permissions for Amazon Redshift API operations and resources. You can attach these custom policies to the IAM roles or groups that require those permissions.

## Permissions required to use Redshift Spectrum
<a name="redshift-spectrum-policy-resources"></a>

Amazon Redshift Spectrum requires permissions to other AWS services to access resources. For details about permissions in IAM policies for Redshift Spectrum, see [IAM policies for Amazon Redshift Spectrum](https://docs.aws.amazon.com/redshift/latest/dg/c-spectrum-iam-policies.html) in the *Amazon Redshift Database Developer Guide.*

## Permissions required to use the Amazon Redshift console
<a name="redshift-policy-resources.required-permissions.console"></a>

For a user to work with the Amazon Redshift console, that user must have a minimum set of permissions that allows the user to describe the Amazon Redshift resources for their AWS account. These permissions must also allow the user to describe other related information, including Amazon EC2 security, Amazon CloudWatch, Amazon SNS, and network information.

If you create an IAM policy that is more restrictive than the minimum required permissions, the console doesn't function as intended for users with that IAM policy. To ensure that those users can still use the Amazon Redshift console, also attach the `AmazonRedshiftReadOnlyAccess` managed policy to the user. How to do this is described in [AWS managed policies for Amazon Redshift](#redshift-policy-resources.managed-policies).

For information about giving a user access to the query editor on the Amazon Redshift console, see [Permissions required to use the Amazon Redshift console query editor](#redshift-policy-resources.required-permissions.query-editor). 

You don't need to allow minimum console permissions for users that are making calls only to the AWS CLI or the Amazon Redshift API. 

## Permissions required to use the Amazon Redshift console query editor
<a name="redshift-policy-resources.required-permissions.query-editor"></a>

For a user to work with the Amazon Redshift query editor, that user must have a minimum set of permissions to Amazon Redshift and Amazon Redshift Data API operations. To connect to a database using a secret, you must also have Secrets Manager permissions.

To give a user access to the query editor on the Amazon Redshift console, attach the `AmazonRedshiftQueryEditor` and `AmazonRedshiftReadOnlyAccess` AWS managed policies. The `AmazonRedshiftQueryEditor` policy allows the user to retrieve the results of only their own SQL statements, that is, statements submitted by the same `aws:userid`, as shown in this section of the `AmazonRedshiftQueryEditor` AWS managed policy.

```
{
    "Sid":"DataAPIIAMStatementPermissionsRestriction",
    "Action": [
        "redshift-data:GetStatementResult",
        "redshift-data:CancelStatement",
        "redshift-data:DescribeStatement",
        "redshift-data:ListStatements"
    ],
    "Effect": "Allow",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "redshift-data:statement-owner-iam-userid": "${aws:userid}"
        }
    }
}
```

To allow a user to retrieve the results of SQL statements run by others in the same IAM role, create your own policy without the condition that limits access to the current user. Also restrict the ability to change that policy to an administrator.

## Permissions required to use the query editor v2
<a name="redshift-policy-resources.required-permissions.query-editor-v2"></a>

For a user to work with the Amazon Redshift query editor v2, that user must have a minimum set of permissions to Amazon Redshift, the query editor v2 operations, and other AWS services such as AWS Key Management Service, AWS Secrets Manager, and the tagging service. 

To give a user full access to the query editor v2, attach the `AmazonRedshiftQueryEditorV2FullAccess` AWS managed policy. The `AmazonRedshiftQueryEditorV2FullAccess` policy allows the user to share query editor v2 resources, such as queries, with others in the same team. For details about how access to query editor v2 resources is controlled, see the definition of the specific managed policy for query editor v2 in the IAM console. 

Some Amazon Redshift query editor v2 AWS managed policies use AWS tags within conditions to scope access to resources. Within query editor v2, sharing queries is based on the tag key and value `"aws:ResourceTag/sqlworkbench-team": "${aws:PrincipalTag/sqlworkbench-team}"` in the IAM policy attached to the principal (the IAM role). Principals in the same AWS account with the same tag value (for example, `accounting-team`) are on the same team in query editor v2. A principal can be associated with only one team at a time. A user with administrative permissions can set up teams in the IAM console by giving all team members the same value for the `sqlworkbench-team` tag. If the `sqlworkbench-team` tag value of an IAM user or IAM role is changed, there might be a delay until the change is reflected in shared resources; the same applies if the tag value of a resource (such as a query) is changed. Team members must also have the `tag:GetResources` permission to share.

**Example: To add the `accounting-team` tag for an IAM role**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane of the console, choose **Roles** and then choose the name of the role that you want to edit.

1. Choose the **Tags** tab and then choose **Add tags**.

1. Add the tag key **sqlworkbench-team** and the value `accounting-team`.

1. Choose **Save changes**.

   Now when an IAM principal (with this IAM role attached) shares a query with the team, other principals with the same `accounting-team` tag value can view the query.

For more information on how to attach a tag to a principal, including IAM roles and IAM users, see [Tagging IAM resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_tags.html) in the *IAM User Guide*. 
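To make the condition semantics concrete, the following is an added example (not AWS code and not part of this guide) that models the three condition patterns this topic describes: the `${aws:userid}` statement-owner restriction in `AmazonRedshiftQueryEditor`, the `sqlworkbench-team` tag match that query editor v2 sharing relies on, and the `StringEquals` versus `StringLike` distinction behind the July 2022 `AmazonRedshiftDataFullAccess` change. It implements only the subset of IAM evaluation it needs (two string operators, policy-variable substitution, action wildcards; no Resource matching and no Deny handling). `TEAM_STATEMENT` is a hypothetical statement built on the tag pattern from the paragraph above, and the user ids and team names are constructed sample values.

```python
import re

# --- Minimal model of the two condition operators these policies use ----------

def wildcard_match(pattern, value):
    """StringLike semantics: '*' matches any run of characters, '?' exactly one.
    Case-sensitive, like IAM string conditions."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

OPERATORS = {
    "StringEquals": lambda pattern, value: pattern == value,  # exact match; '*' is literal
    "StringLike": wildcard_match,
}

_POLICY_VAR = re.compile(r"\$\{([^}]+)\}")

def substitute(value, ctx):
    """Expand ${key} policy variables from the request context. IAM treats a
    reference to a key absent from the request as a non-match, so return None
    in that case rather than an empty string."""
    if any(key not in ctx for key in _POLICY_VAR.findall(value)):
        return None
    return _POLICY_VAR.sub(lambda m: ctx[m.group(1)], value)

def _as_list(x):
    return x if isinstance(x, list) else [x]

def condition_matches(condition, ctx):
    """All operator blocks and all keys must match (AND); several values for
    one key are OR-ed. A key missing from the request context never matches."""
    for operator, pairs in condition.items():
        match = OPERATORS[operator]
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False
            resolved = (substitute(v, ctx) for v in _as_list(expected))
            if not any(r is not None and match(r, actual) for r in resolved):
                return False
    return True

def statement_allows(statement, action, ctx):
    """True if this single Allow statement grants `action` under context `ctx`.
    Action matching is case-insensitive; Resource is not checked (all "*")."""
    if statement.get("Effect") != "Allow":
        return False
    if not any(wildcard_match(a.lower(), action.lower()) for a in _as_list(statement["Action"])):
        return False
    return condition_matches(statement.get("Condition", {}), ctx)

# --- 1. Statement-owner restriction, as in the AmazonRedshiftQueryEditor excerpt --
OWNER_STATEMENT = {
    "Sid": "DataAPIIAMStatementPermissionsRestriction",
    "Action": ["redshift-data:GetStatementResult", "redshift-data:CancelStatement",
               "redshift-data:DescribeStatement", "redshift-data:ListStatements"],
    "Effect": "Allow",
    "Resource": "*",
    "Condition": {"StringEquals": {"redshift-data:statement-owner-iam-userid": "${aws:userid}"}},
}

def can_read_statement_result(caller_userid, statement_owner_userid):
    """Caller and owner ids are constructed sample values (format 'role-id:session')."""
    ctx = {"aws:userid": caller_userid,
           "redshift-data:statement-owner-iam-userid": statement_owner_userid}
    return statement_allows(OWNER_STATEMENT, "redshift-data:GetStatementResult", ctx)

# --- 2. Team sharing (hypothetical statement built on the sqlworkbench-team pattern) --
TEAM_STATEMENT = {
    "Effect": "Allow",
    "Action": "sqlworkbench:AssociateQueryWithTab",
    "Resource": "*",
    "Condition": {"StringEquals": {
        "aws:ResourceTag/sqlworkbench-team": "${aws:PrincipalTag/sqlworkbench-team}"}},
}

def can_open_shared_query(principal_team, query_team):
    """A team value of None models a principal or query that carries no team tag."""
    ctx = {}
    if principal_team is not None:
        ctx["aws:PrincipalTag/sqlworkbench-team"] = principal_team
    if query_team is not None:
        ctx["aws:ResourceTag/sqlworkbench-team"] = query_team
    return statement_allows(TEAM_STATEMENT, "sqlworkbench:AssociateQueryWithTab", ctx)

# --- 3. StringEquals vs StringLike on aws:ResourceTag/RedshiftDataFullAccess --------
def can_get_serverless_credentials(operator, resource_tag_value):
    """With StringEquals the value "*" is a literal string; with StringLike it is
    a wildcard that accepts any tag value, which is the effect of the 2022 change."""
    stmt = {"Effect": "Allow", "Action": "redshift-serverless:GetCredentials",
            "Resource": "*",
            "Condition": {operator: {"aws:ResourceTag/RedshiftDataFullAccess": "*"}}}
    ctx = {"aws:ResourceTag/RedshiftDataFullAccess": resource_tag_value}
    return statement_allows(stmt, "redshift-serverless:GetCredentials", ctx)
```

The two negative team cases (principal without a tag, query without a tag) both evaluate to a non-match rather than an error, which is the behaviour to expect when a `sqlworkbench-team` tag has been removed or not yet propagated: the resource simply stops being visible to the team until the tag is consistent again.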

You can also set up teams at the session level using an Identity Provider (IdP). This allows multiple users who share the same IAM role to belong to different teams. The IAM role trust policy must allow the `sts:TagSession` operation. For more information, see [Permissions required to add session tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_permissions-required) in the *IAM User Guide*. Add the principal tag attribute to the SAML assertion provided by your IdP.

```
<Attribute Name="https://aws.amazon.com/SAML/Attributes/PrincipalTag:sqlworkbench-team">
    <AttributeValue>accounting-team</AttributeValue>
</Attribute>
```

Follow the instructions for your Identity provider (IdP) to populate the SAML attribute with the content coming from your directory. For more information about Identity providers (IdPs) and Amazon Redshift, see [Using IAM authentication to generate database user credentials](generating-user-credentials.md) and [Identity providers and federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html) in the *IAM User Guide*. 

The `sqlworkbench:CreateNotebookVersion` permission grants the ability to read the current content of notebook cells and create a notebook version in your account. At the time the version is created, its content is identical to the notebook's current content; afterwards, the cell content stored in the version stays unchanged even as the current notebook is updated. The `sqlworkbench:GetNotebookVersion` permission grants the ability to get a version of the notebook. As a result, a user who lacks the `sqlworkbench:BatchGetNotebookCell` permission but has both `sqlworkbench:CreateNotebookVersion` and `sqlworkbench:GetNotebookVersion` on a notebook can still read its cell content: by first creating a version and then retrieving that version.
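Because the version route makes a Deny on `sqlworkbench:BatchGetNotebookCell` alone ineffective, a reviewer of custom policies wants a static check for that combination. The following is an added example (not AWS code and not part of this guide) that reduces a policy document to the effective set of the three notebook actions, applying the IAM rule that an explicit Deny overrides an Allow, and reports every route by which cell content remains readable. It ignores Resource and Condition elements, so it is a coarse action-set check rather than an IAM simulation; the two sample policies are constructed.

```python
import re

def _as_list(x):
    return x if isinstance(x, list) else [x]

def action_matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern.lower())
    return re.fullmatch(regex, action.lower()) is not None

def effective_actions(policy, candidates):
    """Subset of `candidates` the policy allows. An explicit Deny beats any Allow.
    Resource and Condition are ignored: this is a static check of the action set."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy["Statement"]):
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _as_list(stmt.get("Action", [])):
            target.update(c for c in candidates if action_matches(pattern, c))
    return allowed - denied

DIRECT_READ = "sqlworkbench:BatchGetNotebookCell"
VERSION_PATH = ("sqlworkbench:CreateNotebookVersion", "sqlworkbench:GetNotebookVersion")

def notebook_cell_read_paths(policy):
    """Every route by which this policy lets a principal read notebook cells:
    'direct' via BatchGetNotebookCell, 'via-version' via create-then-get version."""
    granted = effective_actions(policy, (DIRECT_READ,) + VERSION_PATH)
    paths = []
    if DIRECT_READ in granted:
        paths.append("direct")
    if all(a in granted for a in VERSION_PATH):
        paths.append("via-version")
    return paths

def deny_is_bypassable(policy):
    """True when the policy withholds the direct read but leaves the version route open."""
    paths = notebook_cell_read_paths(policy)
    return "direct" not in paths and "via-version" in paths

# Constructed sample: tries to hide cell content with a Deny on BatchGetNotebookCell
# while still allowing every other sqlworkbench action.
LEAKY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sqlworkbench:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "sqlworkbench:BatchGetNotebookCell", "Resource": "*"},
    ],
}

# Constructed sample with the same intent and the version route closed as well.
TIGHT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sqlworkbench:*", "Resource": "*"},
        {"Effect": "Deny",
         "Action": ["sqlworkbench:BatchGetNotebookCell",
                    "sqlworkbench:CreateNotebookVersion",
                    "sqlworkbench:GetNotebookVersion"],
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("LEAKY_POLICY", LEAKY_POLICY), ("TIGHT_POLICY", TIGHT_POLICY)):
        print(name, notebook_cell_read_paths(policy), "bypassable:", deny_is_bypassable(policy))
```

Run it on your own policy documents after loading them with `json.load`; a result of `['via-version']` means the notebook content is reachable despite the Deny, and the fix is to deny `sqlworkbench:GetNotebookVersion` (and, to stop new snapshots, `sqlworkbench:CreateNotebookVersion`) alongside `sqlworkbench:BatchGetNotebookCell`, as `TIGHT_POLICY` does.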

## Permissions required to use the Amazon Redshift scheduler
<a name="iam-permission-scheduler"></a>

When you use the Amazon Redshift scheduler, you set up an IAM role with a trust relationship to the Amazon Redshift scheduler (**scheduler.redshift.amazonaws.com**) to allow the scheduler to assume permissions on your behalf. You also attach a policy (permissions) to the role for the Amazon Redshift API operations that you want to schedule.

The following example shows the policy document in JSON format to set up a trust relationship with the Amazon Redshift scheduler and Amazon Redshift. 

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "scheduler.redshift.amazonaws.com",
                    "redshift.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```

For more information about trust entities, see [Creating a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *IAM User Guide*.

You also must add permission for the Amazon Redshift operations you want to schedule. 

For the scheduler to use the `ResizeCluster` operation, add a permission that is similar to the following to your IAM policy. Depending on your environment, you might want to make the policy more restrictive.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "redshift:ResizeCluster",
            "Resource": "*"
        }
    ]
}
```

------

For the steps to create a role for the Amazon Redshift scheduler, see [Creating a role for an AWS service (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html#roles-creatingrole-service-console) in the *IAM User Guide*. Make these choices when you create a role in the IAM console: 
+ For **Choose the service that will use this role**: Choose **Redshift**.
+ For **Select your use case**: Choose **Redshift - Scheduler**.
+ Create or attach a policy to the role that allows an Amazon Redshift operation to be scheduled. Choose **Create policy** or modify the role to attach a policy. Enter the JSON policy for the operation that is to be scheduled. 
+ After you create the role, edit the **Trust Relationship** of the IAM role to include the service `redshift.amazonaws.com`.

The IAM role you create has trusted entities of `scheduler.redshift.amazonaws.com` and `redshift.amazonaws.com`. It also has an attached policy that allows a supported Amazon Redshift API action, such as `"redshift:ResizeCluster"`. 

## Permissions required to use the Amazon EventBridge scheduler
<a name="iam-permission-eventbridge-scheduler"></a>

When you use the Amazon EventBridge scheduler, you set up an IAM role with a trust relationship to the EventBridge scheduler (**events.amazonaws.com**) to allow the scheduler to assume permissions on your behalf. You also attach a policy (permissions) to the role for the Amazon Redshift Data API operations that you want to schedule and a policy for Amazon EventBridge operations.

You use the EventBridge scheduler when you create scheduled queries with the Amazon Redshift query editor on the console. 

You can create an IAM role to run scheduled queries on the IAM console. In this IAM role, attach `AmazonEventBridgeFullAccess` and `AmazonRedshiftDataFullAccess`. 

The following example shows the policy document in JSON format to set up a trust relationship with the EventBridge scheduler. 

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "events.amazonaws.com"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```

------

For more information about trust entities, see [Creating a role to delegate permissions to an AWS service](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html) in the *IAM User Guide*.

For the steps to create a role for the EventBridge scheduler, see [Creating a role for an AWS service (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html#roles-creatingrole-service-console) in the *IAM User Guide*. Make these choices when you create a role in the IAM console: 
+ For **Choose the service that will use this role**: Choose **CloudWatch Events**.
+ For **Select your use case**: Choose **CloudWatch Events**.
+ Attach the following permission policies: `AmazonEventBridgeFullAccess` and `AmazonRedshiftDataFullAccess`. 

The IAM role that you create has a trusted entity of `events.amazonaws.com`. It also has an attached policy that allows supported Amazon Redshift Data API actions, such as `"redshift-data:*"`. 

## Permissions required to use Amazon Redshift machine learning (ML)
<a name="iam-permission-ml"></a>

Following, you can find a description of the permissions required to use Amazon Redshift machine learning (ML) for different use cases.

For your users to use Amazon Redshift ML with Amazon SageMaker AI, create an IAM role with a more restrictive policy than the default. You can use the following policy, and you can also modify it to meet your needs.

The following policy shows the permissions required to run SageMaker AI Autopilot with model explainability from Amazon Redshift.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateTrainingJob",
                "sagemaker:CreateAutoMLJob",
                "sagemaker:CreateCompilationJob",
                "sagemaker:CreateEndpoint",
                "sagemaker:DescribeAutoMLJob",
                "sagemaker:DescribeTrainingJob",
                "sagemaker:DescribeCompilationJob",
                "sagemaker:DescribeProcessingJob",
                "sagemaker:DescribeTransformJob",
                "sagemaker:ListCandidatesForAutoMLJob",
                "sagemaker:StopAutoMLJob",
                "sagemaker:StopCompilationJob",
                "sagemaker:StopTrainingJob",
                "sagemaker:DescribeEndpoint",
                "sagemaker:InvokeEndpoint",
                "sagemaker:StopProcessingJob",
                "sagemaker:CreateModel",
                "sagemaker:CreateProcessingJob"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:model/*redshift*",
                "arn:aws:sagemaker:*:*:training-job/*redshift*",
                "arn:aws:sagemaker:*:*:automl-job/*redshift*",
                "arn:aws:sagemaker:*:*:compilation-job/*redshift*",
                "arn:aws:sagemaker:*:*:processing-job/*redshift*",
                "arn:aws:sagemaker:*:*:transform-job/*redshift*",
                "arn:aws:sagemaker:*:*:endpoint/*redshift*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:DescribeLogStreams",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:*:*:log-group:/aws/sagemaker/Endpoints/*redshift*",
                "arn:aws:logs:*:*:log-group:/aws/sagemaker/ProcessingJobs/*redshift*",
                "arn:aws:logs:*:*:log-group:/aws/sagemaker/TrainingJobs/*redshift*",
                "arn:aws:logs:*:*:log-group:/aws/sagemaker/TransformJobs/*redshift*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "cloudwatch:namespace": [
                        "SageMaker",
                        "/aws/sagemaker/Endpoints",
                        "/aws/sagemaker/ProcessingJobs",
                        "/aws/sagemaker/TrainingJobs",
                        "/aws/sagemaker/TransformJobs"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage",
                "ecr:GetAuthorizationToken",
                "ecr:GetDownloadUrlForLayer"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetBucketAcl",
                "s3:GetBucketCors",
                "s3:GetEncryptionConfiguration",
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:ListAllMyBuckets",
                "s3:ListMultipartUploadParts",
                "s3:ListBucketMultipartUploads",
                "s3:PutObject",
                "s3:PutBucketAcl",
                "s3:PutBucketCors",
                "s3:DeleteObject",
                "s3:AbortMultipartUpload",
                "s3:CreateBucket"
            ],
            "Resource": [
                "arn:aws:s3:::redshift-downloads",
                "arn:aws:s3:::redshift-downloads/*",
                "arn:aws:s3:::*redshift*",
                "arn:aws:s3:::*redshift*/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetBucketAcl",
                "s3:GetBucketCors",
                "s3:GetEncryptionConfiguration",
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:ListAllMyBuckets",
                "s3:ListMultipartUploadParts",
                "s3:ListBucketMultipartUploads",
                "s3:PutObject",
                "s3:PutBucketAcl",
                "s3:PutBucketCors",
                "s3:DeleteObject",
                "s3:AbortMultipartUpload",
                "s3:CreateBucket"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "s3:ExistingObjectTag/Redshift": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::*:role/*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "redshift.amazonaws.com",
                        "sagemaker.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
```

------

The following policy shows the full minimal permissions to allow access to Amazon DynamoDB, Redshift Spectrum and Amazon RDS federation.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateTrainingJob",
                "sagemaker:CreateAutoMLJob",
                "sagemaker:CreateCompilationJob",
                "sagemaker:CreateEndpoint",
                "sagemaker:DescribeAutoMLJob",
                "sagemaker:DescribeTrainingJob",
                "sagemaker:DescribeCompilationJob",
                "sagemaker:DescribeProcessingJob",
                "sagemaker:DescribeTransformJob",
                "sagemaker:ListCandidatesForAutoMLJob",
                "sagemaker:StopAutoMLJob",
                "sagemaker:StopCompilationJob",
                "sagemaker:StopTrainingJob",
                "sagemaker:DescribeEndpoint",
                "sagemaker:InvokeEndpoint",
                "sagemaker:StopProcessingJob",
                "sagemaker:CreateModel",
                "sagemaker:CreateProcessingJob"
            ],
            "Resource": [
                "arn:aws:sagemaker:*:*:model/*redshift*",
                "arn:aws:sagemaker:*:*:training-job/*redshift*",
                "arn:aws:sagemaker:*:*:automl-job/*redshift*",
                "arn:aws:sagemaker:*:*:compilation-job/*redshift*",
                "arn:aws:sagemaker:*:*:processing-job/*redshift*",
                "arn:aws:sagemaker:*:*:transform-job/*redshift*",
                "arn:aws:sagemaker:*:*:endpoint/*redshift*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:DescribeLogStreams",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:*:*:log-group:/aws/sagemaker/Endpoints/*redshift*",
                "arn:aws:logs:*:*:log-group:/aws/sagemaker/ProcessingJobs/*redshift*",
                "arn:aws:logs:*:*:log-group:/aws/sagemaker/TrainingJobs/*redshift*",
                "arn:aws:logs:*:*:log-group:/aws/sagemaker/TransformJobs/*redshift*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "cloudwatch:namespace": [
                        "SageMaker",
                        "/aws/sagemaker/Endpoints",
                        "/aws/sagemaker/ProcessingJobs",
                        "/aws/sagemaker/TrainingJobs",
                        "/aws/sagemaker/TransformJobs"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:BatchGetImage",
                "ecr:GetAuthorizationToken",
                "ecr:GetDownloadUrlForLayer"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetBucketAcl",
                "s3:GetBucketCors",
                "s3:GetEncryptionConfiguration",
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:ListAllMyBuckets",
                "s3:ListMultipartUploadParts",
                "s3:ListBucketMultipartUploads",
                "s3:PutObject",
                "s3:PutBucketAcl",
                "s3:PutBucketCors",
                "s3:DeleteObject",
                "s3:AbortMultipartUpload",
                "s3:CreateBucket"
            ],
            "Resource": [
                "arn:aws:s3:::redshift-downloads",
                "arn:aws:s3:::redshift-downloads/*",
                "arn:aws:s3:::*redshift*",
                "arn:aws:s3:::*redshift*/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:GetBucketAcl",
                "s3:GetBucketCors",
                "s3:GetEncryptionConfiguration",
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:ListAllMyBuckets",
                "s3:ListMultipartUploadParts",
                "s3:ListBucketMultipartUploads",
                "s3:PutObject",
                "s3:PutBucketAcl",
                "s3:PutBucketCors",
                "s3:DeleteObject",
                "s3:AbortMultipartUpload",
                "s3:CreateBucket"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "s3:ExistingObjectTag/Redshift": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:Scan",
                "dynamodb:DescribeTable",
                "dynamodb:GetItem"
            ],
            "Resource": [
                "arn:aws:dynamodb:*:*:table/*redshift*",
                "arn:aws:dynamodb:*:*:table/*redshift*/index/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticmapreduce:ListInstances"
            ],
            "Resource": [
                "arn:aws:elasticmapreduce:*:*:cluster/*redshift*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticmapreduce:ListInstances"
            ],
            "Resource": "*",
            "Condition": {
                "StringEqualsIgnoreCase": {
                    "elasticmapreduce:ResourceTag/Redshift": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Resource": "arn:aws:lambda:*:*:function:*redshift*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "glue:CreateDatabase",
                "glue:DeleteDatabase",
                "glue:GetDatabase",
                "glue:GetDatabases",
                "glue:UpdateDatabase",
                "glue:CreateTable",
                "glue:DeleteTable",
                "glue:BatchDeleteTable",
                "glue:UpdateTable",
                "glue:GetTable",
                "glue:GetTables",
                "glue:BatchCreatePartition",
                "glue:CreatePartition",
                "glue:DeletePartition",
                "glue:BatchDeletePartition",
                "glue:UpdatePartition",
                "glue:GetPartition",
                "glue:GetPartitions",
                "glue:BatchGetPartition"
            ],
            "Resource": [
                "arn:aws:glue:*:*:table/*redshift*/*",
                "arn:aws:glue:*:*:catalog",
                "arn:aws:glue:*:*:database/*redshift*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:ListSecretVersionIds"
            ],
            "Resource": [
                "arn:aws:secretsmanager:*:*:secret:*redshift*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetRandomPassword",
                "secretsmanager:ListSecrets"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "secretsmanager:ResourceTag/Redshift": "true"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam::*:role/*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "redshift.amazonaws.com",
                        "glue.amazonaws.com",
                        "sagemaker.amazonaws.com",
                        "athena.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
```

------

Optionally, to use an AWS KMS key for encryption, add the following permissions to the policy.

```
{
    "Effect": "Allow",
    "Action": [
        "kms:CreateGrant",
        "kms:Decrypt",
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:GenerateDataKey*"
    ],
    "Resource": [
        "arn:aws:kms:<your-region>:<your-account-id>:key/<your-kms-key>"
    ]
}
```

To allow Amazon Redshift and SageMaker AI to assume the preceding IAM role to interact with other services, add the following trust policy to the role.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "redshift.amazonaws.com",
          "sagemaker.amazonaws.com",
          "forecast.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

------

In the preceding policy, the Amazon S3 bucket `redshift-downloads/redshift-ml/` is where the sample data used in other steps and examples is stored. You can remove this bucket from the policy if you don't need to load data from Amazon S3, or replace it with the Amazon S3 buckets that you use to load data into Amazon Redshift. 

The **your-account-id**, **your-role**, and **your-s3-bucket** values are the account ID, role, and bucket that you specify in your CREATE MODEL command.

Optionally, you can use the AWS KMS keys section of the sample policy if you specify an AWS KMS key for use with Amazon Redshift ML. The **your-kms-key** value is the key that you use as part of your CREATE MODEL command.

When you specify a private virtual private cloud (VPC) for a hyperparameter tuning job, add the following permissions.

```
{
    "Effect": "Allow",
    "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:CreateNetworkInterfacePermission",
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteNetworkInterfacePermission",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeVpcs",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups"
    ],
    "Resource": "*"
}
```

To work with model explanation, make sure that you have the permissions to call SageMaker AI API operations. We recommend that you use the `AmazonSageMakerFullAccess` managed policy. If you want to create an IAM role with a more restrictive policy, use the following policy.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sagemaker:CreateEndpoint",
        "sagemaker:CreateEndpointConfig",
        "sagemaker:DeleteEndpoint",
        "sagemaker:DeleteEndpointConfig",
        "sagemaker:DescribeEndpoint",
        "sagemaker:DescribeEndpointConfig",
        "sagemaker:DescribeModel",
        "sagemaker:InvokeEndpoint",
        "sagemaker:ListTags"
      ],
      "Resource": "*"
    }
  ]
}
```

------

For more information about the `AmazonSageMakerFullAccess` managed policy, see [AmazonSageMakerFullAccess](https://docs.aws.amazon.com/sagemaker/latest/dg/security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonSageMakerFullAccess) in the *Amazon SageMaker AI Developer Guide*.

If you want to create Forecast models, we recommend that you use the `AmazonForecastFullAccess` managed policy. If you want to use a more restrictive policy, add the following policy to your IAM role.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "forecast:CreateAutoPredictor",
                "forecast:CreateDataset",
                "forecast:CreateDatasetGroup",
                "forecast:CreateDatasetImportJob",
                "forecast:CreateForecast",
                "forecast:CreateForecastExportJob",
                "forecast:DeleteResourceTree",
                "forecast:DescribeAutoPredictor",
                "forecast:DescribeDataset",
                "forecast:DescribeDatasetGroup",
                "forecast:DescribeDatasetImportJob",
                "forecast:DescribeForecast",
                "forecast:DescribeForecastExportJob",
                "forecast:StopResource",
                "forecast:TagResource",
                "forecast:UpdateDatasetGroup"
             ],
             "Resource": "*"
         }
    ]
}
```

------

If you want to create Amazon Bedrock models, we recommend that you use the `AmazonBedrockFullAccess` managed policy. If you want to use a more restrictive policy, add the following policy to your IAM role.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "bedrock:InvokeModel",
            "Resource": [
                "*",
                "arn:aws:bedrock:us-east-1::foundation-model/*"
            ]
        }
    ]
}
```

------

For more information about Amazon Redshift ML, see [Using machine learning in Amazon Redshift](https://docs.aws.amazon.com/redshift/latest/dg/machine_learning.html), [CREATE MODEL](https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_MODEL.html), or [CREATE EXTERNAL MODEL](https://docs.aws.amazon.com/redshift/latest/dg/r_create_external_model.html).

## Permissions for streaming ingestion
<a name="iam-permission-streaming-ingestion"></a>

Streaming ingestion works with two services: Kinesis Data Streams and Amazon MSK.

### Permissions required to use streaming ingestion with Kinesis Data Streams
<a name="iam-permission-streaming-ingestion-kinesis"></a>

A procedure with a managed-policy example is available at [Getting started with streaming ingestion from Amazon Kinesis Data Streams](https://docs.aws.amazon.com/redshift/latest/dg/materialized-view-streaming-ingestion-getting-started.html).

### Permissions required to use streaming ingestion with Amazon MSK
<a name="iam-permission-streaming-ingestion-kafka"></a>

A procedure with a managed-policy example is available at [Getting started with streaming ingestion from Amazon Managed Streaming for Apache Kafka](https://docs.aws.amazon.com/redshift/latest/dg/materialized-view-streaming-ingestion-getting-started-MSK.html).

## Permissions required to use the data sharing API operations
<a name="iam-permission-datasharing"></a>

To control access to the data sharing API operations, use IAM action-based policies. For information about how to manage IAM policies, see [Managing IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage.html) in the *IAM User Guide*.

In particular, suppose that a producer cluster administrator needs to use the `AuthorizeDataShare` call to authorize egress for a datashare outside of an AWS account. In this case, you set up an IAM action-based policy to grant this permission. Use the `DeauthorizeDataShare` call to revoke egress.

When using IAM action-based policies, you can also specify an IAM resource in the policy, such as `DataShareARN`. The following shows the format and an example for `DataShareARN`.

```
arn:aws:redshift:region:account-id:datashare:namespace-guid/datashare-name
arn:aws:redshift:us-east-1:555555555555:datashare:86b5169f-01dc-4a6f-9fbb-e2e24359e9a8/SalesShare
```

You can restrict `AuthorizeDataShare` access to a specific datashare by specifying the datashare name in the IAM policy.

```
{
  "Statement": [
    {
      "Action": [
        "redshift:AuthorizeDataShare"
      ],
      "Resource": [
        "arn:aws:redshift:us-east-1:555555555555:datashare:86b5169f-01dc-4a6f-9fbb-e2e24359e9a8/SalesShare"
      ],
      "Effect": "Deny"
    }
  ]
}
```

You can also restrict the IAM policy to all datashares owned by a specific producer cluster. To do this, replace the **datashare-name** value in the policy with a wildcard (an asterisk, `*`), and keep the cluster's `namespace-guid` value.

```
arn:aws:redshift:us-east-1:555555555555:datashare:86b5169f-01dc-4a6f-9fbb-e2e24359e9a8/*
```

Following is an IAM policy that prevents an entity from calling `AuthorizeDataShare` on the datashares owned by a specific producer cluster. 

```
{
  "Statement": [
    {
      "Action": [
        "redshift:AuthorizeDataShare"
      ],
      "Resource": [
        "arn:aws:redshift:us-east-1:555555555555:datashare:86b5169f-01dc-4a6f-9fbb-e2e24359e9a8/*"
      ],
      "Effect": "Deny"
    }
  ]
}
```

`DataShareARN` restricts access based on both the datashare name and the globally unique ID (GUID) of the owning cluster's namespace. Specifying the datashare name as an asterisk restricts access based on the namespace GUID alone, so the policy covers every datashare that the producer cluster owns.

## Resource policies for GetClusterCredentials
<a name="redshift-policy-resources.getclustercredentials-resources"></a>

To connect to a cluster database using a JDBC or ODBC connection with IAM database credentials, or to programmatically call the `GetClusterCredentials` action, you need permission to call the `redshift:GetClusterCredentials` action with access to a `dbuser` resource.

If you use a JDBC or ODBC connection, instead of `server` and `port` you can specify `cluster_id` and `region`, but to do so your policy must permit the `redshift:DescribeClusters` action with access to the `cluster` resource. 

If you call `GetClusterCredentials` with the optional parameters `Autocreate`, `DbGroups`, and `DbName`, make sure to also allow the actions and permit access to the resources listed in the following table.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-identity-based.html)

For more information about resources, see [Amazon Redshift resources and operations](redshift-iam-access-control-overview.md#redshift-iam-accesscontrol.actions-and-resources).

You can also include the following conditions in your policy:
+ `redshift:DurationSeconds`
+ `redshift:DbName`
+ `redshift:DbUser`

**Important**  
For SAML SSO integrations, you might be required to specify an IAM policy that uses the `${redshift:DbUser}` variable. In those cases, we strongly recommend a condition statement that ensures a caller cannot obtain credentials for a user that does not match their AWS user ID, for example `"StringEquals": {"aws:userid": "AIDIODR4TAW7CSEXAMPLE:${redshift:DbUser}"}`. See [Example 8: IAM policy for using GetClusterCredentials](#redshift-policy-examples-getclustercredentials). For more information about conditions, see [Specifying conditions in a policy](redshift-iam-access-control-overview.md#redshift-policy-resources.specifying-conditions).
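As an added example that is not part of the Amazon Redshift documentation, the following Python snippet evaluates the two patterns from this section and the preceding data sharing section: the explicit `Deny` on a producer namespace's `DataShareARN`, and a `GetClusterCredentials` condition that binds `${redshift:DbUser}` to the caller's `aws:userid`. It models only Allow/Deny precedence, wildcards, variable substitution and `StringEquals`; the cluster name `examplecluster` and the second namespace GUID are constructed placeholders.

```python
"""Request-time evaluation of two policy patterns: an explicit Deny scoped to
a producer namespace's DataShareARN, and a GetClusterCredentials condition
that ties ${redshift:DbUser} to the caller's aws:userid.

Added illustration, not AWS's policy engine: it models only Allow/Deny
precedence, '*' and '?' wildcards, ${...} variable substitution and the
StringEquals operators. 'examplecluster' is a placeholder cluster name."""
import re


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern: str, value: str, ignore_case: bool = False) -> bool:
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _substitute(text: str, context: dict) -> str:
    # Expand ${key} policy variables from the request context (unknown keys are left as-is).
    return re.sub(r"\$\{([^}]+)\}", lambda m: context.get(m.group(1), m.group(0)), text)


def _condition_holds(condition: dict, context: dict) -> bool:
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringEqualsIgnoreCase"):
            raise ValueError(f"operator {operator} is not modelled")
        fold = operator == "StringEqualsIgnoreCase"
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False  # a missing context key never satisfies StringEquals
            candidates = [_substitute(v, context) for v in _as_list(wanted)]
            if not any((actual.lower() == c.lower()) if fold else (actual == c) for c in candidates):
                return False
    return True


def evaluate(policy: dict, action: str, resource: str, context=None) -> str:
    """Return 'Deny' (explicit), 'Allow' or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(_glob(a, action, ignore_case=True) for a in _as_list(stmt["Action"])):
            continue
        resources = [_substitute(r, context) for r in _as_list(stmt.get("Resource", "*"))]
        if not any(_glob(r, resource) for r in resources):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides any Allow
        decision = "Allow"
    return decision


NAMESPACE = "86b5169f-01dc-4a6f-9fbb-e2e24359e9a8"        # namespace GUID from the page's example ARNs
OTHER_NAMESPACE = "11111111-2222-3333-4444-555555555555"  # constructed second producer namespace


def datashare_arn(namespace: str, name: str) -> str:
    return f"arn:aws:redshift:us-east-1:555555555555:datashare:{namespace}/{name}"


# Allow all Redshift actions, then carve out AuthorizeDataShare for one producer namespace.
DATASHARE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "redshift:*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["redshift:AuthorizeDataShare"],
         "Resource": [datashare_arn(NAMESPACE, "*")]},
    ],
}

# GetClusterCredentials only for the DbUser that matches the caller's own aws:userid.
CREDS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "redshift:GetClusterCredentials",
        "Resource": "arn:aws:redshift:us-west-2:123456789012:dbuser:examplecluster/${redshift:DbUser}",
        "Condition": {"StringEquals": {"aws:userid": "AIDIODR4TAW7CSEXAMPLE:${redshift:DbUser}"}},
    }],
}


def credentials_decision(caller_userid: str, db_user: str) -> str:
    context = {"aws:userid": caller_userid, "redshift:DbUser": db_user}
    resource = f"arn:aws:redshift:us-west-2:123456789012:dbuser:examplecluster/{db_user}"
    return evaluate(CREDS_POLICY, "redshift:GetClusterCredentials", resource, context)


if __name__ == "__main__":
    print(evaluate(DATASHARE_POLICY, "redshift:AuthorizeDataShare", datashare_arn(NAMESPACE, "SalesShare")))
    print(credentials_decision("AIDIODR4TAW7CSEXAMPLE:alice", "alice"))
    print(credentials_decision("AIDIODR4TAW7CSEXAMPLE:alice", "bob"))
```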

## Customer managed policy examples
<a name="redshift-iam-accesscontrol.examples"></a>

In this section, you can find example user policies that grant permissions for various Amazon Redshift actions. These policies work when you are using the Amazon Redshift API, AWS SDKs, or the AWS CLI. 

**Note**  
All examples use the US West (Oregon) Region (`us-west-2`) and contain fictitious account IDs.

### Example 1: Allow user full access to all Amazon Redshift actions and resources
<a name="redshift-policy-example-allow-full-access"></a>

The following policy allows access to all Amazon Redshift actions on all resources. 

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid":"AllowRedshift",
      "Action": [
        "redshift:*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
```

------

The value `redshift:*` in the `Action` element indicates all of the actions in Amazon Redshift.

### Example 2: Deny a user access to a set of Amazon Redshift actions
<a name="redshift-policy-example-deny-specific-actions"></a>

By default, all permissions are denied. However, sometimes you need to explicitly deny access to a specific action or set of actions. The following policy allows access to all the Amazon Redshift actions and explicitly denies access to any Amazon Redshift action where the name starts with `Delete`. This policy applies to all Amazon Redshift resources in `us-west-2`.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid":"AllowUSWest2Region",
      "Action": [
        "redshift:*"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:redshift:us-west-2:111122223333:*"
    },
    {
      "Sid":"DenyDeleteUSWest2Region",
      "Action": [
        "redshift:Delete*"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:redshift:us-west-2:111122223333:*"
    }
  ]
}
```

------

### Example 3: Allow a user to manage clusters
<a name="redshift-policy-example-allow-manage-clusters"></a>

The following policy allows a user to create, delete, modify, and reboot all clusters, and then denies permission to delete any clusters where the cluster name starts with `protected`.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid":"AllowClusterManagement",
      "Action": [
        "redshift:CreateCluster",
        "redshift:DeleteCluster",
        "redshift:ModifyCluster",
        "redshift:RebootCluster"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Sid":"DenyDeleteProtected",
      "Action": [
        "redshift:DeleteCluster"
      ],
      "Resource": [
        "arn:aws:redshift:us-west-2:123456789012:cluster:protected*"
      ],
      "Effect": "Deny"
    }
  ]
}
```

------

### Example 4: Allow a user to authorize and revoke snapshot access
<a name="redshift-policy-example-allow-authorize-revoke-snapshot"></a>

The following policy allows a user, for example User A, to do the following:
+ Authorize access to any snapshot created from a cluster named `shared`.
+ Revoke snapshot access for any snapshot created from the `shared` cluster where the snapshot name starts with `revokable`.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid":"AllowSharedSnapshots",
      "Action": [
        "redshift:AuthorizeSnapshotAccess"
      ],
      "Resource": [
        "arn:aws:redshift:us-west-2:123456789012:snapshot:shared/*"
      ],
      "Effect": "Allow"
    },
    {
      "Sid":"AllowRevokableSnapshot",
      "Action": [
        "redshift:RevokeSnapshotAccess"
      ],
      "Resource": [
        "arn:aws:redshift:us-west-2:123456789012:snapshot:*/revokable*"
      ],
      "Effect": "Allow"
    }
  ]
}
```

------

If User A has allowed User B to access a snapshot, User B must have a policy such as the following to allow User B to restore a cluster from the snapshot. The following policy allows User B to describe and restore from snapshots, and to create clusters. The name of these clusters must start with `from-other-account`.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowDescribeSnapshots",
      "Action": [
        "redshift:DescribeClusterSnapshots"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Sid": "AllowUserRestoreFromSnapshot",
      "Action": [
        "redshift:RestoreFromClusterSnapshot"
      ],
      "Resource": [
        "arn:aws:redshift:us-west-2:123456789012:snapshot:*/*",
        "arn:aws:redshift:us-west-2:444455556666:cluster:from-other-account*"
      ],
      "Effect": "Allow"
    }
  ]
}
```

------

### Example 5: Allow a user to copy a cluster snapshot and restore a cluster from a snapshot
<a name="redshift-policy-example-allow-copy-restore-snapshot"></a>

The following policy allows a user to copy any snapshot created from the cluster named `big-cluster-1`, and restore any snapshot where the snapshot name starts with `snapshot-for-restore`.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCopyClusterSnapshot",
      "Action": [
        "redshift:CopyClusterSnapshot"
      ],
      "Resource": [
        "arn:aws:redshift:us-west-2:123456789012:snapshot:big-cluster-1/*"
      ],
      "Effect": "Allow"
    },
    {
      "Sid": "AllowRestoreFromClusterSnapshot",
      "Action": [
        "redshift:RestoreFromClusterSnapshot"
      ],
      "Resource": [
        "arn:aws:redshift:us-west-2:123456789012:snapshot:*/snapshot-for-restore*",
        "arn:aws:redshift:us-west-2:123456789012:cluster:*"
      ],
      "Effect": "Allow"
    }
  ]
}
```

------

### Example 6: Allow a user access to Amazon Redshift, and common actions and resources for related AWS services
<a name="redshift-policy-example-allow-related-services"></a>

 The following example policy allows access to all actions and resources for Amazon Redshift, Amazon Simple Notification Service (Amazon SNS), and Amazon CloudWatch. It also allows specified actions on all related Amazon EC2 resources under the account. 

**Note**  
 Resource-level permissions are not supported for the Amazon EC2 actions that are specified in this example policy. 

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowRedshift",
      "Effect": "Allow",
      "Action": [
        "redshift:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AllowSNS",
      "Effect": "Allow",
      "Action": [
        "sns:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AllowCloudWatch",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "AllowEC2Actions",
      "Effect": "Allow",
      "Action": [
        "ec2:AllocateAddress",
        "ec2:AssociateAddress",
        "ec2:AttachNetworkInterface",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAddresses",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```

------

### Example 7: Allow a user to tag resources with the Amazon Redshift console
<a name="redshift-policy-example-allow-tagging-with-console"></a>

The following example policy allows a user to tag resources with the Amazon Redshift console using the AWS Resource Groups. This policy can be attached to a user role that invokes the new or original Amazon Redshift console. For more information about tagging, see [Tag resources in Amazon Redshift](amazon-redshift-tagging.md). 

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TaggingPermissions",
      "Effect": "Allow",
      "Action": [
        "redshift:DeleteTags",
        "redshift:CreateTags",
        "redshift:DescribeTags",
        "tag:UntagResources",
        "tag:TagResources"
      ],
      "Resource": "*"
    }
  ]
}
```

------

### Example 8: IAM policy for using GetClusterCredentials
<a name="redshift-policy-examples-getclustercredentials"></a>

The following policy uses these sample parameter values:
+ Region: `us-west-2` 
+ AWS Account: `123456789012` 
+ Cluster name: `examplecluster` 

The following policy enables the `GetClusterCredentials`, `CreateClusterUser`, and `JoinGroup` actions. The policy uses condition keys to allow the `GetClusterCredentials` and `CreateClusterUser` actions only when the AWS user ID matches `"AIDIODR4TAW7CSEXAMPLE:${redshift:DbUser}@yourdomain.com"`. IAM access is requested for the `"testdb"` database only. The policy also allows users to join a group named `"common_group"`.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GetClusterCredsStatement",
      "Effect": "Allow",
      "Action": [
        "redshift:GetClusterCredentials"
      ],
      "Resource": [
        "arn:aws:redshift:us-west-2:123456789012:dbuser:examplecluster/${redshift:DbUser}",
        "arn:aws:redshift:us-west-2:123456789012:dbname:examplecluster/testdb",
        "arn:aws:redshift:us-west-2:123456789012:dbgroup:examplecluster/common_group"
      ],
      "Condition": {
        "StringEquals": {
          "aws:userid": "AIDIODR4TAW7CSEXAMPLE:${redshift:DbUser}@yourdomain.com"
        }
      }
    },
    {
      "Sid": "CreateClusterUserStatement",
      "Effect": "Allow",
      "Action": [
        "redshift:CreateClusterUser"
      ],
      "Resource": [
        "arn:aws:redshift:us-west-2:123456789012:dbuser:examplecluster/${redshift:DbUser}"
      ],
      "Condition": {
        "StringEquals": {
          "aws:userid": "AIDIODR4TAW7CSEXAMPLE:${redshift:DbUser}@yourdomain.com"
        }
      }
    },
    {
      "Sid": "RedshiftJoinGroupStatement",
      "Effect": "Allow",
      "Action": [
        "redshift:JoinGroup"
      ],
      "Resource": [
        "arn:aws:redshift:us-west-2:123456789012:dbgroup:examplecluster/common_group"
      ]
    }
  ]
}
```

------

The following example shows a policy that allows the IAM role to call the `GetClusterCredentials` operation. Specifying the Amazon Redshift `dbuser` resource grants the role access to the database user name `temp_creds_user` on the cluster named `examplecluster`.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "redshift:GetClusterCredentials",
    "Resource": "arn:aws:redshift:us-west-2:123456789012:dbuser:examplecluster/temp_creds_user"
  }
}
```

------

You can use a wildcard (`*`) to replace all, or a portion of, the cluster name, user name, and database group names. The following example allows any user name beginning with `temp_` with any cluster in the specified account.

**Important**  
The statement in the following example specifies a wildcard character (`*`) as part of the value for the resource so that the policy permits any resource that begins with the specified characters. Using a wildcard character in your IAM policies might be overly permissive. As a best practice, we recommend using the most restrictive policy feasible for your business application.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "redshift:GetClusterCredentials",
    "Resource": "arn:aws:redshift:us-west-2:123456789012:dbuser:*/temp_*"
  }
}
```

------

The following example shows a policy that allows the IAM role to call the `GetClusterCredentials` operation with the option to automatically create a new user and specify groups the user joins at login. The `"Resource": "*"` clause grants the role access to any resource, including clusters, database users, or user groups.

**Important**  
The statement in the following example specifies a wildcard character (`*`) as the resource for the given actions, so that the policy permits access to any cluster and database users, and allows creating any user. Using a wildcard character in your IAM policies might be overly permissive. As a best practice, we recommend using the most restrictive policy feasible for your business application.

------
#### [ JSON ]

```
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": [
      "redshift:GetClusterCredentials",
      "redshift:CreateClusterUser",
      "redshift:JoinGroup"
    ],
    "Resource": "*"
  }
}
```

------

For more information, see [Amazon Redshift ARN syntax](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-redshift).
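
The policies above depend on a few evaluation rules that are easy to get wrong when reviewing them: everything is denied by default, an explicit `Deny` beats any `Allow`, action names match case-insensitively while resource ARNs match case-sensitively with `*` and `?` wildcards, and `${redshift:DbUser}` and `aws:userid` are filled in from the request. The following Python script is an added example (not AWS's own evaluator) that models just those rules and runs Example 3 and the `dbuser` statement of Example 8 offline; the `analytics` cluster and the user names `alice` and `bob` are constructed sample values, and IAM's full condition and policy-type logic is not modelled.

```python
import re
from typing import Any, Dict, List, Optional

# Added example, not AWS's evaluator: an offline model of how IAM decides the
# policies on this page. Default deny; a matching explicit Deny always wins;
# action names match case-insensitively, resource ARNs case-sensitively.


def _wildcard_match(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM wildcards: '*' matches any run of characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.IGNORECASE if ignore_case else 0) is not None


def _substitute(text: str, ctx: Dict[str, str]) -> str:
    """Fill in policy variables such as ${redshift:DbUser} from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), m.group(0)), text)


def _as_list(value: Any) -> List[str]:
    return value if isinstance(value, list) else [value]


def _condition_holds(condition: Dict[str, Any], ctx: Dict[str, str]) -> bool:
    """Only StringEquals is modelled; it is the only operator these policies use."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise ValueError(f"condition operator {operator} is not modelled here")
        for key, expected in pairs.items():
            if not any(_substitute(e, ctx) == ctx.get(key) for e in _as_list(expected)):
                return False
    return True


def evaluate(policy: Dict[str, Any], action: str, resource: str,
             ctx: Optional[Dict[str, str]] = None) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    ctx = ctx or {}
    decision = "ImplicitDeny"  # nothing has matched yet: the default deny
    for stmt in _as_list(policy["Statement"]):
        if not any(_wildcard_match(a, action, True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(_substitute(r, ctx), resource, False)
                   for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny ends evaluation, whatever else allowed
        decision = "Allow"
    return decision


# Example 3 from the page: manage clusters, but never delete a "protected*" one.
MANAGE_CLUSTERS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowClusterManagement", "Effect": "Allow",
         "Action": ["redshift:CreateCluster", "redshift:DeleteCluster",
                    "redshift:ModifyCluster", "redshift:RebootCluster"],
         "Resource": ["*"]},
        {"Sid": "DenyDeleteProtected", "Effect": "Deny",
         "Action": ["redshift:DeleteCluster"],
         "Resource": ["arn:aws:redshift:us-west-2:123456789012:cluster:protected*"]},
    ],
}

# Example 8 from the page, reduced to its dbuser statement: the caller's
# aws:userid must end in "<DbUser>@yourdomain.com" for the DbUser it asks for.
GET_CREDS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "GetClusterCredsStatement", "Effect": "Allow",
         "Action": ["redshift:GetClusterCredentials"],
         "Resource": ["arn:aws:redshift:us-west-2:123456789012:dbuser:examplecluster/${redshift:DbUser}"],
         "Condition": {"StringEquals": {
             "aws:userid": "AIDIODR4TAW7CSEXAMPLE:${redshift:DbUser}@yourdomain.com"}}},
    ],
}

CLUSTER_ARN = "arn:aws:redshift:us-west-2:123456789012:cluster:"
DBUSER_ARN = "arn:aws:redshift:us-west-2:123456789012:dbuser:examplecluster/"

if __name__ == "__main__":
    # Constructed requests: the "analytics" cluster and users alice/bob are sample names.
    print(evaluate(MANAGE_CLUSTERS_POLICY, "redshift:DeleteCluster", CLUSTER_ARN + "analytics"))
    print(evaluate(MANAGE_CLUSTERS_POLICY, "redshift:DeleteCluster", CLUSTER_ARN + "protected-prod"))
    alice = {"redshift:DbUser": "alice", "aws:userid": "AIDIODR4TAW7CSEXAMPLE:alice@yourdomain.com"}
    print(evaluate(GET_CREDS_POLICY, "redshift:GetClusterCredentials", DBUSER_ARN + "alice", alice))
    # Same DbUser requested, but the caller's userid names bob: the condition fails.
    bob = {"redshift:DbUser": "alice", "aws:userid": "AIDIODR4TAW7CSEXAMPLE:bob@yourdomain.com"}
    print(evaluate(GET_CREDS_POLICY, "redshift:GetClusterCredentials", DBUSER_ARN + "alice", bob))
```

For a real account, the same questions can be put to IAM itself with the policy simulator (`aws iam simulate-custom-policy`), which applies the complete evaluation logic rather than this reduced model.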

# Native identity provider (IdP) federation for Amazon Redshift
<a name="redshift-iam-access-control-native-idp"></a>

Managing identities and permissions for Amazon Redshift is made easier with native identity provider federation because it leverages your existing identity provider to simplify authentication and managing permissions. It does this by making it possible to share identity metadata to Redshift from your identity provider. For the first iteration of this feature, the supported identity provider is [Microsoft Azure Active Directory (Azure AD)](https://azure.microsoft.com/en-us/services/active-directory/). 

To configure Amazon Redshift so it can authenticate identities from the third-party identity provider, you register the identity provider with Amazon Redshift. Doing this enables Redshift to authenticate users and roles defined by the identity provider. Thus you can avoid having to perform granular identity management in both your third-party identity provider and in Amazon Redshift, because identity information is shared.

For information about using session roles that are transferred from identity provider (IdP) groups, see [PG_GET_SESSION_ROLES](https://docs.aws.amazon.com/redshift/latest/dg/PG_GET_SESSION_ROLES.html) in the *Amazon Redshift Database Developer Guide*.

## Native identity provider (IdP) federation
<a name="redshift-iam-access-control-native-idp-login"></a>

To complete the preliminary setup between the identity provider and Amazon Redshift, you perform a few steps. First, you register Amazon Redshift as a third-party application with your identity provider, requesting the necessary API permissions. Then you create users and groups in the identity provider. Last, you register the identity provider with Amazon Redshift using SQL statements that set authentication parameters unique to the identity provider. As part of registering the identity provider with Redshift, you assign a namespace to make sure users and roles are grouped correctly.

 With the identity provider registered with Amazon Redshift, communication is set up between Redshift and the identity provider. A client can then pass tokens and authenticate to Redshift as an identity provider entity. Amazon Redshift uses the IdP group membership information to map to Redshift roles. If the user doesn't previously exist in Redshift, the user is created. Roles are created that map to identity provider groups, if they don't exist. The Amazon Redshift administrator grants permission on the roles, and users can run queries and perform other database tasks. 

The following steps outline how native identity provider federation works, when a user logs in:

1. When a user logs in using the native IdP option, from the client, the identity provider token is sent from the client to the driver.

1. The user is authenticated. If the user doesn't already exist in Amazon Redshift, a new user is created. Redshift maps the user's identity provider groups to Redshift roles.

1. Permissions are assigned, based on the user's Redshift roles. These are granted to users and roles by an administrator.

1. The user can query Redshift.

## Desktop client tools
<a name="redshift-iam-access-control-native-idp-oauth"></a>

For instructions on how to use native identity provider federation to connect to Amazon Redshift with Power BI, see the blog post [Integrate Amazon Redshift native IdP federation with Microsoft Azure Active Directory (AD) and Power BI](https://aws.amazon.com/blogs/big-data/integrate-amazon-redshift-native-idp-federation-with-microsoft-azure-ad-and-power-bi/). It describes a step-by-step implementation of the Amazon Redshift native IdP setup with Azure AD. It details the steps to set up the client connection for either Power BI Desktop or the Power BI service. The steps include application registration, configuring permissions, and configuring credentials.

To learn how to integrate Amazon Redshift native IdP federation with Azure AD, using Power BI Desktop and JDBC Client-SQL Workbench/J, watch the following video:

[![AWS Videos](http://img.youtube.com/vi/S3MQLvZ-NiI/0.jpg)](https://www.youtube.com/watch?v=S3MQLvZ-NiI)


For instructions on how to use native identity provider federation to connect to Amazon Redshift with a SQL client, specifically DBeaver or SQL Workbench/J, see the blog post [Integrate Amazon Redshift native IdP federation with Microsoft Azure AD using a SQL client](https://aws.amazon.com/blogs/big-data/integrate-amazon-redshift-native-idp-federation-with-microsoft-azure-ad-using-a-sql-client/).

## Limitations
<a name="redshift-iam-access-control-idp-connect-limitations"></a>

These limitations apply:
+ Amazon Redshift drivers support `BrowserIdcAuthPlugin` starting from the following versions:
  + Amazon Redshift JDBC driver v2.1.0.30
  + Amazon Redshift ODBC driver v2.1.3
  + Amazon Redshift Python driver v2.1.3
+ Amazon Redshift drivers support `IdpTokenAuthPlugin` starting from the following versions:
  + Amazon Redshift JDBC driver v2.1.0.19
  + Amazon Redshift ODBC driver v2.0.0.9
  + Amazon Redshift Python driver v2.0.914
+ **No support for enhanced VPC** – Enhanced VPC isn't supported when you configure Redshift trusted identity propagation with AWS IAM Identity Center. For more information about enhanced VPC, see [Enhanced VPC routing in Amazon Redshift](https://docs.aws.amazon.com/redshift/latest/mgmt/enhanced-vpc-routing.html).
+ **AWS IAM Identity Center caching** – AWS IAM Identity Center caches session information. This might cause unpredictable access issues when you attempt to connect to your Redshift database via Redshift query editor v2. This is because the associated AWS IAM Identity Center session in query editor v2 remains valid, even in a case where the database user is signed out of the AWS console. The cache expires after one hour, which typically remediates any issues.

# Setting up the identity provider on Amazon Redshift
<a name="redshift-iam-access-control-native-idp-setup"></a>

This section shows the steps to configure the identity provider and Amazon Redshift to establish communication for native identity provider federation. You need an active account with your identity provider. Prior to configuring Amazon Redshift, you register Redshift as an application with your identity provider, granting administrator consent.

Complete the following steps in Amazon Redshift:

1. You run a SQL statement to register the identity provider, including descriptions of the Azure application metadata. To create the identity provider in Amazon Redshift, run the following command after replacing the parameter values *issuer*, *client_id*, *client_secret*, and *audience*. These parameters are specific to Microsoft Azure AD. Replace the identity provider name with a name of your choosing, and replace the namespace with a unique name to contain users and roles from your identity provider directory.

   ```
   CREATE IDENTITY PROVIDER oauth_standard TYPE azure
   NAMESPACE 'aad'
   PARAMETERS '{
   "issuer":"https://sts.windows.net/2sdfdsf-d475-420d-b5ac-667adad7c702/",
   "client_id":"<client_id>",
   "client_secret":"BUAH~ewrqewrqwerUUY^%tHe1oNZShoiU7",
   "audience":["https://analysis.windows.net/powerbi/connector/AmazonRedshift"]
   }';
   ```

   The type `azure` indicates that the provider specifically facilitates communication with Microsoft Azure AD. This is currently the only supported third-party identity provider.
   + *issuer* - The issuer ID to trust when a token is received. The unique identifier for the *tenant_id* is appended to the issuer.
   + *client_id* - The unique, public identifier of the application registered with the identity provider. This can be referred to as the application ID.
   + *client_secret* - A secret identifier, or password, known only to the identity provider and the registered application.
   + *audience* - The Application ID that is assigned to the application in Azure.

   

   Instead of using a shared client secret, you can set parameters to specify a certificate, a private key, and a private key password when you create the identity provider.

   ```
   CREATE IDENTITY PROVIDER example_idp TYPE azure 
   NAMESPACE 'example_aad' 
   PARAMETERS '{"issuer":"https://sts.windows.net/2sdfdsf-d475-420d-b5ac-667adad7c702/", 
   "client_id":"<client_id>", 
   "audience":["https://analysis.windows.net/powerbi/connector/AmazonRedshift"], 
   "client_x5t":"<certificate thumbprint>", 
   "client_pk_base64":"<private key in base64 encoding>", 
   "client_pk_password":"test_password"}';
   ```

   The private key password, *client_pk_password*, is optional.

1. Optional: Run SQL commands in Amazon Redshift to pre-create users and roles. This facilitates granting permissions in advance. The role name in Amazon Redshift is like the following: *<Namespace>:<GroupName on Azure AD>*. For example, when you create a group in Microsoft Azure AD called `rsgroup` and a namespace called `aad`, the role name is `aad:rsgroup`. The user and role names in Amazon Redshift are defined from these user names and group memberships in the identity provider namespace.

   The mapping for roles and users includes verifying their `external_id` value, to ensure it's up to date. The external ID maps to the identifier of the group or user in the identity provider. For example, a role's external ID maps to the corresponding Azure AD group ID. Similarly, each user's external ID maps to their ID in the identity provider.

   ```
   create role "aad:rsgroup";
   ```

1. Grant relevant permissions to roles per your requirements. For example:

   ```
   GRANT SELECT on all tables in schema public to role "aad:rsgroup";
   ```

1. You can also grant permissions to a specific user.

   ```
   GRANT SELECT ON TABLE foo TO "aad:alice@example.com";
   ```

   Note that a federated external user's role membership is available only in that user's session. This has implications for creating database objects. When a federated external user creates any view or stored procedure, for instance, the same user can't delegate permission of those objects to other users and roles.

**An explanation of namespaces**

A namespace maps a user or role to a specific identity provider. For example, the prefix for users created in AWS IAM is `iam:`. This prefix prevents user name collisions and makes support for multiple identity stores possible. If a user alice@example.com from the identity source registered with *aad* namespace logs in, the user `aad:alice@example.com` is created in Redshift if it doesn't already exist. Note that a user and role namespace has a different function than an Amazon Redshift cluster namespace, which is a unique identifier associated with a cluster.

# Automatically creating Amazon Redshift roles for identity providers
<a name="redshift-iam-access-control-native-idp-autocreate"></a>

This feature allows you to automatically create roles in Redshift based on group membership from your Identity Provider (IdP). Auto-creating roles supports the Azure Active Directory with the native IdP integration.

There are several benefits to auto-creating roles. When you auto-create a role, Redshift creates the role with group membership in your IdP, so you can avoid tedious manual role creation and maintenance. You also have the option to filter which groups are mapped to Redshift roles.

## How it works
<a name="sso-autocreate-overview"></a>

When you, as an IdP user, log in to Redshift, the following sequence of events happens:

1. Redshift retrieves your group memberships from the IdP.

1. Redshift automatically creates roles mapping to those groups, with the role format `idp_namespace:rolename`. 

1. Redshift grants you permissions with the mapped roles. 

On each user login, every group the user belongs to that does not yet have a role in the catalog is auto-created. You can optionally set include and exclude filters to control which IdP groups have Redshift roles created.

## Configuring auto-create roles
<a name="sso-autocreate-configuring"></a>

Use the `CREATE IDENTITY PROVIDER` and `ALTER IDENTITY PROVIDER` commands to enable and configure automatic role creation.

```
-- Create a new IdP with auto role creation enabled
CREATE IDENTITY PROVIDER <idp_name> TYPE azure
  NAMESPACE '<namespace>' 
  APPLICATION_ARN 'app_arn'
  IAM_ROLE 'role_arn'
  AUTO_CREATE_ROLES TRUE; 

-- Enable on existing IdP 
ALTER IDENTITY PROVIDER <idp_name>
  AUTO_CREATE_ROLES TRUE;

-- Disable  
ALTER IDENTITY PROVIDER <idp_name>
  AUTO_CREATE_ROLES FALSE;
```

## Filtering groups
<a name="sso-autocreate-filtering"></a>

You can optionally filter which IdP groups are mapped to Redshift roles using `INCLUDE` and `EXCLUDE` patterns. When patterns conflict, `EXCLUDE` takes precedence over `INCLUDE`.

```
-- Only create roles for groups with 'dev' 
CREATE IDENTITY PROVIDER <idp_name> TYPE azure
  ...
  AUTO_CREATE_ROLES TRUE
  INCLUDE GROUPS LIKE '%dev%';
    
-- Exclude 'test' groups
ALTER IDENTITY PROVIDER <idp_name> 
  AUTO_CREATE_ROLES TRUE
  EXCLUDE GROUPS LIKE '%test%';
```

## Examples
<a name="sso-autocreate-filtering"></a>

The following example shows how to turn on auto-create roles with no filtering.

```
CREATE IDENTITY PROVIDER prod_idc TYPE azure ...
  AUTO_CREATE_ROLES TRUE;
```

The following example includes development groups and excludes test groups.

```
ALTER IDENTITY PROVIDER prod_idc
  AUTO_CREATE_ROLES TRUE
  INCLUDE GROUPS LIKE '%dev%'
  EXCLUDE GROUPS LIKE '%test%';
```
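
Before turning on `AUTO_CREATE_ROLES` with the filters shown in the sections above, it helps to see which `namespace:group` roles a login would actually add to the catalog, and in particular that a group matching both patterns (such as one named `dev-test`) is excluded. The following Python script is an added example, not Redshift's own code; it assumes the filters use the SQL `LIKE` wildcards `%` and `_`, that matching is case-sensitive as Redshift `LIKE` is, and that `EXCLUDE` takes precedence over `INCLUDE` as stated above. The group names and the pre-existing `aad:dev-analytics` role are constructed sample data.

```python
import re
from typing import Dict, Iterable, List, Optional

# Added example, not Redshift's own code: an offline model of which roles
# AUTO_CREATE_ROLES would create at one login from a user's IdP groups, with the
# INCLUDE / EXCLUDE GROUPS LIKE filters applied. Assumed here: the filters use
# the SQL LIKE wildcards % (any run) and _ (one character), match
# case-sensitively as Redshift LIKE does, and EXCLUDE wins over INCLUDE.


def like_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a SQL LIKE pattern into a regex intended for fullmatch()."""
    rx = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.compile(rx)


def plan_roles(namespace: str, idp_groups: Iterable[str], existing_roles: Iterable[str],
               include: Optional[str] = None, exclude: Optional[str] = None) -> Dict[str, str]:
    """Classify each IdP group for one login: 'exists', 'excluded', 'not-included' or 'create'.

    Useful before enabling AUTO_CREATE_ROLES, to see what a login would add to
    the catalog, and afterwards when auditing which roles came from which groups.
    """
    existing = set(existing_roles)
    inc = like_to_regex(include) if include else None
    exc = like_to_regex(exclude) if exclude else None
    plan: Dict[str, str] = {}
    for group in idp_groups:
        role = f"{namespace}:{group}"  # role format idp_namespace:rolename
        if role in existing:
            plan[group] = "exists"  # already in the catalog, nothing to create
        elif exc is not None and exc.fullmatch(group):
            plan[group] = "excluded"  # EXCLUDE wins even when INCLUDE also matches
        elif inc is not None and not inc.fullmatch(group):
            plan[group] = "not-included"
        else:
            plan[group] = "create"
    return plan


def roles_to_create(namespace: str, idp_groups: Iterable[str], existing_roles: Iterable[str],
                    include: Optional[str] = None, exclude: Optional[str] = None) -> List[str]:
    """Sorted list of the namespaced roles a login with these groups would create."""
    plan = plan_roles(namespace, idp_groups, existing_roles, include, exclude)
    return sorted(f"{namespace}:{g}" for g, decision in plan.items() if decision == "create")


# Constructed sample: the groups of one user in the "aad" namespace from this
# page, with a role for dev-analytics already created by an earlier login.
SAMPLE_GROUPS = ["dev-analytics", "dev-test", "finance", "ops-dev"]
SAMPLE_EXISTING = {"aad:dev-analytics"}

if __name__ == "__main__":
    # Filters from the second example above: INCLUDE '%dev%', EXCLUDE '%test%'.
    for group, decision in plan_roles("aad", SAMPLE_GROUPS, SAMPLE_EXISTING,
                                      include="%dev%", exclude="%test%").items():
        print(f"{group:14} -> {decision}")
    print(roles_to_create("aad", SAMPLE_GROUPS, SAMPLE_EXISTING, "%dev%", "%test%"))
```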

## Best practices
<a name="sso-autocreate-bp"></a>

Consider the following best practices when you enable auto-create for roles:
+ Use `INCLUDE` and `EXCLUDE` filters to control which groups get roles.
+ Periodically audit roles and clean up unused ones.
+ Leverage Redshift role hierarchies to simplify permission management.

# Connect Redshift with AWS IAM Identity Center for a single sign-on experience
<a name="redshift-iam-access-control-idp-connect"></a>

You can manage user and group access to Amazon Redshift data warehouses through trusted-identity propagation.

[Trusted identity propagation](https://docs.aws.amazon.com//singlesignon/latest/userguide/trustedidentitypropagation-overview.html) is an AWS IAM Identity Center feature that administrators of connected AWS services can use to grant and audit access to service data. Access to this data is based on user attributes such as group associations. Setting up trusted identity propagation requires collaboration between the administrators of connected AWS services and the IAM Identity Center administrators. For more information, see [Prerequisites and considerations](https://docs.aws.amazon.com//singlesignon/latest/userguide/trustedidentitypropagation-overall-prerequisites.html).

To illustrate one end-to-end case, you can use an Amazon Quick dashboard or Amazon Redshift query editor v2 to access Redshift. Access in this case is based on AWS IAM Identity Center groups. Redshift can determine who a user is and their group memberships. AWS IAM Identity Center also makes it possible to connect and manage identities through a third-party identity provider (IdP) like Okta or PingOne.

After your administrator sets up the connection between Redshift and AWS IAM Identity Center, they can configure fine-grained access based on identity-provider groups to authorize user access to data.

**Important**  
When you delete a user from an AWS IAM Identity Center or a connected identity provider (IdP) directory, the user is not automatically deleted from the Amazon Redshift catalog. To manually delete the user from the Amazon Redshift catalog, run the `DROP USER` command to fully delete the user that was removed from an AWS IAM Identity Center or IdP. For more information about how to drop a user, see [DROP USER](https://docs.aws.amazon.com/redshift/latest/dg/r_DROP_USER.html) in the *Amazon Redshift Database Developer Guide*.

## Benefits of Redshift integration with AWS IAM Identity Center
<a name="redshift-iam-access-control-idp-connect-benefits"></a>

Using AWS IAM Identity Center with Redshift can benefit your organization in the following ways:
+  Dashboard authors in Amazon Quick can connect to Redshift data sources without having to re-enter passwords or requiring an administrator to set up IAM roles with complex permissions. 
+  AWS IAM Identity Center provides a central location for your workforce users in AWS. You can create users and groups directly in AWS IAM Identity Center or connect existing users and groups that you manage in a standards-based identity provider like Okta, PingOne, or Microsoft Entra ID (Azure AD). AWS IAM Identity Center directs authentication to your chosen source of truth for users and groups, and it maintains a directory of users and groups for access by Redshift. For more information, see [Manage your identity source](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source.html) and [Supported identity providers](https://docs.aws.amazon.com/singlesignon/latest/userguide/supported-idps.html) in the *AWS IAM Identity Center User Guide*. 
+ You can share one AWS IAM Identity Center instance with multiple Redshift clusters and workgroups with a simple auto-discovery and connect capability. This makes it fast to add clusters without the extra effort of configuring the AWS IAM Identity Center connection for each, and it ensures that all clusters and workgroups have a consistent view of users, their attributes, and groups. Note that your organization's AWS IAM Identity Center instance must be in the same region as any Redshift datashares you're connecting to.
+ Because user identities are known and logged along with data access, it's easier for you to meet compliance regulations through auditing user access in AWS CloudTrail.

## Administrator personas for connecting applications
<a name="redshift-iam-access-control-idp-personas"></a>

The following are personas that are key to connecting analytics applications to the AWS IAM Identity Center managed application for Redshift:
+ **Application administrator** – Creates an application and configures which services it will enable identity-token exchanges with. This administrator also specifies which users or groups have access to the application.
+ **Data administrator** – Configures fine-grained access to data. Users and groups in AWS IAM Identity Center can map to specific permissions.

## Connecting to Amazon Redshift with AWS IAM Identity Center through Amazon Quick
<a name="redshift-iam-access-control-idp-connect-qs"></a>

The following shows how to use Quick to authenticate with Redshift when it's connected to and access is managed through AWS IAM Identity Center: [Authorizing connections from Quick to Amazon Redshift clusters](https://docs.aws.amazon.com/quick/latest/userguide/enabling-access-redshift.html). These steps apply to Amazon Redshift Serverless too.

## Connecting to Amazon Redshift with AWS IAM Identity Center through Amazon Redshift query editor v2
<a name="redshift-iam-access-control-idp-connect-qe"></a>

Upon completing the steps to set up an AWS IAM Identity Center connection with Redshift, the user can access the database and appropriate objects in the database through their AWS IAM Identity Center-based, namespace-prefixed identity. For more information about connecting to Redshift databases with query editor v2 sign-in, see [Querying a database using the Amazon Redshift query editor v2](query-editor-v2.md).



## Using AWS IAM Identity Center across multiple AWS Regions
<a name="redshift-iam-access-control-idp-connect-multi-region"></a>

Amazon Redshift supports AWS IAM Identity Center in multiple AWS Regions. You can extend AWS IAM Identity Center from your primary AWS Region to additional Regions for improved performance through proximity to users and reliability. When a new Region is added in AWS IAM Identity Center, you can create Redshift IAM Identity Center applications in the new Region without replicating identities from the primary Region. You can set up Amazon Redshift federated permissions using AWS IAM Identity Center in the new Region where you can enable row-level, column-level, and masking controls. For more details to get started with AWS IAM Identity Center in multiple Regions, see [Manage AWS IAM Identity Center in multiple AWS Regions](https://docs.aws.amazon.com/singlesignon/latest/userguide/multi-region-iam-identity-center.html) in the *AWS IAM Identity Center User Guide*.

## Limitations for connecting to Amazon Redshift with AWS IAM Identity Center
<a name="redshift-iam-access-control-idp-connect-limitations"></a>

When using AWS IAM Identity Center single sign-on, consider the following limitation:


+  **No support for enhanced VPC** – Enhanced VPC isn't supported when you use AWS IAM Identity Center single sign-on for Amazon Redshift. For more information about enhanced VPC, see [Enhanced VPC routing in Amazon Redshift](https://docs.aws.amazon.com/redshift/latest/mgmt/enhanced-vpc-routing.html). 

# Setting up AWS IAM Identity Center integration with Amazon Redshift
<a name="redshift-iam-access-control-idp-connect-console"></a>

Your Amazon Redshift cluster administrator or Amazon Redshift Serverless administrator must perform several steps to configure Redshift as an AWS IAM Identity Center enabled application. This makes it so Redshift can discover and connect to AWS IAM Identity Center automatically to receive sign-in and user directory services. After this, when your Redshift administrator creates a cluster or workgroup, they can enable the new data warehouse to use AWS IAM Identity Center to manage database access.

The point of enabling Redshift as an AWS IAM Identity Center managed application is so you can control user and group permissions from within AWS IAM Identity Center, or from a third-party identity provider that's integrated with it. When your database users sign in to a Redshift database, for example an analyst or a data scientist, it checks their groups in AWS IAM Identity Center and these match up with role names in Redshift. In this manner, a group that defines the name for a Redshift database role can access a set of tables for sales analytics, for example. The sections that follow show how to set this up.

## Prerequisites
<a name="redshift-iam-access-control-idp-connect-prerequisites"></a>

These are the prerequisites for integrating AWS IAM Identity Center with Amazon Redshift:
+ *Account configuration* – You must configure AWS IAM Identity Center in your AWS organization's management account if you plan to have cross-account use cases, or if you use Redshift clusters in different accounts with the same AWS IAM Identity Center instance. This includes configuring your identity source. For more information, see [Getting Started](https://docs.aws.amazon.com/singlesignon/latest/userguide/getting-started.html), [workforce identities](https://docs.aws.amazon.com/singlesignon/latest/userguide/identities.html), and [supported identity providers](https://docs.aws.amazon.com/singlesignon/latest/userguide/supported-idps.html) in the *AWS IAM Identity Center User Guide*. You must ensure that you have created users or groups in AWS IAM Identity Center, or synchronized users and groups from your identity source before you can assign them to data in Redshift.
**Note**  
You have an option to use an account instance of AWS IAM Identity Center, provided that Redshift and AWS IAM Identity Center are in the same account. You can create this instance using a widget when you create and configure a Redshift cluster or workgroup.
+ *Configuring a trusted token issuer* – In some cases, you need a trusted token issuer, which is an entity that can issue and verify trust tokens. Before the Redshift administrator who configures AWS IAM Identity Center integration can select the trusted token issuer and add the necessary attributes to complete the configuration, preliminary steps are required. These can include configuring an external identity provider to serve as a trusted token issuer and adding its attributes in the AWS IAM Identity Center console. To complete these steps, see [Using applications with a trusted token issuer](https://docs.aws.amazon.com/singlesignon/latest/userguide/using-apps-with-trusted-token-issuer.html#setuptrustedtokenissuer).
**Note**  
Setting up a trusted token issuer isn't required for all external connections. Connecting to your Redshift database with Amazon Redshift query editor v2 doesn't require trusted-token issuer configuration. But it can apply for third-party applications such as dashboards or custom applications that authenticate with your identity provider.
+ *Configuring an IAM role or roles* – The sections that follow mention permissions that must be configured. You will have to add permissions per IAM best practices. Specific permissions are detailed in the procedures that follow. 

For more information, see [Getting Started with AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/get-started-enable-identity-center.html).

## Configuring your identity provider to work with AWS IAM Identity Center
<a name="redshift-iam-access-control-idp-connect-admin-config"></a>

The first step in controlling user and group identity management is to connect to AWS IAM Identity Center and configure your identity provider. You can use AWS IAM Identity Center itself as your identity provider, or you can connect a third-party identity store, such as Okta, for instance. For more information about setting up the connection to and configuring your identity provider, see [Connect to an external identity provider](https://docs.aws.amazon.com/singlesignon/latest/userguide/manage-your-identity-source-idp.html) in the *AWS IAM Identity Center user guide*. Make sure at the end of this process that you have a small collection of users and groups added to AWS IAM Identity Center, for test purposes.

### Administrative Permissions
<a name="redshift-iam-access-control-idp-connect-admin-permissions"></a>

#### Permissions required for Redshift/AWS IAM Identity Center application lifecycle management
<a name="redshift-iam-access-control-permissions-application"></a>

You must create an IAM identity, which a Redshift administrator uses to configure Redshift for use with AWS IAM Identity Center. Most commonly, you would create an IAM role with permissions and assign it to other identities as required. It must have the permissions listed to perform the following actions.

**Creating the Redshift/AWS IAM Identity Center application**
+ `sso:PutApplicationAssignmentConfiguration` – Sets the application's assignment configuration, that is, whether users and groups must be explicitly assigned to the application before they can use it.
+ `sso:CreateApplication` – Used to create an AWS IAM Identity Center application.
+ `sso:PutApplicationAuthenticationMethod` – Grants Redshift authentication access.
+ `sso:PutApplicationGrant` – Used to change the trusted token issuer information.
+ `sso:PutApplicationAccessScope` – Sets the access scopes for the Redshift AWS IAM Identity Center application, including those for AWS Lake Formation and for [Amazon S3 Access Grants](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-grants-get-started.html).
+ `redshift:CreateRedshiftIdcApplication` – Used to create the Redshift AWS IAM Identity Center application.

**Describing the Redshift/AWS IAM Identity Center application**
+ `sso:GetApplicationGrant` – Used to list trusted token issuer information.
+ `sso:ListApplicationAccessScopes` – For Redshift AWS IAM Identity Center application setup to list downstream integrations, such as for AWS Lake Formation and S3 Access Grants.
+ `redshift:DescribeRedshiftIdcApplications` – Used to describe existing AWS IAM Identity Center applications.

**Changing the Redshift/AWS IAM Identity Center application**
+ `redshift:ModifyRedshiftIdcApplication` – Used to change an existing Redshift application.
+ `sso:UpdateApplication` – Used to update an AWS IAM Identity Center application.
+ `sso:GetApplicationGrant` – Gets the trusted token issuer information.
+ `sso:ListApplicationAccessScopes` – Lists the access scopes configured for the Redshift AWS IAM Identity Center application.
+ `sso:DeleteApplicationGrant` – Deletes the trusted token issuer information.
+ `sso:PutApplicationGrant` – Used to change the trusted token issuer information.
+ `sso:PutApplicationAccessScope` – Sets the access scopes for the Redshift AWS IAM Identity Center application, including those for AWS Lake Formation and for [Amazon S3 Access Grants](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-grants-get-started.html).
+ `sso:DeleteApplicationAccessScope` – Removes access scopes from the Redshift AWS IAM Identity Center application, including those for AWS Lake Formation and for [Amazon S3 Access Grants](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-grants-get-started.html).

**Deleting the Redshift/AWS IAM Identity Center application**
+ `sso:DeleteApplication` – Used to delete an AWS IAM Identity Center application.
+ `redshift:DeleteRedshiftIdcApplication` – Gives the ability to delete an existing Redshift AWS IAM Identity Center application.

#### Permissions required for Redshift/query editor v2 application lifecycle management
<a name="redshift-iam-access-control-permissions-application-qev2"></a>

You must create an IAM identity, which a Redshift administrator uses to configure Redshift for use with AWS IAM Identity Center. Most commonly, you would create an IAM role with permissions and assign it to other identities as required. It must have the permissions listed to perform the following actions.

**Creating the query editor v2 application**
+ `redshift:CreateQev2IdcApplication` – Used to create the QEV2 application.
+ `sso:CreateApplication` – Gives the ability to create an AWS IAM Identity Center application.
+ `sso:PutApplicationAuthenticationMethod` – Grants Redshift authentication access.
+ `sso:PutApplicationGrant` – Used to change the trusted token issuer information.
+ `sso:PutApplicationAccessScope` – For Redshift AWS IAM Identity Center application setup. This includes query editor v2.
+ `sso:PutApplicationAssignmentConfiguration` – Sets the application's assignment configuration, that is, whether users and groups must be explicitly assigned to the application before they can use it.

**Describe the query editor v2 application**
+ `redshift:DescribeQev2IdcApplications` – Used to describe the AWS IAM Identity Center QEV2 application.

**Change the query editor v2 application**
+ `redshift:ModifyQev2IdcApplication` – Used to change the AWS IAM Identity Center QEV2 application.
+ `sso:UpdateApplication` – Used to change the AWS IAM Identity Center QEV2 application.

**Delete the query editor v2 application**
+ `redshift:DeleteQev2IdcApplication` – Used to delete the QEV2 application.
+ `sso:DeleteApplication` – Used to delete the QEV2 application.

**Note**  
In the Amazon Redshift SDK, the following APIs aren't available:  
+ `CreateQev2IdcApplication`
+ `DescribeQev2IdcApplications`
+ `ModifyQev2IdcApplication`
+ `DeleteQev2IdcApplication`

These actions are specific to performing AWS IAM Identity Center integration with Redshift QEV2 in the AWS console. For more information, see [Actions defined by Amazon Redshift](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonredshift.html#amazonredshift-actions-as-permissions). 

#### Permissions required for the database administrator to connect new resources in the console
<a name="redshift-iam-access-control-permissions-application-new-resources"></a>

These permissions are required to connect new provisioned clusters or Amazon Redshift Serverless workgroups during the creation process. If you have these permissions, a selection appears in the console to choose to connect to the AWS IAM Identity Center managed application for Redshift.
+ `redshift:DescribeRedshiftIdcApplications`
+ `sso:ListApplicationAccessScopes`
+ `sso:GetApplicationAccessScope`
+ `sso:GetApplicationGrant`

As a best practice, we recommend attaching permissions policies to an IAM role and then assigning it to users and groups as needed. For more information, see [Identity and access management in Amazon Redshift](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-authentication-access-control.html).

## Setting up Redshift as an AWS managed application with AWS IAM Identity Center
<a name="redshift-iam-access-control-idp-connect-admin-tasks"></a>

Before AWS IAM Identity Center can manage identities for an Amazon Redshift provisioned cluster or an Amazon Redshift Serverless workgroup, the Redshift administrator must complete the steps to make Redshift an AWS IAM Identity Center managed application:

1. Select **AWS IAM Identity Center integration** in the Amazon Redshift or Amazon Redshift Serverless console menu, and then select **Connect to AWS IAM Identity Center**. From there you step through a series of selections to populate the properties for AWS IAM Identity Center integration.

1. Choose a display name and a unique name for Redshift's AWS IAM Identity Center-managed application.

1. Specify the namespace for your organization. This is typically an abbreviated version of your organization's name. It's added as a prefix for your AWS IAM Identity Center-managed users and roles in the Redshift database.

1. Select an IAM role to use. This IAM role should be separate from others used for Redshift, and we recommend that it isn't used for other purposes. The specific policy permissions required are the following:
   + `sso:DescribeApplication` – Required to create an identity provider (IdP) entry in the catalog.
   + `sso:DescribeInstance` – Used to manually create IdP federated roles or users.

1. Configure client connections and trusted token issuers. Configuring trusted token issuers facilitates trusted identity propagation by setting up a relationship with an external identity provider. Identity propagation makes it possible for a user, for example, to sign into one application and access specific data in another application. This allows users to gather data from disparate locations more seamlessly. At this step, in the console, you set attributes for each trusted token issuer. The attributes include the name and the audience claim (or *aud claim*), which you might have to get from the tool's or service's configuration attributes. You might also need to supply the application name from the third-party tool's JSON Web Token (JWT).
**Note**  
The *aud* claim required from each third-party tool or service can vary based on the token type, which can be an access token issued by an identity provider or another type, such as an ID token. Each vendor can be different. When you're implementing trusted-identity propagation and integrating with Redshift, you must supply the correct *aud* value for the token type that the third-party tool sends to AWS. Check the recommendations of your tool or service vendor.

   For detailed information regarding trusted-identity propagation, see [Trusted identity propagation overview](https://docs.aws.amazon.com/singlesignon/latest/userguide/trustedidentitypropagation-overview.html) in the *AWS IAM Identity Center User Guide*. 

After the Redshift administrator finishes the steps and saves the configuration, the AWS IAM Identity Center properties appear in the Redshift console. You can also query the system view [SVV\_IDENTITY\_PROVIDERS](https://docs.aws.amazon.com/redshift/latest/dg/r_SVV_IDENTITY_PROVIDERS.html) to verify the application's properties. These include the application name and the namespace. You use the namespace as a prefix for Redshift database objects that are associated with the application. Completing these tasks makes Redshift an AWS IAM Identity Center enabled application. The properties in the console include the integration status, which says **Enabled** when the integration is complete. After this process, AWS IAM Identity Center integration can be enabled on each new cluster.

After configuration, you can include users and groups from AWS IAM Identity Center in Redshift by choosing the **Users** or **Groups** tab and choosing **Assign**.

## Enabling AWS IAM Identity Center integration for a new Amazon Redshift cluster or Amazon Redshift Serverless workgroup
<a name="redshift-iam-access-control-idp-connect-resource-creation"></a>

Your database administrator configures new Redshift resources to work with AWS IAM Identity Center to make sign-in and data access easier. This is performed as part of the steps to create a provisioned cluster or a Serverless workgroup. Anyone with permissions to create Redshift resources can perform these AWS IAM Identity Center integration tasks. When you create a provisioned cluster, you start by choosing **Create Cluster** in the Amazon Redshift console. The steps that follow show how to enable AWS IAM Identity Center management for a database. (They don't include all of the steps to create a cluster.)

1. Choose **Enable for <your cluster name>** in the section for **IAM Identity Center integration** in the create-cluster steps.

1. Then turn on the integration by choosing **Enable IAM Identity Center integration** in the console.

1. For the new cluster or workgroup, create database roles in Redshift using SQL commands. The following is the command:

   ```
   CREATE ROLE "<idcnamespace>:<rolename>";
   ```

   The colon isn't valid in an unquoted identifier, so the role name must be double-quoted. The namespace and role name are the following: 
   + *IAM Identity Center namespace prefix* – This is the namespace you defined when you set up the connection between AWS IAM Identity Center and Redshift.
   + *Role name* – This Redshift database role must match the group name in AWS IAM Identity Center exactly.

   Redshift connects with AWS IAM Identity Center and fetches the information needed to create and map the database role to the AWS IAM Identity Center group.

Note that when a new data warehouse is created, the IAM role specified for AWS IAM Identity Center integration is automatically attached to the provisioned cluster or Amazon Redshift Serverless workgroup. After you finish entering the required cluster metadata and create the resource, you can check the status for AWS IAM Identity Center integration in the properties. If your group names in AWS IAM Identity Center have spaces, it's required to use quotes in SQL when you create the matching role.
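The following SQL is an added example, not code from the original page or from AWS: it creates the database roles that Identity Center groups map to, grants them least-privilege access, and verifies the result through system views. It assumes the application namespace is `MYCO`, that the Identity Center groups are named `sales`, `Sales Analysts` and `finance`, and that a `sales` schema already exists; all of those names are placeholders.

```sql
-- Added example (not from the original page). Assumed namespace: MYCO.
-- Assumed Identity Center groups: sales, "Sales Analysts", finance.

-- The colon in the role name, and any space in a group name, means the
-- identifier must be double-quoted. The part after the colon must match
-- the Identity Center group name exactly, or sign-in won't map to the role.
CREATE ROLE "MYCO:sales";
CREATE ROLE "MYCO:Sales Analysts";
CREATE ROLE "MYCO:finance";

-- Grant only what each group needs. Use TO ROLE so the privilege attaches
-- to the role; without the ROLE keyword the grant targets a user of that name.
GRANT USAGE ON SCHEMA sales TO ROLE "MYCO:sales";
GRANT SELECT ON ALL TABLES IN SCHEMA sales TO ROLE "MYCO:sales";

-- Role hierarchy: analysts inherit the sales role instead of duplicate grants.
GRANT ROLE "MYCO:sales" TO ROLE "MYCO:Sales Analysts";

-- Verify the mapping Redshift fetched from Identity Center. external_id is
-- populated only for roles bound to an identity-provider group; a role with
-- a NULL external_id did not match any group and will never be assumed.
SELECT role_name, external_id
FROM svv_roles
WHERE role_name LIKE 'MYCO:%';

-- Verify the effective privileges on the schema, by identity and type.
SELECT namespace_name, identity_name, identity_type, privilege_type
FROM svv_schema_privileges
WHERE namespace_name = 'sales';
```

Run the two `SELECT` statements again after an Identity Center user from each group signs in; a role that still shows a NULL `external_id` usually means the group name differs from the role name by case or whitespace.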

After you enable integration for the data warehouse and create roles, you are ready to connect to the database with Amazon Redshift query editor v2 or Amazon Quick. The details are explained further in the sections that follow.

### Setting up the default `RedshiftIdcApplication` using the API
<a name="redshift-iam-access-control-idp-connect-admin-config-api"></a>

Setup is performed by your identity administrator. Using the API, you create and populate a `RedshiftIdcApplication`, which represents the Redshift application within AWS IAM Identity Center.

1. To start, you can create users and add them to groups in AWS IAM Identity Center. You do this in the AWS console for AWS IAM Identity Center.

1. Call `create-redshift-idc-application` to create an AWS IAM Identity Center application and make it compatible with Redshift usage. You create the application by populating the required values. The display name is the name shown on the AWS IAM Identity Center dashboard. The IAM role ARN is the ARN of an IAM role that has the required AWS IAM Identity Center permissions and whose trust policy allows Redshift to assume it.

   ```
   aws redshift create-redshift-idc-application \
     --idc-instance-arn 'arn:aws:sso:::instance/ssoins-1234a01a1b12345d' \
     --identity-namespace 'MYCO' \
     --idc-display-name 'TEST-NEW-APPLICATION' \
     --iam-role-arn 'arn:aws:iam::012345678901:role/TestRedshiftRole' \
     --redshift-idc-application-name 'myredshiftidcapplication'
   ```

   The following example shows a sample `RedshiftIdcApplication` response that's returned from the call to `create-redshift-idc-application`.

   ```
   "RedshiftIdcApplication": {
       "IdcInstanceArn": "arn:aws:sso:::instance/ssoins-1234a01a1b12345d",
       "RedshiftIdcApplicationName": "myredshiftidcapplication",
       "RedshiftIdcApplicationArn": "arn:aws:redshift:us-east-1:012345678901:redshiftidcapplication:12aaa111-3ab2-3ab1-8e90-b2d72aea588b",
       "IdentityNamespace": "MYCO",
       "IdcDisplayName": "TEST-NEW-APPLICATION",
       "IamRoleArn": "arn:aws:iam::012345678901:role/TestRedshiftRole",
       "IdcManagedApplicationArn": "arn:aws:sso::012345678901:application/ssoins-1234a01a1b12345d/apl-12345678910",
       "IdcOnboardStatus": "Completed",
       "AuthorizedTokenIssuerList": [
           {
               "TrustedTokenIssuerArn": ...,
               "AuthorizedAudiencesList": [...]
           }
       ]
   }
   ```

1. You can use `create-application-assignment` to assign particular groups or individual users to the managed application in AWS IAM Identity Center. By doing this, you can specify groups to manage through AWS IAM Identity Center. If the database administrator creates database roles in Redshift, group names in AWS IAM Identity Center map to the role names in Redshift. The roles control permissions in the database. For more information, see [Assign user access to applications in the AWS IAM Identity Center console](https://docs.aws.amazon.com/singlesignon/latest/userguide/assignuserstoapp.html).

1. After you enable the application, call `create-cluster` and include the Redshift managed application ARN from AWS IAM Identity Center. Doing this associates the cluster with the managed application in AWS IAM Identity Center.

### Associating an AWS IAM Identity Center application with an existing cluster or workgroup
<a name="redshift-iam-access-control-idp-connect-admin-config-existing"></a>

If you have an existing cluster or workgroup that you would like to enable for AWS IAM Identity Center integration, you can do so by running SQL commands. You can also run SQL commands to change settings for the integration. For more information, see [ALTER IDENTITY PROVIDER](https://docs.aws.amazon.com/redshift/latest/dg/r_ALTER_IDENTITY_PROVIDER.html).

It's also possible to drop an existing identity provider. The following example shows how CASCADE deletes users and roles attached to the identity provider.

```
DROP IDENTITY PROVIDER
<provider_name> [ CASCADE ]
```
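The following SQL is an added example, not code from the original page or from AWS. It registers the Identity Center application on an existing cluster or workgroup with `CREATE IDENTITY PROVIDER`, confirms the registration, and then shows the checks worth running before a `DROP IDENTITY PROVIDER ... CASCADE`, since CASCADE removes every user and role bound to the provider. The provider name `prod_idc`, the namespace `MYCO`, and both ARNs are placeholders.

```sql
-- Added example (not from the original page). Placeholders: prod_idc, MYCO,
-- and both ARNs; substitute the application ARN and IAM role ARN returned
-- when you created the Redshift Identity Center application.
CREATE IDENTITY PROVIDER prod_idc TYPE AWSIDC
  NAMESPACE 'MYCO'
  APPLICATION_ARN 'arn:aws:sso::123456789012:application/ssoins-1234a01a1b12345d/apl-12345678910'
  IAM_ROLE 'arn:aws:iam::123456789012:role/RedshiftIdcRole';

-- Confirm the provider is registered, carries the expected namespace, and is
-- enabled. The namespace shown here is the prefix users and roles will carry.
SELECT name, type, namespc, enabled
FROM svv_identity_providers
WHERE name = 'prod_idc';

-- Before dropping the provider, enumerate exactly what CASCADE would remove:
-- every user and role that carries the provider's namespace prefix.
SELECT 'role' AS kind, role_name AS name
FROM svv_roles
WHERE role_name LIKE 'MYCO:%'
UNION ALL
SELECT 'user', usename
FROM pg_user
WHERE usename LIKE 'MYCO:%';

-- Prefer disabling to dropping: sign-in through the provider stops, but the
-- roles and their grants survive, so the change can be reverted with ENABLE.
ALTER IDENTITY PROVIDER prod_idc DISABLE;

-- Only once the dependent objects listed above are accounted for:
DROP IDENTITY PROVIDER prod_idc CASCADE;
```

Keep the output of the enumeration query with the change record; after a CASCADE drop the grants on those roles are gone and cannot be recovered from the catalog.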

## Setting up user permissions
<a name="redshift-iam-access-control-idp-connect-user-permissions"></a>

An administrator configures permissions to various resources, based on users' identity attributes and group memberships, within their identity provider or within AWS IAM Identity Center directly. For example, the identity-provider administrator can add a database engineer to a group appropriate to their role. This group name maps to a Redshift database role name. The role provides or restricts access to specific tables or views in Redshift.

# Automatically creating Amazon Redshift roles for AWS IAM Identity Center
<a name="redshift-iam-access-control-sso-autocreate"></a>

This feature is an integration with AWS IAM Identity Center that allows you to automatically create roles in Redshift based on group membership.

There are several benefits to auto-creating roles. When you auto-create roles, Redshift creates them from the group memberships in your IdP, so you can avoid tedious manual role creation and maintenance. You also have the option to filter which groups are mapped to Redshift roles with include and exclude patterns.

## How it works
<a name="autocreate-overview"></a>

When you, as an IdP user, log in to Redshift, the following sequence of events happens: 

1. Redshift retrieves your group memberships from the IdP.

1. Redshift automatically creates roles mapping to those groups, with the role format `idp_namespace:rolename`. 

1. Redshift grants you permissions with the mapped roles. 

Upon each user login, each group that the user belongs to but that isn't yet present in the catalog is auto-created. You can optionally set include and exclude filters to control which IdP groups have Redshift roles created.

## Configuring auto-create roles
<a name="autocreate-configuring"></a>

Use the `CREATE IDENTITY PROVIDER` and `ALTER IDENTITY PROVIDER` commands to enable and configure automatic role creation.

```
-- Create a new IdP with auto role creation enabled
CREATE IDENTITY PROVIDER <idp_name> TYPE AWSIDC
  NAMESPACE '<namespace>' 
  APPLICATION_ARN '<application_arn>'
  IAM_ROLE '<iam_role_arn>'
  AUTO_CREATE_ROLES TRUE; 

-- Enable on existing IdP 
ALTER IDENTITY PROVIDER <idp_name>
  AUTO_CREATE_ROLES TRUE;

-- Disable  
ALTER IDENTITY PROVIDER <idp_name>
  AUTO_CREATE_ROLES FALSE;
```

## Filtering groups
<a name="autocreate-filtering"></a>

You can optionally filter which IdP groups are mapped to Redshift roles using `INCLUDE` and `EXCLUDE` patterns. When patterns conflict, `EXCLUDE` takes precedence over `INCLUDE`.

```
-- Only create roles for groups with 'dev' 
CREATE IDENTITY PROVIDER <idp_name> TYPE AWSIDC
  ...
  AUTO_CREATE_ROLES TRUE
  INCLUDE GROUPS LIKE '%dev%';
    
-- Exclude 'test' groups
ALTER IDENTITY PROVIDER <idp_name>  
  AUTO_CREATE_ROLES TRUE
  EXCLUDE GROUPS LIKE '%test%';
```

## Examples
<a name="autocreate-filtering"></a>

The following example shows how to turn on auto-create roles with no filtering.

```
CREATE IDENTITY PROVIDER prod_idc TYPE AWSIDC  ...
  AUTO_CREATE_ROLES TRUE;
```

The following example includes development groups and excludes test groups.

```
ALTER IDENTITY PROVIDER prod_idc
  AUTO_CREATE_ROLES TRUE
  INCLUDE GROUPS LIKE '%dev%'
  EXCLUDE GROUPS LIKE '%test%';
```

## Best practices
<a name="autocreate-bp"></a>

Consider the following best practices when you enable auto-create for roles:
+ Use `INCLUDE` and `EXCLUDE` filters to control which groups get roles.
+ Periodically audit roles and clean up unused ones.
+ Leverage Redshift role hierarchies to simplify permission management.

# Amazon Redshift Integration with Amazon S3 Access Grants
<a name="redshift-iam-access-control-sso-s3idc"></a>

Using integration with Amazon S3 Access Grants, you can seamlessly propagate your IAM Identity Center identities to control access to Amazon S3 data. This integration lets you authorize Amazon S3 data access based on IAM Identity Center users and groups.

For information about Amazon S3 Access Grants, see [Managing access with S3 Access Grants](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-grants.html).

Using Amazon S3 Access Grants gives your application the following benefits:
+ Fine-grained access control to Amazon S3 data, based on IAM Identity Center identities.
+ Centralized management of IAM Identity Center identities across Amazon Redshift and Amazon S3.
+ You can avoid managing separate IAM permissions for Amazon S3 access.

## How it works
<a name="redshift-iam-access-control-sso-s3idc-howitworks"></a>

To integrate your application with Amazon S3 access grants, you do the following:
+ First, you configure Amazon Redshift to integrate with Amazon S3 Access Grants using the AWS Management Console or AWS CLI.
+ Next, a user with IdC administrator privileges grants Amazon S3 bucket or prefix access to specific IdC users/groups, using the Amazon S3 Access Grants service. For more information, see [ Working with grants in S3 Access Grants](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-grants-grant.html).
+ When an IdC user authenticated to Redshift runs a query accessing S3 (such as a COPY, UNLOAD, or Spectrum operation), Amazon Redshift retrieves temporary S3 access credentials scoped to that IdC identity from the Amazon S3 Access Grants service.
+ Amazon Redshift then uses the retrieved temporary credentials to access the authorized Amazon S3 locations for that query.

## Setting up integration with Amazon S3 Access Grants
<a name="redshift-iam-access-control-sso-s3idc-setup"></a>

To set up integration with Amazon S3 Access Grants for Amazon Redshift, do the following:

**Topics**
+ [Setting up integration with Amazon S3 Access Grants using the AWS Management Console](#redshift-iam-access-control-sso-s3idc-setup-console)
+ [Enabling integration with Amazon S3 Access Grants using the AWS CLI](#redshift-iam-access-control-sso-s3idc-setup-cli)

### Setting up integration with Amazon S3 Access Grants using the AWS Management Console
<a name="redshift-iam-access-control-sso-s3idc-setup-console"></a>

1. Open the Amazon Redshift console.

1. Choose your cluster from the **Clusters** pane.

1. In your cluster's details page, in the **Identity provider integration** section, enable integration with the **S3 Access Grants** service.
**Note**  
The **Identity provider integration** section doesn't appear if you don't have IAM Identity Center configured. For more information, see [ Enabling AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/get-set-up-for-idc.html).

### Enabling integration with Amazon S3 Access Grants using the AWS CLI
<a name="redshift-iam-access-control-sso-s3idc-setup-cli"></a>

1. To create a new Amazon Redshift IdC application with S3 integration enabled, do the following:

   ```
   aws redshift create-redshift-idc-application <other parameters> 
     --service-integrations '[ {"S3AccessGrants": [{"ReadWriteAccess": {"Authorization": "Enabled"}}]} ]'
   ```

1. To modify an existing application to enable S3 Access Grants integration, do the following:

   ```
   aws redshift modify-redshift-idc-application <other parameters>
     --service-integrations '[ {"S3AccessGrants": [{"ReadWriteAccess": {"Authorization": "Enabled"}}]} ]'
   ```

1. To modify an existing application to disable S3 Access Grants integration, do the following:

   ```
   aws redshift modify-redshift-idc-application <other parameters>
     --service-integrations '[ {"S3AccessGrants": [{"ReadWriteAccess": {"Authorization": "Disabled"}}]} ]'
   ```

## Using integration with S3 Access Grants
<a name="redshift-iam-access-control-sso-s3idc-using"></a>

After you configure S3 Access Grants integration, queries that access S3 data (such as `COPY`, `UNLOAD`, or Spectrum queries) use the IdC identity for authorization. Users who are not authenticated using IdC can also run these queries, but those user accounts don't take advantage of the centralized administration that IdC provides.

The following example shows queries that run with S3 Access Grants integration: 

```
COPY mytable FROM 's3://mybucket/data';                          -- Redshift uses the IdC identity
UNLOAD ('SELECT * FROM mytable') TO 's3://mybucket/unloaded/';   -- Redshift uses the IdC identity
```

# Querying data through AWS Lake Formation
<a name="redshift-iam-access-control-idp-analytics-connecting-steps"></a>

Using AWS Lake Formation makes it easier to centrally govern and secure your data lake, and to provide data access. Configuring identity propagation to Lake Formation through AWS IAM Identity Center and Redshift lets an administrator allow fine-grained access to an Amazon S3 data lake, based on the organization's identity-provider (IdP) groups. These groups are managed through AWS IAM Identity Center. This section shows how to configure two use cases, querying from a data lake and querying from a datashare, that demonstrate how to use AWS IAM Identity Center with Redshift to connect to Lake Formation-governed resources.

## Using an AWS IAM Identity Center and Redshift connection to query a data lake
<a name="redshift-iam-access-control-idp-analytics-connecting-datalake"></a>

These steps cover a use case where you use AWS IAM Identity Center connected to Redshift to query a data lake that's governed by Lake Formation.

**Prerequisites**

This procedure has several prerequisite steps:

1. AWS IAM Identity Center must be set up to support authentication and identity management with Redshift. You can enable AWS IAM Identity Center from the console and select an identity-provider (IdP) source. After this, synchronize a set of your IdP users with AWS IAM Identity Center. You must also set up a connection between AWS IAM Identity Center and Redshift, following the steps detailed previously in this document.

1. Create a new Amazon Redshift cluster and enable identity management through AWS IAM Identity Center in the configuration steps.

1. Create a managed AWS IAM Identity Center application for Lake Formation and configure it. This follows setting up the connection between AWS IAM Identity Center and Redshift. The steps are the following:

   1. In the AWS CLI, use the `modify-redshift-idc-application` command to enable the Lake Formation service integration with the AWS IAM Identity Center managed application for Redshift. This call includes the `service-integrations` parameter, which is set to a configuration string value that enables authorization to Lake Formation.

   1. Configure Lake Formation by using the `create-lake-formation-identity-center-configuration` command. This creates an AWS IAM Identity Center application for Lake Formation, which is visible in the AWS IAM Identity Center portal. The administrator must set the `--cli-input-json` argument, whose value is the path to a JSON file that uses the standard format for all AWS CLI API calls. You must include values for the following:
      + `CatalogId` – The Lake Formation catalog ID.
      + `InstanceArn` – The AWS IAM Identity Center instance ARN value.

After the administrator completes the prerequisite configuration, the database administrator can create an external schema for the purpose of querying the data lake.

1. **The administrator creates the external schema** – The Redshift database administrator connects to the database and creates an external schema, using the following SQL statement:

   ```
   CREATE EXTERNAL SCHEMA IF NOT EXISTS my_external_schema FROM DATA CATALOG DATABASE 'my_lf_integrated_db' CATALOG_ID '123456789012';
   ```

   Note that specifying an IAM role isn't required in this case, because access is managed through AWS IAM Identity Center.

1. **The administrator grants permissions** – The administrator grants usage to the database role that corresponds to an AWS IAM Identity Center group, which grants permissions on Redshift resources. Because the target is a role, the `ROLE` keyword is required. This is done by running a SQL statement like the following:

   ```
   GRANT USAGE ON SCHEMA "my_external_schema" TO ROLE "MYCO:sales";
   ```

   Subsequently, the administrator grants Lake Formation permissions on objects, based on requirements for the organization, using the AWS CLI:

   ```
   aws lakeformation grant-permissions ...
   ```

1. **Users run queries** – At this point, an AWS IAM Identity Center user that's part of the sales group, for illustration purposes, can log in via query editor v2 to the Redshift database. Then they can run a query that accesses a table in the external schema, like the following sample:

   ```
   SELECT * from my_external_schema.table1;
   ```

## Using an AWS IAM Identity Center and Redshift connection to connect to a datashare
<a name="redshift-iam-access-control-idp-analytics-connecting-datashare"></a>

 You can access a datashare from a different Redshift data warehouse when access is managed through AWS IAM Identity Center. To do this, you run a query to set up an external database. Prior to completing these steps, it's assumed that you have a connection set up between Redshift and AWS IAM Identity Center, and you've created the AWS Lake Formation application, as detailed in the previous procedure.

1. **Creating the external database** – The administrator creates an external database for data sharing, referencing it through its ARN. The following is a sample that shows how to do it:

   ```
   CREATE DATABASE "redshift_external_db" FROM ARN 'arn:aws:glue:us-east-1:123456789012:database/redshift_external_db-iad' WITH NO DATA CATALOG SCHEMA;
   ```

   In this use case, where you are using AWS IAM Identity Center with Redshift for identity management, the IAM role isn't included.

1. **The admin sets up permissions** – After creating a database, the administrator grants usage to an AWS IAM Identity Center group. This grants permissions on Redshift resources:

   ```
   GRANT USAGE ON DATABASE "my_external_db" to "MYCO:sales";
   ```

   The administrator also grants Lake Formation permissions on objects, using the AWS CLI:

   ```
   aws lakeformation grant-permissions ...
   ```

1. **Users run queries** – A user from the sales group can query a table in the database, based on the permissions assigned:

   ```
   select * from redshift_external_db.public.employees;
   ```

For more information about granting permissions on a data lake and granting permissions on data shares, see [Granting permissions to users and groups](https://docs.aws.amazon.com/lake-formation/latest/dg/grant-permissions-sso.html). For more information about granting usage to a schema or to a database, see [GRANT](https://docs.aws.amazon.com/redshift/latest/dg/r_GRANT.html).

# Integrating your application or tool with OAuth using a trusted token issuer
<a name="redshift-iam-access-control-idp-connect-oauth"></a>

 You can add functionality to client tools you create to connect to Redshift by means of the AWS IAM Identity Center connection. If you already configured Redshift integration to AWS IAM Identity Center, use the properties detailed in this section to set up a connection. 

## Authentication plugin for connecting to Redshift using AWS IAM Identity Center
<a name="redshift-iam-access-control-idp-connect-plugin"></a>

You can use AWS IAM Identity Center to connect to Amazon Redshift using the following driver plugins: 
+  `BrowserIdcAuthPlugin` – This plugin facilitates seamless single-sign-on integration with AWS IAM Identity Center. It creates a browser window for users to sign in with the user credentials defined in their corporate identity providers. 
+  `IdpTokenAuthPlugin` – This plugin should be used by applications that want to manage the authentication flow on their own, instead of letting the Amazon Redshift driver open a browser window for AWS IAM Identity Center authentication. It accepts an AWS IAM Identity Center vended access token or an OpenID Connect (OIDC) JSON Web Token (JWT) from any web identity provider that's connected with AWS IAM Identity Center, such as Okta, PingOne, and Microsoft Entra ID (Azure AD). The client application is responsible for generating this required access token or JWT. 

### Authenticating with `BrowserIdcAuthPlugin`
<a name="redshift-iam-access-control-idp-connect-plugin-browseridcauthplugin"></a>

Use the following plugin names to connect using `BrowserIdcAuthPlugin`, depending on your Amazon Redshift driver.


| Driver | Connection option key | Value | Notes | 
| --- | --- | --- | --- | 
| JDBC | `plugin_name` | com.amazon.redshift.plugin.BrowserIdcAuthPlugin | You must enter the fully-qualified class name of the plugin when you connect. | 
| ODBC | `plugin_name` | BrowserIdcAuthPlugin |  | 
| Python | `credentials_provider` | BrowserIdcAuthPlugin | There is no `plugin_name` option available for the Python driver. Instead, use `credentials_provider`. | 

The `BrowserIdcAuthPlugin` plugin has the following additional connection options:


| Option name | Required? | Description | Example | 
| --- | --- | --- | --- | 
| idc_region | Required | The AWS Region where the AWS IAM Identity Center instance is located. | us-east-1 | 
| issuer_url | Required | The AWS IAM Identity Center server's instance endpoint. You can find this value using the AWS IAM Identity Center console. | https://identitycenter.amazonaws.com/ssoins-g5j2k70sn4yc5nsc | 
| listen_port | Optional | The port that the Amazon Redshift driver uses to receive the `auth_code` response from AWS IAM Identity Center through the browser redirect. | 7890 | 
| idc_client_display_name | Optional | The name that the AWS IAM Identity Center client uses for the application in the AWS IAM Identity Center's single sign-on consent popup. | Amazon Redshift driver | 
| idp_response_timeout | Optional | The amount of time, in seconds, that the Redshift driver waits for the auth flow to complete. | 60 | 

You must enter these values in the connection properties of the tool you create and connect with. For more information, see the connection options documentation for each respective driver:
+ [Options for JDBC driver version 2.x configuration](jdbc20-configuration-options.md)
+ [ODBC driver options](odbc20-configuration-options.md)
+ [Configuration options for the Amazon Redshift Python connector](python-configuration-options.md)
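
The following Python helper is an added example for this page; it is not AWS documentation code and not part of the Amazon Redshift Python connector. It validates the `BrowserIdcAuthPlugin` options from the table above before they reach `redshift_connector.connect()`, which is assumed to accept them as keyword arguments (`idc_region`, `issuer_url`, `listen_port`, `idc_client_display_name`, `idp_response_timeout`). The cluster endpoint, database name and instance id in the `__main__` block are constructed sample values.

```python
"""Validate BrowserIdcAuthPlugin connection options before opening a connection.

Added example; not AWS documentation code or connector code. Option names are
assumed to be accepted as keyword arguments by redshift_connector.connect().
"""
import re
from urllib.parse import urlparse

REGION_PATTERN = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")  # e.g. us-east-1, us-gov-west-1
ISSUER_HOST = "identitycenter.amazonaws.com"                   # host from the page's example value
ISSUER_PATH = re.compile(r"^/ssoins-[0-9a-z]+$")               # /ssoins-<Identity Center instance id>


def browser_idc_options(idc_region, issuer_url, listen_port=7890,
                        idc_client_display_name="Amazon Redshift driver",
                        idp_response_timeout=60):
    """Return connection kwargs for BrowserIdcAuthPlugin, or raise ValueError.

    Checks a defender cares about: the browser redirect must target an HTTPS
    Identity Center endpoint (a typo here sends the user's sign-in elsewhere),
    the loopback listener must use an unprivileged port, and the wait for the
    auth flow must be bounded so a stalled login cannot hang the caller.
    """
    if not REGION_PATTERN.match(idc_region):
        raise ValueError(f"idc_region does not look like an AWS Region: {idc_region!r}")

    parsed = urlparse(issuer_url)
    if parsed.scheme != "https" or parsed.netloc != ISSUER_HOST:
        raise ValueError(f"issuer_url must be https://{ISSUER_HOST}/ssoins-..., got {issuer_url!r}")
    if not ISSUER_PATH.match(parsed.path):
        raise ValueError(f"issuer_url path is not an Identity Center instance id: {parsed.path!r}")

    if not isinstance(listen_port, int) or not 1024 <= listen_port <= 65535:
        raise ValueError("listen_port must be an unprivileged TCP port (1024-65535)")
    if not isinstance(idp_response_timeout, int) or idp_response_timeout <= 0:
        raise ValueError("idp_response_timeout must be a positive number of seconds")
    if not idc_client_display_name.strip():
        raise ValueError("idc_client_display_name must not be blank")

    return {
        "credentials_provider": "BrowserIdcAuthPlugin",
        "idc_region": idc_region,
        "issuer_url": issuer_url,
        "listen_port": listen_port,
        "idc_client_display_name": idc_client_display_name,
        "idp_response_timeout": idp_response_timeout,
    }


if __name__ == "__main__":
    import redshift_connector  # pip install redshift_connector

    options = browser_idc_options(
        idc_region="us-east-1",
        issuer_url="https://identitycenter.amazonaws.com/ssoins-g5j2k70sn4yc5nsc",
    )
    # Constructed endpoint and database; a browser window opens for the Identity Center sign-in.
    conn = redshift_connector.connect(
        host="examplecluster.abc123xyz789.us-east-1.redshift.amazonaws.com",
        database="dev",
        **options,
    )
    cur = conn.cursor()
    cur.execute("SELECT current_user")
    print(cur.fetchone())
    conn.close()
```

Rejecting a malformed `issuer_url` client-side matters more than it looks: the plugin hands the user's browser to that URL, so the check keeps a configuration mistake from turning into a sign-in at the wrong host.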

### Authenticating with `IdpTokenAuthPlugin`
<a name="redshift-iam-access-control-idp-connect-plugin-idptokenauthplugin"></a>

Use the following plugin names to connect using `IdpTokenAuthPlugin`, depending on your Amazon Redshift driver.


| Driver | Connection option key | Value | Notes | 
| --- | --- | --- | --- | 
| JDBC | `plugin_name` | com.amazon.redshift.plugin.IdpTokenAuthPlugin | You must enter the fully-qualified class name of the plugin when you connect. | 
| ODBC | `plugin_name` | IdpTokenAuthPlugin |  | 
| Python | `credentials_provider` | IdpTokenAuthPlugin | There is no `plugin_name` option available for the Python driver. Instead, use `credentials_provider`. | 

The `IdpTokenAuthPlugin` plugin has the following additional connection options:


| Option name | Required? | Description | 
| --- | --- | --- | 
| token | Required | An AWS IAM Identity Center vended access token or an OpenID Connect (OIDC) JSON Web Token (JWT) provided by a web identity provider that's connected with AWS IAM Identity Center. Your application must generate this token by authenticating your application user with AWS IAM Identity Center or an identity provider connected with AWS IAM Identity Center. | 
| token_type | Required | The type of token used for `IdpTokenAuthPlugin`. Possible values are the following:  [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-idp-connect-oauth.html)  | 

You must enter these values in the connection properties of the tool you create and connect with. For more information, see the connection options documentation for each respective driver:
+ [Options for JDBC driver version 2.x configuration](jdbc20-configuration-options.md)
+ [ODBC driver options](odbc20-configuration-options.md)
+ [Configuration options for the Amazon Redshift Python connector](python-configuration-options.md)
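
Because the application, not the driver, obtains the token for `IdpTokenAuthPlugin`, it is worth checking the token before each connection attempt so that a bad token fails in the application's own logs with a reason. The following is an added example for this page, not AWS documentation code and not part of the Redshift drivers. The driver and AWS IAM Identity Center perform the real validation; this step only rejects tokens that are plainly unusable (malformed, unsigned, wrong issuer, expired). The `token_type` value is passed through unchanged and should be taken from the driver documentation linked above; the issuer URL and the sample token, built in-line with a throwaway HMAC key, are constructed.

```python
"""Pre-flight checks on the token an application hands to IdpTokenAuthPlugin.

Added example; not AWS or driver code. Signature verification is left to the
party holding the provider's keys (Identity Center); this only refuses tokens
that cannot work. Sample token and issuer are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url, as used in compact JWS segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def inspect_jwt(token: str, expected_issuer: str, now: Optional[float] = None) -> dict:
    """Decode (without verifying the signature) and sanity-check an OIDC JWT.

    Returns the claims, or raises ValueError with the reason the token is unusable.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a compact JWS (expected header.payload.signature)")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:  # binascii.Error, UnicodeDecodeError and JSONDecodeError are all ValueErrors
        raise ValueError(f"token segments are not base64url-encoded JSON: {exc}") from None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("token header and payload must be JSON objects")
    if str(header.get("alg", "none")).lower() == "none" or not parts[2]:
        raise ValueError("unsigned token rejected")
    if claims.get("iss") != expected_issuer:
        raise ValueError(f"issuer {claims.get('iss')!r} does not match expected {expected_issuer!r}")
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token has no exp claim or is already expired")
    return claims


def idp_token_options(token: str, expected_issuer: str, token_type: str) -> dict:
    """Connection kwargs for IdpTokenAuthPlugin once the pre-flight checks pass."""
    inspect_jwt(token, expected_issuer)
    return {"credentials_provider": "IdpTokenAuthPlugin", "token": token, "token_type": token_type}


def make_sample_jwt(claims: dict, key: bytes = b"example-only-key", alg: str = "HS256") -> str:
    """Constructed test token (HS256 over a throwaway key); not what an IdP issues."""
    def enc(obj):
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc({'alg': alg, 'typ': 'JWT'})}.{enc(claims)}"
    signature = "" if alg == "none" else _b64url_encode(
        hmac.new(key, signing_input.encode(), hashlib.sha256).digest())
    return f"{signing_input}.{signature}"


if __name__ == "__main__":
    issuer = "https://idp.example.com"  # constructed issuer
    token = make_sample_jwt({"iss": issuer, "sub": "alice", "exp": int(time.time()) + 300})
    print(idp_token_options(token, issuer, token_type="<token-type-from-driver-docs>"))
```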

# Troubleshooting connections from Amazon Redshift query editor v2
<a name="redshift-iam-access-control-idp-connect-troubleshooting"></a>

This list details errors that commonly occur and can help you to connect to your Redshift database with query editor v2, using an AWS IAM Identity Center identity.
+ Error: **Connection Issue: No Identity center session information available.** – When this error occurs, check your browser’s security and privacy settings. These browser settings, particularly those for secure cookies, such as Firefox’s Total Cookie Protection feature, can result in blocked connection attempts from Amazon Redshift query editor v2 to a Redshift database. Follow the remediation steps detailed for your browser:
  + **Firefox** – Currently, third-party cookies are blocked by default. Click the shield in the browser's address bar and switch the toggle to turn off enhanced tracking protection for query editor v2.
  + **Chrome incognito mode** – By default, Chrome Incognito mode blocks third party cookies. Click the eye icon in the address bar to allow third-party cookies for query editor v2. After you change the setting to allow cookies, you may not see the eye icon on the address bar.
  + **Safari** – On a Mac, open the Safari app. Choose **Settings**, then choose **Advanced**. Toggle to turn off: **Block all cookies**.
  + **Edge** – Choose **Settings**, then choose **Cookies and site permissions**. Then select **Manage and delete cookies and site data** and turn off **Block third-party cookies**.

  If you try to connect after changing the settings and continue to receive the error message **Connection Issue: No Identity center session information available**, we recommend that you refresh your connection with AWS IAM Identity Center. To do this, right-click your Redshift database instance and choose **Refresh**. A new window appears, which you can use to authenticate.
+ Error: **Connection issue: Identity center session expired or invalid.** – Following integration of a Redshift provisioned cluster or Serverless workgroup with AWS IAM Identity Center, a user might receive this error when they attempt to connect to a Redshift database from query editor v2. This can follow successful connection attempts. In this case, we recommend that you re-authenticate. To do this, right-click your Redshift database instance and choose **Refresh**. A new window appears, which you can use to authenticate.
+ Error: **Invalid scope. User credentials are not authorized to connect to Redshift.** – Following integration of a Redshift provisioned cluster or Serverless workgroup with AWS IAM Identity Center for identity management, a user might receive this error when they attempt to connect to a Redshift database from query editor v2. In this case, in order for query editor v2 to successfully connect and authenticate a user via AWS IAM Identity Center to access the correct resources, an administrator must assign the user to the Redshift AWS IAM Identity Center application through the Redshift console. This is completed under **IAM Identity Center connections**. Following this, the user can establish a successful connection after one hour, which is the limit of AWS IAM Identity Center session caching.
+ Error: **Databases couldn't be listed. FATAL: Failed query when cluster is auto paused.** – When an Amazon Redshift Serverless database is in an idle state, not processing any workloads, it can remain paused when you connect with an AWS IAM Identity Center identity. To remedy this, log in with another authentication method to resume the Serverless workgroup. Then connect to the database with your AWS IAM Identity Center identity.
+ Error: **An error occurred during the attempt to federate with AWS IAM Identity Center. An Amazon Redshift administrator must delete and recreate the AWS IAM Identity Center QEV2 application, using the Redshift console.** – This error typically occurs when the AWS IAM Identity Center application instance associated with query editor v2 is deleted. To remedy this, an Amazon Redshift administrator must delete and recreate the Redshift and query editor v2 applications for AWS IAM Identity Center. This can be performed on the Redshift console or using the [delete-redshift-idc-application](https://docs.aws.amazon.com/cli/latest/reference/redshift/delete-redshift-idc-application.html) CLI command.

# Using service-linked roles for Amazon Redshift
<a name="using-service-linked-roles"></a>

Amazon Redshift uses AWS Identity and Access Management (IAM) [service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-service-linked-role). A service-linked role is a unique type of IAM role that is linked directly to Amazon Redshift. Service-linked roles are predefined by Amazon Redshift and include all the permissions that the service requires to call AWS services on behalf of your Amazon Redshift cluster. 

A service-linked role makes setting up Amazon Redshift easier because you don't have to add the necessary permissions manually. The role is linked to Amazon Redshift use cases and has predefined permissions. Only Amazon Redshift can assume the role, and only the service-linked role can use the predefined permissions policy. Amazon Redshift creates a service-linked role in your account the first time you create a cluster or a Redshift-managed VPC endpoint. You can delete the service-linked role only after you delete all of the Amazon Redshift clusters or Redshift-managed VPC endpoints in your account. This protects your Amazon Redshift resources because you can't inadvertently remove permissions needed for access to the resources.

Amazon Redshift supports using service-linked roles in all of the Regions where the service is available. For more information, see [AWS Regions and Endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html?id=docs_gateway#redshift_region).

For information about other services that support service-linked roles, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) and look for the services that have **Yes** in the **Service-Linked Role** column. Choose a **Yes** with a link to view the service-linked role documentation for that service.

## Service-linked role permissions for Amazon Redshift
<a name="service-linked-role-permissions"></a>

Amazon Redshift uses the service-linked role named **AWSServiceRoleForRedshift**, which allows Amazon Redshift to call AWS services on your behalf. This service-linked role is attached to the following managed policy: `AmazonRedshiftServiceLinkedRolePolicy`. For updates to this policy, see [AWS-managed (predefined) policies for Amazon Redshift](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-identity-based.html#redshift-policy-resources.managed-policies).

The AWSServiceRoleForRedshift service-linked role trusts only **redshift.amazonaws.com** to assume the role.

The AWSServiceRoleForRedshift service-linked role permissions policy allows Amazon Redshift to complete the following on all related resources:
+ `ec2:DescribeVpcs`
+ `ec2:DescribeSubnets`
+ `ec2:DescribeNetworkInterfaces`
+ `ec2:DescribeAddress`
+ `ec2:AssociateAddress`
+ `ec2:DisassociateAddress`
+ `ec2:CreateNetworkInterface`
+ `ec2:DeleteNetworkInterface`
+ `ec2:ModifyNetworkInterfaceAttribute`
+ `ec2:CreateVpcEndpoint`
+ `ec2:DeleteVpcEndpoints`
+ `ec2:DescribeVpcEndpoints`
+ `ec2:ModifyVpcEndpoint`
+ `ec2:DescribeVpcAttribute`
+ `ec2:DescribeSecurityGroups`
+ `ec2:DescribeInternetGateways`
+ `ec2:DescribeSecurityGroupRules`
+ `ec2:DescribeAvailabilityZones`
+ `ec2:DescribeNetworkAcls`
+ `ec2:DescribeRouteTables`
+ `ec2:AssignIpv6Addresses`
+ `ec2:UnassignIpv6Addresses`

**Permissions for network resources**

The following permissions allow action on Amazon EC2 for creation and management of security group rules. These security groups and rules are specifically associated with the Amazon Redshift `aws:RequestTag/Redshift` resource tag. This limits the scope of the permissions to specific Amazon Redshift resources.
+ `ec2:CreateSecurityGroup`
+ `ec2:AuthorizeSecurityGroupEgress`
+ `ec2:AuthorizeSecurityGroupIngress`
+ `ec2:RevokeSecurityGroupEgress`
+ `ec2:RevokeSecurityGroupIngress`
+ `ec2:ModifySecurityGroupRules`
+ `ec2:DeleteSecurityGroup`

**Permissions for service quotas**

The following permissions allow the caller to get service quotas.

`servicequotas:GetServiceQuota`

The following JSON fragment shows action and resource scope for service quotas.

```
{
   "Sid": "ServiceQuotasToCheckCustomerLimits",
   "Effect": "Allow",
   "Action": [
      "servicequotas:GetServiceQuota"
   ],
   "Resource": [
      "arn:aws:servicequotas:*:*:ec2/L-0263D0A3",
      "arn:aws:servicequotas:*:*:vpc/L-29B6F2EB" 
   ]
}
```

The quota codes are the following:
+ *L-0263D0A3* – The quota code for EC2-VPC Elastic IPs.
+ *L-29B6F2EB* – The quota code for Interface VPC endpoints per VPC.

For more information, see [AWS service quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html).

**Actions for audit logging**

Actions listed with the `logs` prefix pertain to audit logging and related features, specifically the creation and management of log groups and log streams.
+ `logs:CreateLogGroup`
+ `logs:PutRetentionPolicy`
+ `logs:CreateLogStream`
+ `logs:PutLogEvents`
+ `logs:DescribeLogStreams`
+ `logs:GetLogEvents`

The following JSON shows actions and resource scope, to Amazon Redshift, for audit logging.

```
[
    {
        "Sid": "EnableCreationAndManagementOfRedshiftCloudwatchLogGroups",
        "Effect": "Allow",
        "Action": [
            "logs:CreateLogGroup",
            "logs:PutRetentionPolicy"
        ],
        "Resource": [
            "arn:aws:logs:*:*:log-group:/aws/redshift/*"
        ]
    },
    {
        "Sid": "EnableCreationAndManagementOfRedshiftCloudwatchLogStreams",
        "Effect": "Allow",
        "Action": [
            "logs:CreateLogStream",
            "logs:PutLogEvents",
            "logs:DescribeLogStreams",
            "logs:GetLogEvents"
        ],
        "Resource": [
            "arn:aws:logs:*:*:log-group:/aws/redshift/*:log-stream:*"
        ]
    }
]
```

For more information about service-linked roles and their purpose in AWS, see [Using service-linked roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html). For more information about specific actions and other IAM resources for Amazon Redshift, see [Actions, resources, and condition keys for Amazon Redshift](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonredshift.html).

**Actions for managing admin credentials with AWS Secrets Manager**

Actions listed with the `secretsmanager` prefix pertain to using Amazon Redshift to manage your admin credentials. These actions let Amazon Redshift use AWS Secrets Manager to create and manage your admin credential secrets. 

The following JSON shows actions and resource scope, to Amazon Redshift, for managing admin credentials with AWS Secrets Manager.

```
[
    {
        "Effect": "Allow",
        "Action": [
            "secretsmanager:DescribeSecret",
            "secretsmanager:DeleteSecret",
            "secretsmanager:PutSecretValue",
            "secretsmanager:UpdateSecret",
            "secretsmanager:UpdateSecretVersionStage",
            "secretsmanager:RotateSecret"
        ],
        "Resource": [
            "arn:aws:secretsmanager:*:*:secret:redshift!*"
        ],
        "Condition": {
            "StringEquals": {
                "secretsmanager:ResourceTag/aws:secretsmanager:owningService": "redshift"
            }
        }
    },
    {
        "Effect": "Allow",
        "Action": [
            "secretsmanager:GetRandomPassword"
        ],
        "Resource": "*"
    }
]
```

**Actions for registering clusters and serverless namespaces to the AWS Glue Data Catalog**

Actions listed with the `glue` prefix pertain to accessing catalogs in the AWS Glue Data Catalog made from registering provisioned clusters or serverless namespaces. For more information, see [ Apache Iceberg compatibility for Amazon Redshift](https://docs.aws.amazon.com/redshift/latest/dg/iceberg-integration_overview.html) in the *Amazon Redshift Database Developer Guide*.

The following JSON shows actions and resource scope, to Amazon Redshift, for accessing catalogs in the AWS Glue Data Catalog: 

```
[
    {
        "Sid": "DiscoverRedshiftCatalogs",
        "Effect": "Allow",
        "Action": [
            "glue:GetCatalogs",
            "glue:GetCatalog"
        ],
        "Resource": [
            "arn:aws:glue:*:*:catalog",
            "arn:aws:glue:*:*:catalog/*"
        ],
        "Condition": {
            "Bool": {
                "glue:EnabledForRedshiftAutoDiscovery": "true"
            },
            "StringEquals": {
                "aws:ResourceAccount": "${aws:PrincipalAccount}"
            }
        }
    },
    {
        "Sid": "LakeFormationGetMetadataAccessForFederatedCatalogs",
        "Effect": "Allow",
        "Action": [
            "lakeformation:GetDataAccess"
        ],
        "Resource": [ "*" ],
        "Condition": {
            "Bool": {
                "lakeformation:EnabledOnlyForMetaDataAccess": "true"
            },
            "StringEquals": {
                "aws:ResourceAccount": "${aws:PrincipalAccount}"
            },
            "ForAnyValue:StringEquals": {
                "aws:CalledVia": "glue.amazonaws.com"
            }
        }
    }
]
```

The `glue:GetCatalog` and `glue:GetCatalogs` permissions carry the condition `glue:EnabledForRedshiftAutoDiscovery:true`, which means that Amazon Redshift grants IAM access for automatically discovering catalogs. To opt out, add an AWS Glue account-level resource policy that selectively denies service-linked role access to the catalogs. Because the service-linked role already has an explicit allow for these actions in its policy, the opt-out policy must explicitly deny them. Consider the following example, where an additional policy denies auto discovery for Amazon Redshift: 


```
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": [
      "glue:GetCatalog",
      "glue:GetCatalogs"
    ],
    "Principal": {
      "AWS": "arn:aws:iam::111122223333:role/aws-service-role/redshift.amazonaws.com/AWSServiceRoleForRedshift"
    },
    "Resource": [
      "arn:aws:glue:*:*:catalog/<s3_table_catalog_name>",
      "arn:aws:glue:*:*:catalog/<s3_table_catalog_name>/*"
    ]
  }
}
```

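
To make concrete why the opt-out has to be a Deny rather than the absence of an Allow, the following added example models the relevant part of IAM policy evaluation and runs it over the two statements above. It is not AWS code and not a complete IAM evaluator: it covers only the service-linked role's explicit Allow on `glue:GetCatalog` and `glue:GetCatalogs` and an account-level Glue resource policy denying those actions for one catalog, and it treats the condition keys shown on the page (`glue:EnabledForRedshiftAutoDiscovery`, `aws:ResourceAccount`) as satisfied. The account ID is the page's placeholder value and the catalog name `s3tablescatalog` is constructed.

```python
"""Minimal model of IAM policy evaluation: explicit Deny beats Allow.

Added example; not AWS code. Only the statements discussed on this page are
modelled, and their condition keys are assumed satisfied. Account ID is the
page's placeholder; the catalog name is constructed.
"""
import re

SLR_ARN = ("arn:aws:iam::111122223333:role/aws-service-role/"
           "redshift.amazonaws.com/AWSServiceRoleForRedshift")

# Identity-based statement carried by the service-linked role (from the page, conditions omitted).
SLR_ALLOW = {
    "Effect": "Allow",
    "Action": ["glue:GetCatalogs", "glue:GetCatalog"],
    "Resource": ["arn:aws:glue:*:*:catalog", "arn:aws:glue:*:*:catalog/*"],
}

# Account-level opt-out (from the page) with <s3_table_catalog_name> replaced by a constructed name.
OPT_OUT_DENY = {
    "Effect": "Deny",
    "Action": ["glue:GetCatalog", "glue:GetCatalogs"],
    "Principal": {"AWS": SLR_ARN},
    "Resource": ["arn:aws:glue:*:*:catalog/s3tablescatalog",
                 "arn:aws:glue:*:*:catalog/s3tablescatalog/*"],
}


def iam_match(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' matches any run, '?' one character, the rest is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_applies(stmt: dict, principal: str, action: str, resource: str) -> bool:
    """True if the statement's Principal (when present), Action and Resource all match.

    Action names are case-insensitive in IAM, so they are compared lower-cased.
    """
    if "Principal" in stmt:  # resource-based policy statement
        allowed = _as_list(stmt["Principal"].get("AWS", []))
        if not any(iam_match(p, principal) for p in allowed):
            return False
    return (any(iam_match(a.lower(), action.lower()) for a in _as_list(stmt["Action"]))
            and any(iam_match(r, resource) for r in _as_list(stmt["Resource"])))


def evaluate(statements, principal: str, action: str, resource: str) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny'.

    IAM's basic rule: any applicable explicit Deny wins over every Allow; with
    no Deny, one applicable Allow grants; with neither, the request is
    implicitly denied. The service-linked role's Allow lives in an AWS-managed
    policy you cannot edit, which is why the opt-out must be a Deny.
    """
    decision = "ImplicitDeny"
    for stmt in statements:
        if not statement_applies(stmt, principal, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    policies = [SLR_ALLOW, OPT_OUT_DENY]
    for catalog in ("arn:aws:glue:us-east-1:111122223333:catalog/s3tablescatalog",
                    "arn:aws:glue:us-east-1:111122223333:catalog/other_catalog"):
        print(catalog.rsplit("/", 1)[-1], "->", evaluate(policies, SLR_ARN, "glue:GetCatalog", catalog))
```

Running it shows the opted-out catalog evaluating to `Deny` while every other catalog still evaluates to `Allow`, which is exactly the selective effect the text describes: other catalogs keep auto-discovery, and only the named one is withdrawn from the service-linked role.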

**To allow an IAM entity to create AWSServiceRoleForRedshift service-linked roles**

```
{
    "Effect": "Allow",
    "Action": [
        "iam:CreateServiceLinkedRole"      
    ],
    "Resource": "arn:aws:iam::<AWS-account-ID>:role/aws-service-role/redshift.amazonaws.com/AWSServiceRoleForRedshift",
    "Condition": {"StringLike": {"iam:AWSServiceName": "redshift.amazonaws.com"}}
}
```

**To allow an IAM entity to delete AWSServiceRoleForRedshift service-linked roles**

Add the following policy statement to the permissions for that IAM entity:

```
{
    "Effect": "Allow",
    "Action": [
        "iam:DeleteServiceLinkedRole",
        "iam:GetServiceLinkedRoleDeletionStatus"
    ],
    "Resource": "arn:aws:iam::<AWS-account-ID>:role/aws-service-role/redshift.amazonaws.com/AWSServiceRoleForRedshift",
    "Condition": {"StringLike": {"iam:AWSServiceName": "redshift.amazonaws.com"}}
}
```

Alternatively, you can use an AWS managed policy to [provide full access](https://console.aws.amazon.com/iam/home#policies/arn:aws:iam::aws:policy/AmazonRedshiftFullAccess) to Amazon Redshift.

## Creating a service-linked role for Amazon Redshift
<a name="create-service-linked-role"></a>

You don't need to manually create an AWSServiceRoleForRedshift service-linked role. Amazon Redshift creates the service-linked role for you. If the AWSServiceRoleForRedshift service-linked role has been deleted from your account, Amazon Redshift creates the role when you launch a new Amazon Redshift cluster.

**Important**  
If you used the Amazon Redshift service before September 18, 2017, when it began supporting service-linked roles, then Amazon Redshift created the AWSServiceRoleForRedshift role in your account. To learn more, see [A new role appeared in my IAM account](https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_roles.html#troubleshoot_roles_new-role-appeared). 

## Editing a service-linked role for Amazon Redshift
<a name="edit-service-linked-role"></a>

Amazon Redshift does not allow you to edit the AWSServiceRoleForRedshift service-linked role. After you create a service-linked role, you can't change the name of the role because various entities might reference the role. However, you can edit the description of the role using the IAM console, the AWS Command Line Interface (AWS CLI), or IAM API. For more information, see [Modifying a role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_manage_modify.html) in the *IAM User Guide*.

## Deleting a service-linked role for Amazon Redshift
<a name="delete-service-linked-role"></a>

If you no longer need to use a feature or service that requires a service-linked role, we recommend that you delete that role. That way you don't have an unused entity that is not actively monitored or maintained. 

Before you can delete a service-linked role for an account, you must shut down and delete any clusters in the account. For more information, see [Shutting down and deleting a cluster](rs-mgmt-shutdown-delete-cluster.md).

You can use the IAM console, the AWS CLI, or the IAM API to delete a service-linked role. For more information, see [Deleting a service-linked role](https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html#delete-service-linked-role) in the *IAM User Guide*.

# Using IAM authentication to generate database user credentials
<a name="generating-user-credentials"></a>

You can generate temporary database credentials based on permissions granted through an AWS Identity and Access Management (IAM) permissions policy to manage the access that your users have to your Amazon Redshift database. 

Commonly, Amazon Redshift database users log in to the database by providing a database user name and password. However, you don't have to maintain user names and passwords in your Amazon Redshift database. As an alternative, you can configure your system to permit users to create user credentials and log in to the database based on their IAM credentials.

Amazon Redshift provides the [GetClusterCredentials](https://docs.aws.amazon.com/redshift/latest/APIReference/API_GetClusterCredentials.html) API operation to generate temporary database user credentials. You can configure your SQL client with Amazon Redshift JDBC or ODBC drivers that manage the process of calling the `GetClusterCredentials` operation. They do so by retrieving the database user credentials, and establishing a connection between your SQL client and your Amazon Redshift database. You can also use your database application to programmatically call the `GetClusterCredentials` operation, retrieve database user credentials, and connect to the database. 

If you already manage user identities outside AWS, you can use an identity provider (IdP) compliant with Security Assertion Markup Language (SAML) 2.0 to manage access to Amazon Redshift resources. You configure your IdP to permit your federated users access to an IAM role. With that IAM role, you can generate temporary database credentials and log in to Amazon Redshift databases. 

Your SQL client needs permission to call the `GetClusterCredentials` operation for you. You manage those permissions by creating an IAM role and attaching an IAM permissions policy that grants or restricts access to the `GetClusterCredentials` operation and related actions. As a best practice, we recommend attaching permissions policies to an IAM role and then assigning it to users and groups as needed. For more information, see [Identity and access management in Amazon Redshift](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-authentication-access-control.html).

The policy also grants or restricts access to specific resources, such as Amazon Redshift clusters, databases, database user names, and user group names. 

**Note**  
We recommend using the Amazon Redshift JDBC or ODBC drivers to manage the process of calling the `GetClusterCredentials` operation and logging on to the database. For simplicity, we assume that you are using a SQL client with the JDBC or ODBC drivers throughout this topic.   
For specific details and examples of using the `GetClusterCredentials` operation or the parallel `get-cluster-credentials` CLI command, see [GetClusterCredentials](https://docs.aws.amazon.com/redshift/latest/APIReference/API_GetClusterCredentials.html) and [get-cluster-credentials](https://docs.aws.amazon.com/cli/latest/reference/redshift/get-cluster-credentials.html).

To manage authentication and authorization centrally, Amazon Redshift supports database authentication with IAM, enabling user authentication through enterprise federation. Instead of creating a user, you can use existing identities from AWS Directory Service, your enterprise user directory, or a web identity provider. These are known as federated users. AWS assigns a role to a federated user when access is requested through an IdP. 

To provide federated access to a user or client application in your organization to call Amazon Redshift API operations, you can also use the JDBC or ODBC driver with SAML 2.0 support to request authentication from your organization's IdP. In this case, your organization's users don't have direct access to Amazon Redshift.

For more information, see [Identity Providers and Federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html) in the *IAM User Guide*.
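
For applications that call the operation themselves rather than through the JDBC or ODBC drivers, the following added example shows the flow in Python. It is not AWS documentation code; it uses the boto3 Redshift client's `get_cluster_credentials` call (the same `GetClusterCredentials` API described above, with the `ClusterIdentifier`, `DbName`, `DbUser`, `DurationSeconds`, `AutoCreate` and `DbGroups` parameters) and returns what a SQL client needs to connect. `FakeRedshiftClient` is a constructed stand-in so the flow can be exercised without an AWS account; the cluster identifier, database, user and group names are constructed as well.

```python
"""Requesting temporary database credentials with GetClusterCredentials.

Added example; not AWS documentation code. FakeRedshiftClient is a constructed
stand-in for boto3.client('redshift') used for offline runs and tests only.
"""
import datetime as dt

REDSHIFT_PORT = 5439  # default Amazon Redshift port


def get_temporary_db_credentials(redshift_client, cluster_identifier, db_name, db_user,
                                 db_groups=(), auto_create=False, duration_seconds=900):
    """Call GetClusterCredentials and return connection parameters plus expiry.

    Least-privilege defaults: AutoCreate off (only pre-existing database users
    can be mapped), DurationSeconds at the API minimum of 900 seconds, and
    DbGroups sent only when the caller actually wants group membership.
    """
    if not 900 <= duration_seconds <= 3600:
        raise ValueError("DurationSeconds must be between 900 and 3600 seconds")
    params = {
        "ClusterIdentifier": cluster_identifier,
        "DbName": db_name,
        "DbUser": db_user,
        "DurationSeconds": duration_seconds,
        "AutoCreate": auto_create,
    }
    if db_groups:
        params["DbGroups"] = list(db_groups)

    response = redshift_client.get_cluster_credentials(**params)

    # The returned user name is prefixed: IAM: for an existing database user,
    # IAMA: when AutoCreate is used. That prefixed name is the session's user,
    # so it is the value to log and to hand to the SQL client.
    returned_user = response["DbUser"]
    expected_prefix = "IAMA:" if auto_create else "IAM:"
    if not returned_user.startswith(expected_prefix):
        raise RuntimeError(f"unexpected DbUser {returned_user!r} (expected {expected_prefix} prefix)")

    return {
        "user": returned_user,
        "password": response["DbPassword"],
        "database": db_name,
        "port": REDSHIFT_PORT,
        "sslmode": "require",  # temporary credentials must not travel in the clear
        "expires_at": response["Expiration"],
    }


def seconds_remaining(credentials, now=None) -> float:
    """Remaining validity of the temporary password; refresh before it reaches zero."""
    now = now or dt.datetime.now(dt.timezone.utc)
    return (credentials["expires_at"] - now).total_seconds()


class FakeRedshiftClient:
    """Constructed stand-in for boto3.client('redshift'); records calls and mimics the response shape."""

    def __init__(self):
        self.calls = []

    def get_cluster_credentials(self, **params):
        self.calls.append(params)
        prefix = "IAMA:" if params["AutoCreate"] else "IAM:"
        expiry = dt.datetime.now(dt.timezone.utc) + dt.timedelta(seconds=params["DurationSeconds"])
        return {"DbUser": prefix + params["DbUser"],
                "DbPassword": "constructed-temporary-password",
                "Expiration": expiry}


if __name__ == "__main__":
    import boto3  # the caller's IAM identity needs redshift:GetClusterCredentials

    client = boto3.client("redshift", region_name="us-east-1")
    creds = get_temporary_db_credentials(client, "examplecluster", "dev", "analyst", db_groups=["readers"])
    print(creds["user"], "valid for", round(seconds_remaining(creds)), "seconds")
```

The IAM policy discussed above is what decides whether this call succeeds: `redshift:GetClusterCredentials` is evaluated against the cluster, database, `DbUser` and `DbGroups` resources named in the request, so tightening the policy to specific user and group names is enforced at this call, before any database connection is made.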

# Creating temporary IAM credentials
<a name="generating-iam-credentials-steps"></a>

In this section, you can find how to configure your system to generate temporary IAM-based database user credentials and log in to your database using the new credentials.

At a high level, the process flows as follows:

1. [Step 1: Create an IAM role for IAM single sign-on access](#generating-iam-credentials-sso-role)

   (Optional) You can authenticate users for access to an Amazon Redshift database by integrating IAM authentication and a third-party identity provider (IdP). 

1. [Step 2: Configure SAML assertions for your IdP](#configuring-saml-assertions)

   (Optional) To use IAM authentication using an IdP, you need to define a claim rule in your IdP application that maps users or groups in your organization to the IAM role. Optionally, you can include attribute elements to set `GetClusterCredentials` parameters.

1. [Step 3: Create an IAM role with permissions to call GetClusterCredentialsWithIAM or GetClusterCredentials](#generating-iam-credentials-role-permissions)

   Your SQL client application assumes the user when it calls the `GetClusterCredentials` operation. If you created an IAM role for identity provider access, you can add the necessary permission to that role.

1. [Step 4: Create a database user and database groups](#generating-iam-credentials-user-and-groups)

   (Optional) By default, `GetClusterCredentials` returns credentials and creates a new user if the user name doesn't exist. You can also choose to specify user groups that users join at logon. By default, database users join the PUBLIC group.

1. [Step 5: Configure a JDBC or ODBC connection to use IAM credentials](#generating-iam-credentials-configure-jdbc-odbc)

   To connect to your Amazon Redshift database, you configure your SQL client to use an Amazon Redshift JDBC or ODBC driver. 

## Step 1: Create an IAM role for IAM single sign-on access
<a name="generating-iam-credentials-sso-role"></a>

If you don't use an identity provider for single sign-on access, you can skip this step.

If you already manage user identities outside of AWS, you can authenticate users for access to an Amazon Redshift database by integrating IAM authentication and a third-party SAML-2.0 identity provider (IdP). 

For more information, see [Identity Providers and Federation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers.html) in the *IAM User Guide*.

Before you can use Amazon Redshift IdP authentication, create an AWS SAML identity provider. You create an IdP in the IAM console to inform AWS about the IdP and its configuration. Doing this establishes trust between your AWS account and the IdP. For steps to create a role, see [Creating a Role for SAML 2.0 Federation (Console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html?icmpid=docs_iam_console) in the *IAM User Guide*.

## Step 2: Configure SAML assertions for your IdP
<a name="configuring-saml-assertions"></a>

After you create the IAM role, you define a claim rule in your IdP application to map users or groups in your organization to the IAM role. For more information, see [Configuring SAML Assertions for the Authentication Response](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_assertions.html) in the *IAM User Guide*.

If you choose to use the optional `GetClusterCredentials` parameters `DbUser`, `AutoCreate`, and `DbGroups`, you have two options. You can set the values for the parameters with your JDBC or ODBC connection, or you can set the values by adding SAML attribute elements to your IdP. For more information about the `DbUser`, `AutoCreate`, and `DbGroups` parameters, see [Step 5: Configure a JDBC or ODBC connection to use IAM credentials](#generating-iam-credentials-configure-jdbc-odbc).

**Note**  
If you use an IAM policy variable `${redshift:DbUser}`, as described in [Resource policies for GetClusterCredentials](redshift-iam-access-control-identity-based.md#redshift-policy-resources.getclustercredentials-resources) the value for `DbUser` is replaced with the value retrieved by the API operation's request context. The Amazon Redshift drivers use the value for the `DbUser` variable provided by the connection URL, rather than the value supplied as a SAML attribute.   
To help secure this configuration, we recommend that you use a condition in an IAM policy to validate the `DbUser` value by using `RoleSessionName`. You can find examples of how to set a condition using an IAM policy in [Example 8: IAM policy for using GetClusterCredentials](redshift-iam-access-control-identity-based.md#redshift-policy-examples-getclustercredentials).

To configure your IdP to set the `DbUser`, `AutoCreate`, and `DbGroups` parameters, include the following `Attribute` elements:
+ An `Attribute` element with the `Name` attribute set to "https://redshift.amazon.com/SAML/Attributes/DbUser"

  Set the `AttributeValue` element to the name of a user that will connect to the Amazon Redshift database.

  The value in the `AttributeValue` element must be lowercase, begin with a letter, contain only alphanumeric characters, underscore ('_'), plus sign ('+'), dot ('.'), at ('@'), or hyphen ('-'), and be fewer than 128 characters. Typically, the user name is a user ID (for example, bobsmith) or an email address (for example bobsmith@example.com). The value can't include a space (for example, a user's display name such as Bob Smith).

  ```
  <Attribute Name="https://redshift.amazon.com/SAML/Attributes/DbUser">
      <AttributeValue>user-name</AttributeValue>
  </Attribute>
  ```
+ An `Attribute` element with the `Name` attribute set to "https://redshift.amazon.com/SAML/Attributes/AutoCreate"

  Set the `AttributeValue` element to `true` to create a new database user if one doesn't exist. Set the `AttributeValue` to `false` to specify that the database user must exist in the Amazon Redshift database.

  ```
  <Attribute Name="https://redshift.amazon.com/SAML/Attributes/AutoCreate">
      <AttributeValue>true</AttributeValue>
  </Attribute>
  ```
+ An `Attribute` element with the `Name` attribute set to "https://redshift.amazon.com/SAML/Attributes/DbGroups"

  This element contains one or more `AttributeValue` elements. Set each `AttributeValue` element to a database group name that the `DbUser` joins for the duration of the session when connecting to the Amazon Redshift database.

  ```
  <Attribute Name="https://redshift.amazon.com/SAML/Attributes/DbGroups">
      <AttributeValue>group1</AttributeValue>
      <AttributeValue>group2</AttributeValue>
      <AttributeValue>group3</AttributeValue>
  </Attribute>
  ```
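The following parser is an added example (not code from the Amazon Redshift documentation or drivers) that shows what the three `Attribute` elements above look like once they arrive inside a SAML `AttributeStatement`, and checks the `DbUser` value against the naming rules stated above before it is ever used. It also picks up the standard AWS `Role` attribute (`https://aws.amazon.com/SAML/Attributes/Role`, whose values are `role-arn,provider-arn` pairs), which the page refers to later when it describes the ODBC **Preferred Role** field. The sample assertion fragment, the role and provider ARNs, and the group names are constructed for the example; the account ID is the one already used on this page.

```python
import re
import xml.etree.ElementTree as ET

# Attribute names documented on this page.
REDSHIFT_ATTR_NS = "https://redshift.amazon.com/SAML/Attributes/"
ATTR_DBUSER = REDSHIFT_ATTR_NS + "DbUser"
ATTR_AUTOCREATE = REDSHIFT_ATTR_NS + "AutoCreate"
ATTR_DBGROUPS = REDSHIFT_ATTR_NS + "DbGroups"
# Standard AWS SAML role attribute; each value is "role-arn,provider-arn".
ATTR_ROLE = "https://aws.amazon.com/SAML/Attributes/Role"

# Allowed character set from the page: alphanumerics, '_', '+', '.', '@', '-'.
DBUSER_ALLOWED = re.compile(r"^[a-z0-9_+.@-]*$")

# Constructed sample: what an IdP would emit for the three Redshift attributes.
SAMPLE_ATTRIBUTE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
    <saml:AttributeValue>arn:aws:iam::123456789012:role/RedshiftAnalyst,arn:aws:iam::123456789012:saml-provider/ExampleIdP</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="https://redshift.amazon.com/SAML/Attributes/DbUser">
    <saml:AttributeValue>bobsmith@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="https://redshift.amazon.com/SAML/Attributes/AutoCreate">
    <saml:AttributeValue>true</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="https://redshift.amazon.com/SAML/Attributes/DbGroups">
    <saml:AttributeValue>group1</saml:AttributeValue>
    <saml:AttributeValue>group2</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def dbuser_issues(value):
    """Return the list of DbUser rules from the page that `value` violates (empty if it is acceptable)."""
    issues = []
    if len(value) >= 128:
        issues.append("must be fewer than 128 characters")
    if value != value.lower():
        issues.append("must be lowercase")
    if not value or not value[0].isalpha():
        issues.append("must begin with a letter")
    if DBUSER_ALLOWED.match(value) is None:
        issues.append("contains characters outside [a-z0-9_+.@-]")
    return issues


def validate_dbuser(value):
    return not dbuser_issues(value)


def _local_name(tag):
    # Strip the "{namespace}" prefix so both namespaced and bare elements match.
    return tag.rsplit("}", 1)[-1]


def extract_attributes(xml_text):
    """Map every SAML Attribute Name to its list of AttributeValue strings."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for element in root.iter():
        if _local_name(element.tag) != "Attribute":
            continue
        values = [child.text.strip() for child in element
                  if _local_name(child.tag) == "AttributeValue" and child.text]
        attrs.setdefault(element.get("Name"), []).extend(values)
    return attrs


def parse_redshift_attributes(xml_text):
    """Return DbUser, AutoCreate, DbGroups and Roles; reject a malformed DbUser before use."""
    attrs = extract_attributes(xml_text)
    dbuser_values = attrs.get(ATTR_DBUSER, [])
    if len(dbuser_values) > 1:
        raise ValueError("DbUser must carry exactly one AttributeValue")
    dbuser = dbuser_values[0] if dbuser_values else None
    if dbuser is not None and dbuser_issues(dbuser):
        raise ValueError(f"DbUser {dbuser!r}: " + "; ".join(dbuser_issues(dbuser)))
    autocreate = attrs.get(ATTR_AUTOCREATE, ["false"])[0].lower() == "true"
    roles = [tuple(v.split(",", 1)) for v in attrs.get(ATTR_ROLE, [])]
    return {"DbUser": dbuser, "AutoCreate": autocreate,
            "DbGroups": attrs.get(ATTR_DBGROUPS, []), "Roles": roles}


if __name__ == "__main__":
    print(parse_redshift_attributes(SAMPLE_ATTRIBUTE_STATEMENT))
```

Matching on the element's local name lets the same code read the bare `<Attribute>` snippets shown above and the namespaced elements of a real assertion; the rules in `dbuser_issues` are exactly the ones the page lists, so a display name such as "Bob Smith" is rejected with the reasons spelled out.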

## Step 3: Create an IAM role with permissions to call GetClusterCredentialsWithIAM or GetClusterCredentials
<a name="generating-iam-credentials-role-permissions"></a>

Your SQL client needs authorization to call the `GetClusterCredentialsWithIAM` or `GetClusterCredentials` operation on your behalf. To provide that authorization, you create a user or role and attach a policy that grants the necessary permissions. Both operations are available for obtaining the cluster credentials, but they differ in their authentication method. `GetClusterCredentialsWithIAM` uses an IAM role, automatically creating a database user that maps to the role, which is beneficial for managing permissions at the IAM role level, while `GetClusterCredentials` gives credentials for a given username in the database. 

**To create an IAM role with permissions to call GetClusterCredentialsWithIAM**

1. Using the IAM service, create a user or role. You can also use an existing user or role. For example, if you created an IAM role for identity provider access, you can attach the necessary IAM policies to that role. 

1. Attach a permission policy with permission to call the `redshift:GetClusterCredentialsWithIAM` operation. The following policy sample shows options to allow the operation for a specific cluster and database, any database in a cluster, and any database in any cluster. 

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "SpecificClusterAndDBName",
               "Effect": "Allow",
               "Action": "redshift:GetClusterCredentialsWithIAM",
               "Resource": [
                   "arn:aws:redshift:us-east-1:123456789012:dbname:testcluster/testdatabase"
               ]
           },
           {
               "Sid": "SpecificClusterAndAnyDBName",
               "Effect": "Allow",
               "Action": "redshift:GetClusterCredentialsWithIAM",
               "Resource": "arn:aws:redshift:us-east-1:123456789012:dbname:examplecluster/*"
           },
           {
               "Sid": "AnyClusterAnyDatabase",
               "Effect": "Allow",
               "Action": "redshift:GetClusterCredentialsWithIAM",
               "Resource": "*"
           }
       ]
   }
   ```

**To create an IAM role with permissions to call GetClusterCredentials**

1. Using the IAM service, create a user or role. You can also use an existing user or role. For example, if you created an IAM role for identity provider access, you can attach the necessary IAM policies to that role. 

1. Attach a permission policy with permission to call the `redshift:GetClusterCredentials` operation. Depending on which optional parameters you specify, you can also allow or restrict additional actions and resources in your policy:
   + To permit your SQL client to retrieve cluster ID, AWS Region, and port, include permission to call the `redshift:DescribeClusters` operation with the Redshift cluster resource. 
   + If you use the `AutoCreate` option, include permission to call `redshift:CreateClusterUser` with the `dbuser` resource. The following Amazon Resource Name (ARN) specifies the Amazon Redshift `dbuser`. Replace *`region`*, *`account-id`*, and *`cluster-name`* with the values for your AWS Region, account, and cluster. For *`dbuser-name`*, specify the user name to use to log in to the cluster database. 

     ```
     arn:aws:redshift:region:account-id:dbuser:cluster-name/dbuser-name
     ```
   + (Optional) Add an ARN that specifies the Amazon Redshift `dbname` resource in the following format. Replace *`region`*, *`account-id`*, and *`cluster-name`* with the values for your AWS Region, account, and cluster. For `database-name`, specify the name of a database that the user will log in to. 

     ```
     arn:aws:redshift:region:account-id:dbname:cluster-name/database-name
     ```
   + If you use the `DbGroups` option, include permission to call the `redshift:JoinGroup` operation with the Amazon Redshift `dbgroup` resource in the following format. Replace *`region`*, *`account-id`*, and *`cluster-name`* with the values for your AWS Region, account, and cluster. For `dbgroup-name`, specify the name of a user group that the user joins at login.

     ```
     arn:aws:redshift:region:account-id:dbgroup:cluster-name/dbgroup-name
     ```

For more information and examples, see [Resource policies for GetClusterCredentials](redshift-iam-access-control-identity-based.md#redshift-policy-resources.getclustercredentials-resources). 
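The following is an added example, not code from AWS, that assembles the least-privilege `GetClusterCredentials` policy described in this step from the `dbuser`, `dbname`, and `dbgroup` ARN formats above (granting `CreateClusterUser` only when `AutoCreate` is used and `JoinGroup` only for the listed groups), and then audits a policy document for the pattern that deserves the most scrutiny in review: an `Allow` of either credentials operation on `Resource: "*"`, which lets the principal mint database credentials for any user on any cluster in the account. The cluster ARN form `arn:aws:redshift:region:account:cluster:name` is the standard one for `DescribeClusters`; the audit runs over the `GetClusterCredentialsWithIAM` sample policy shown earlier on this page, embedded here as a string, and the user, database, and group names are constructed.

```python
import fnmatch
import json

CREDENTIAL_ACTIONS = ("redshift:GetClusterCredentials",
                      "redshift:GetClusterCredentialsWithIAM")


def redshift_arn(region, account, resource_type, cluster, name):
    """ARN for a dbuser, dbname or dbgroup resource, in the format the page gives."""
    return f"arn:aws:redshift:{region}:{account}:{resource_type}:{cluster}/{name}"


def build_policy(region, account, cluster, db_user, db_name, db_groups=(), auto_create=False):
    """Least-privilege policy for a SQL client that calls GetClusterCredentials.

    Only the named dbuser and dbname are allowed; DescribeClusters is scoped to
    the one cluster so the driver can look up endpoint and port; CreateClusterUser
    and JoinGroup are added only for the options that are actually in use.
    """
    cluster_arn = f"arn:aws:redshift:{region}:{account}:cluster:{cluster}"
    statements = [
        {"Sid": "GetClusterCredentials", "Effect": "Allow",
         "Action": "redshift:GetClusterCredentials",
         "Resource": [redshift_arn(region, account, "dbuser", cluster, db_user),
                      redshift_arn(region, account, "dbname", cluster, db_name)]},
        {"Sid": "DescribeClusters", "Effect": "Allow",
         "Action": "redshift:DescribeClusters", "Resource": cluster_arn},
    ]
    if auto_create:
        statements.append({"Sid": "AutoCreateDbUser", "Effect": "Allow",
                           "Action": "redshift:CreateClusterUser",
                           "Resource": redshift_arn(region, account, "dbuser", cluster, db_user)})
    if db_groups:
        statements.append({"Sid": "JoinDbGroups", "Effect": "Allow",
                           "Action": "redshift:JoinGroup",
                           "Resource": [redshift_arn(region, account, "dbgroup", cluster, g)
                                        for g in db_groups]})
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    # IAM accepts a single string or a list for Statement, Action and Resource.
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def find_wildcard_credential_grants(policy):
    """Sids of Allow statements that grant a credentials action on Resource "*".

    Action matching follows IAM wildcard semantics (case-insensitive, '*' and '?'),
    so "redshift:*" and "*" are caught as well as the literal action names.
    """
    flagged = []
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        patterns = [p.lower() for p in _as_list(statement.get("Action"))]
        grants_credentials = any(fnmatch.fnmatchcase(action.lower(), pattern)
                                 for action in CREDENTIAL_ACTIONS for pattern in patterns)
        if grants_credentials and "*" in _as_list(statement.get("Resource")):
            flagged.append(statement.get("Sid", "<unnamed>"))
    return flagged


# The GetClusterCredentialsWithIAM sample from this page (as valid JSON).
PAGE_SAMPLE_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SpecificClusterAndDBName", "Effect": "Allow",
         "Action": "redshift:GetClusterCredentialsWithIAM",
         "Resource": ["arn:aws:redshift:us-east-1:123456789012:dbname:testcluster/testdatabase"]},
        {"Sid": "SpecificClusterAndAnyDBName", "Effect": "Allow",
         "Action": "redshift:GetClusterCredentialsWithIAM",
         "Resource": "arn:aws:redshift:us-east-1:123456789012:dbname:examplecluster/*"},
        {"Sid": "AnyClusterAnyDatabase", "Effect": "Allow",
         "Action": "redshift:GetClusterCredentialsWithIAM",
         "Resource": "*"}
    ]
}
""")


if __name__ == "__main__":
    policy = build_policy("us-west-2", "123456789012", "examplecluster",
                          "temp_creds_user", "dev", db_groups=("group1",), auto_create=True)
    print(json.dumps(policy, indent=4))
    print("over-broad statements:", find_wildcard_credential_grants(PAGE_SAMPLE_POLICY))
```

Run against the page's sample, the audit reports only `AnyClusterAnyDatabase`; the first two statements are scoped to a database ARN and pass. The same check is worth running over every policy attached to the IdP role from Step 1, since that role is what federated users land in.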

## Step 4: Create a database user and database groups
<a name="generating-iam-credentials-user-and-groups"></a>

Optionally, you can create a database user that you use to log in to the cluster database. If you create temporary user credentials for an existing user, you can disable the user's password to force the user to log on with the temporary password. Alternatively, you can use the `GetClusterCredentials` `AutoCreate` option to automatically create a new database user. 

You can create database user groups with the permissions you want the IAM database user to join at login. When you call the `GetClusterCredentials` operation, you can specify a list of user group names that the new user joins at login. These group memberships are valid only for sessions created using credentials generated with the given request.

**To create a database user and database groups**

1. Log in to your Amazon Redshift database and create a database user using [CREATE USER](https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_USER.html) or alter an existing user using [ALTER USER](https://docs.aws.amazon.com/redshift/latest/dg/r_ALTER_USER.html). 

1. Optionally, specify the PASSWORD DISABLE option to prevent the user from using a password. When a user's password is disabled, the user can log on only using temporary credentials. If the password is not disabled, the user can log on either with the password or using temporary credentials. You can't disable the password for a superuser.

   Users need programmatic access if they want to interact with AWS outside of the AWS Management Console. The way to grant programmatic access depends on the type of user that's accessing AWS.

   To grant users programmatic access, choose one of the following options.

   [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/redshift/latest/mgmt/generating-iam-credentials-steps.html)

   The following example creates a user with password disabled.

   ```
   create user temp_creds_user password disable; 
   ```

   The following example disables the password for an existing user. 

   ```
   alter user temp_creds_user password disable;
   ```

1. Create database user groups using [CREATE GROUP](https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_GROUP.html). 

1. Use the [GRANT](https://docs.aws.amazon.com/redshift/latest/dg/r_GRANT.html) command to define access privileges for the groups.

## Step 5: Configure a JDBC or ODBC connection to use IAM credentials
<a name="generating-iam-credentials-configure-jdbc-odbc"></a>

You can configure your SQL client with an Amazon Redshift JDBC or ODBC driver. This driver manages the process of creating database user credentials and establishing a connection between your SQL client and your Amazon Redshift database. 

If you use an identity provider for authentication, specify the name of a credential provider plugin. The Amazon Redshift JDBC and ODBC drivers include plugins for the following SAML-based identity providers: 
+ Active Directory Federation Services (AD FS)
+ PingOne
+ Okta
+ Microsoft Azure AD

  For the steps to set up Microsoft Azure AD as an identity provider, see [Setting up JDBC or ODBC single sign-on authentication](setup-azure-ad-identity-provider.md).

<a name="to-configure-a-jdbc-connection"></a>

**To configure a JDBC connection to use IAM credentials**

1. Download the latest Amazon Redshift JDBC driver from the [Configuring a connection for JDBC driver version 2.x for Amazon Redshift](jdbc20-install.md) page.

1. Create a JDBC URL with the IAM credentials options in one of the following formats. To use IAM authentication, add `iam:` to the Amazon Redshift JDBC URL following `jdbc:redshift:` as shown in the following example.

   ```
   jdbc:redshift:iam://
   ```

   Add `cluster-name`, `region`, and `account-id`. The JDBC driver uses your IAM account information and cluster name to retrieve the cluster ID and AWS Region. To do so, your user or role must have permission to call the `redshift:DescribeClusters` operation with the specified cluster. If your user or role doesn't have permission to call the `redshift:DescribeClusters` operation, include the cluster ID, AWS Region, and port as shown in the following example. The port number is optional.

   ```
   jdbc:redshift:iam://examplecluster.abc123xyz789.us-west-2.redshift.amazonaws.com:5439/dev
   ```

1. Add JDBC options to provide IAM credentials. You use different combinations of JDBC options to provide IAM credentials. For details, see [JDBC and ODBC options for creating database user credentials](options-for-providing-iam-credentials.md#jdbc-and-odbc-options-for-database-credentials).

   The following URL specifies AccessKeyID and SecretAccessKey for a user.

   ```
   jdbc:redshift:iam://examplecluster:us-west-2/dev?AccessKeyID=AKIAIOSFODNN7EXAMPLE&SecretAccessKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
   ```

   The following example specifies a named profile that contains the IAM credentials.

   ```
   jdbc:redshift:iam://examplecluster:us-west-2/dev?Profile=user2
   ```

1. Add JDBC options that the JDBC driver uses to call the `GetClusterCredentials` API operation. Don't include these options if you call the `GetClusterCredentials` API operation programmatically.

   The following example includes the JDBC `GetClusterCredentials` options.

   ```
   jdbc:redshift:iam://examplecluster:us-west-2/dev?plugin_name=com.amazon.redshift.plugin.AzureCredentialsProvider&UID=user&PWD=password&idp_tenant=my_tenant&client_secret=my_secret&client_id=my_id
   ```

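The parser below is an added example (not part of the Amazon Redshift driver or its documentation) for the URL shapes in the procedure above. It tells the two host forms apart (`cluster:region`, which makes the driver call `redshift:DescribeClusters`, versus a full endpoint with port, which does not), reports where the IAM credentials come from (`Profile`, a `plugin_name`, or keys pasted into the URL), and redacts the secret-bearing options before a URL is written to a log or a ticket. The sample URLs are the ones shown on this page; the default port of 5439 and the case-insensitive treatment of option names are assumptions of the example.

```python
# Option names (compared case-insensitively) whose values must never be logged.
SECRET_OPTIONS = {"secretaccesskey", "sessiontoken", "pwd", "password", "client_secret"}
DEFAULT_PORT = 5439  # assumed default when the endpoint form omits the port
PREFIX = "jdbc:redshift:iam://"

# Sample URLs from this page.
URL_STATIC_KEYS = ("jdbc:redshift:iam://examplecluster:us-west-2/dev"
                   "?AccessKeyID=AKIAIOSFODNN7EXAMPLE&SecretAccessKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")
URL_PROFILE = "jdbc:redshift:iam://examplecluster:us-west-2/dev?Profile=user2"
URL_ENDPOINT = "jdbc:redshift:iam://examplecluster.abc123xyz789.us-west-2.redshift.amazonaws.com:5439/dev"
URL_PLUGIN = ("jdbc:redshift:iam://examplecluster:us-west-2/dev?plugin_name=com.amazon.redshift.plugin."
              "AzureCredentialsProvider&UID=user&PWD=password&idp_tenant=my_tenant&client_secret=my_secret&client_id=my_id")


def _split_options(query):
    """Split 'a=1&b=2' into an ordered dict without decoding the values."""
    options = {}
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        options[key] = value
    return options


def credential_source(options):
    keys = {k.lower() for k in options}
    if "plugin_name" in keys:
        return "plugin"
    if "profile" in keys:
        return "profile"
    if "accesskeyid" in keys or "secretaccesskey" in keys:
        return "static-keys-in-url"
    return "unspecified"


def parse_redshift_iam_url(url):
    """Break a jdbc:redshift:iam:// URL into cluster, region, database, endpoint, port and options."""
    if not url.startswith(PREFIX):
        raise ValueError("not an IAM-authenticated Amazon Redshift JDBC URL")
    location, _, query = url[len(PREFIX):].partition("?")
    netloc, _, database = location.partition("/")
    host, _, tail = netloc.partition(":")
    options = _split_options(query)
    result = {"database": database or None, "options": options,
              "credential_source": credential_source(options),
              "embedded_secrets": [k for k in options if k.lower() in SECRET_OPTIONS]}
    if "." in host:
        # Endpoint form: examplecluster.abc123xyz789.us-west-2.redshift.amazonaws.com:5439
        labels = host.split(".")
        result.update(endpoint=host, port=int(tail) if tail else DEFAULT_PORT,
                      cluster=labels[0], region=labels[2] if len(labels) > 2 else None,
                      needs_describe_clusters=False)
    else:
        # Cluster form: examplecluster:us-west-2 (driver resolves endpoint via DescribeClusters)
        result.update(endpoint=None, port=None, cluster=host, region=tail or None,
                      needs_describe_clusters=True)
    return result


def redact_url(url):
    """Mask secret option values so the URL can be logged or pasted safely."""
    base, sep, query = url.partition("?")
    if not sep:
        return url
    pairs = []
    for pair in query.split("&"):
        key, eq, _ = pair.partition("=")
        pairs.append(f"{key}=***" if eq and key.lower() in SECRET_OPTIONS else pair)
    return base + "?" + "&".join(pairs)


if __name__ == "__main__":
    for url in (URL_STATIC_KEYS, URL_PROFILE, URL_ENDPOINT, URL_PLUGIN):
        info = parse_redshift_iam_url(url)
        print(info["credential_source"], info["embedded_secrets"], redact_url(url))
```

A connection helper that logs `redact_url(url)` rather than the raw string, and that refuses the `static-keys-in-url` case in favour of `Profile=` or a plugin, removes the most common way long-term keys end up in application logs.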
<a name="to-configure-an-odbc-connection"></a>

**To configure an ODBC connection to use IAM credentials**

In the following procedure, you can find steps only to configure IAM authentication. For steps to use standard authentication, using a database user name and password, see [Configuring a connection for ODBC driver version 2.x for Amazon Redshift](odbc20-install.md).

1. Install and configure the latest Amazon Redshift ODBC driver for your operating system. For more information, see the [Configuring a connection for ODBC driver version 2.x for Amazon Redshift](odbc20-install.md) page.
   **Important**  
   The Amazon Redshift ODBC driver must be version 1.3.6.1000 or later.

1. Follow the steps for your operating system to configure connection settings.

1. On Microsoft Windows operating systems, access the Amazon Redshift ODBC Driver DSN Setup window.

   1. Under **Connection Settings**, enter the following information:
      + **Data Source Name** 
      + **Server** (optional) 
      + **Port** (optional) 
      + **Database** 

      If your user or role has permission to call the `redshift:DescribeClusters` operation, only **Data Source Name** and **Database** are required. Amazon Redshift uses **ClusterId** and **Region** to get the server and port by calling the `DescribeClusters` operation. 

      If your user or role doesn't have permission to call the `redshift:DescribeClusters` operation, specify **Server** and **Port**.

   1. Under **Authentication**, choose a value for **Auth Type**.

      For each authentication type, enter values as listed following.

      **AWS Profile**

      Enter the following information:
      + **ClusterID**
      + **Region**
      + **Profile name**

        Enter the name of a profile in an AWS config file that contains values for the ODBC connection options. For more information, see [Using a configuration profile](options-for-providing-iam-credentials.md#using-configuration-profile).

      (Optional) Provide details for options that the ODBC driver uses to call the `GetClusterCredentials` API operation:
      + **DbUser**
      + **User AutoCreate**
      + **DbGroups**

        For more information, see [JDBC and ODBC options for creating database user credentials](options-for-providing-iam-credentials.md#jdbc-and-odbc-options-for-database-credentials).

      **IAM Credentials**

      Enter the following information:
      + **ClusterID**
      + **Region**
      + **AccessKeyID** and **SecretAccessKey**

        The access key ID and secret access key for the IAM role or user configured for IAM database authentication.
      + **SessionToken**

        **SessionToken** is required for an IAM role with temporary credentials. For more information, see [Temporary Security Credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html).

      Provide details for options that the ODBC driver uses to call the `GetClusterCredentials` API operation:
      + **DbUser** (required)
      + **User AutoCreate** (optional)
      + **DbGroups** (optional)

        For more information, see [JDBC and ODBC options for creating database user credentials](options-for-providing-iam-credentials.md#jdbc-and-odbc-options-for-database-credentials).

      **Identity Provider: AD FS**

      For Windows Integrated Authentication with AD FS, leave **User** and **Password** empty.

      Provide IdP details:
      + **IdP Host**

        The name of the corporate identity provider host. This name should not include any slashes ( / ).
      + **IdP Port** (optional)

        The port used by the identity provider. The default is 443.
      + **Preferred Role**

        An Amazon Resource Name (ARN) for the IAM role from the multi-valued `AttributeValue` elements for the `Role` attribute in the SAML assertion. To find the appropriate value for the preferred role, work with your IdP administrator. For more information, see [Step 2: Configure SAML assertions for your IdP](#configuring-saml-assertions).

      (Optional) Provide details for options that the ODBC driver uses to call the `GetClusterCredentials` API operation:
      + **DbUser**
      + **User AutoCreate**
      + **DbGroups**

        For more information, see [JDBC and ODBC options for creating database user credentials](options-for-providing-iam-credentials.md#jdbc-and-odbc-options-for-database-credentials).

      **Identity Provider: PingFederate**

      For **User** and **Password**, enter your IdP user name and password.

      Provide IdP details:
      + **IdP Host**

        The name of the corporate identity provider host. This name should not include any slashes ( / ).
      + **IdP Port** (optional)

        The port used by the identity provider. The default is 443.
      + **Preferred Role**

        An Amazon Resource Name (ARN) for the IAM role from the multi-valued `AttributeValue` elements for the `Role` attribute in the SAML assertion. To find the appropriate value for the preferred role, work with your IdP administrator. For more information, see [Step 2: Configure SAML assertions for your IdP](#configuring-saml-assertions).

      (Optional) Provide details for options that the ODBC driver uses to call the `GetClusterCredentials` API operation:
      + **DbUser**
      + **User AutoCreate**
      + **DbGroups**

        For more information, see [JDBC and ODBC options for creating database user credentials](options-for-providing-iam-credentials.md#jdbc-and-odbc-options-for-database-credentials).

      **Identity Provider: Okta**

      For **User** and **Password**, enter your IdP user name and password.

      Provide IdP details:
      + **IdP Host**

        The name of the corporate identity provider host. This name should not include any slashes ( / ).
      + **IdP Port**

        This value is not used by Okta.
      + **Preferred Role**

        An Amazon Resource Name (ARN) for the IAM role from the `AttributeValue` elements for the `Role` attribute in the SAML assertion. To find the appropriate value for the preferred role, work with your IdP administrator. For more information, see [Step 2: Configure SAML assertions for your IdP](#configuring-saml-assertions).
      + **Okta App ID**

        An ID for an Okta application. The value for App ID follows "amazon_aws" in the Okta application embed link. Work with your IdP administrator to get this value.

      (Optional) Provide details for options that the ODBC driver uses to call the `GetClusterCredentials` API operation:
      + **DbUser**
      + **User AutoCreate**
      + **DbGroups**

        For more information, see [JDBC and ODBC options for creating database user credentials](options-for-providing-iam-credentials.md#jdbc-and-odbc-options-for-database-credentials).

      **Identity Provider: Azure AD**

      For **User** and **Password**, enter your IdP user name and password.

      For **Cluster ID** and **Region**, enter the cluster ID and AWS Region of your Amazon Redshift cluster.

      For **Database**, enter the database that you created for your Amazon Redshift cluster.

      Provide IdP details:
      + **IdP Tenant**

        The tenant used for Azure AD.
      + **Azure Client Secret**

        The client secret of the Amazon Redshift enterprise app in Azure.
      + **Azure Client ID**

        The client ID (application ID) of the Amazon Redshift enterprise app in Azure.

      (Optional) Provide details for options that the ODBC driver uses to call the `GetClusterCredentials` API operation:
      + **DbUser**
      + **User AutoCreate**
      + **DbGroups**

        For more information, see [JDBC and ODBC options for creating database user credentials](options-for-providing-iam-credentials.md#jdbc-and-odbc-options-for-database-credentials).

# Options for providing IAM credentials
<a name="options-for-providing-iam-credentials"></a>

To provide IAM credentials for a JDBC or ODBC connection, choose one of the following options.
+ **AWS profile** 

  As an alternative to providing credentials values in the form of JDBC or ODBC settings, you can put the values in a named profile. For more information, see [Using a configuration profile](#using-configuration-profile).
+ **IAM credentials**

  Provide values for AccessKeyID, SecretAccessKey, and, optionally, SessionToken in the form of JDBC or ODBC settings. SessionToken is required only for an IAM role with temporary credentials. For more information, see [JDBC and ODBC options for providing IAM credentials](#jdbc-options-for-providing-iam-credentials).
+ **Identity provider federation** 

  When you use identity provider federation to enable users from an identity provider to authenticate to Amazon Redshift, specify the name of a credential provider plugin. For more information, see [Credentials provider plugins](#using-credentials-provider-plugin).

  The Amazon Redshift JDBC and ODBC drivers include plugins for the following SAML-based identity federation credential providers: 
  + Microsoft Active Identity Federation Services (AD FS)
  + PingOne
  + Okta
  + Microsoft Azure Active Directory (Azure AD)

  You can provide the plugin name and related values in the form of JDBC or ODBC settings or by using a profile. For more information, see [Options for JDBC driver version 2.x configuration](jdbc20-configuration-options.md). 

For more information, see [Step 5: Configure a JDBC or ODBC connection to use IAM credentials](generating-iam-credentials-steps.md#generating-iam-credentials-configure-jdbc-odbc).

## Using a configuration profile
<a name="using-configuration-profile"></a>

You can supply the IAM credentials options and `GetClusterCredentials` options as settings in named profiles in your AWS configuration file. To provide the profile name, use the Profile JDBC option. The configuration is stored in a file named `config` or a file named `credentials` in a folder named `.aws` in your home directory.

For a SAML-based credential provider plugin included with an Amazon Redshift JDBC or ODBC driver, you can use the settings described just preceding in [Credentials provider plugins](#using-credentials-provider-plugin). If `plugin_name` isn't used, the other options are ignored.

The following example shows the `~/.aws/credentials` file with two profiles.

```
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[user2]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
session_token=AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQWLWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGdQrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz+scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==
```

To use the credentials for the `user2` example, specify `Profile=user2` in the JDBC URL.
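As an added example (not AWS tooling), the following resolves a named profile the way the two files above are layered: settings from `~/.aws/credentials` take precedence over `~/.aws/config`, and in the config file every profile except `default` is written as `[profile name]`. It then checks that the profile is complete, in particular that temporary credentials (access key IDs that begin with `ASIA`) carry a session token, since the page notes `SessionToken` is required for an IAM role with temporary credentials. The credentials text is the page's example with the token on one line; the config text, the `ASIA...` key, and the region values are constructed. Both the `session_token` key shown on this page and the `aws_session_token` key used by the AWS CLI are accepted.

```python
import configparser

# The page's ~/.aws/credentials example (session_token joined onto one line).
CREDENTIALS_FILE = """\
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[user2]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
session_token=AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQWLWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGdQrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz+scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==
"""

# Constructed ~/.aws/config: non-default profiles use the "profile " prefix.
CONFIG_FILE = """\
[default]
region = us-east-1

[profile user2]
region = us-west-2
"""


def _parse_ini(text):
    # interpolation=None so '%' inside a secret is not treated as a substitution.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def load_profile(name, credentials_text="", config_text=""):
    """Merge the profile from both files; credentials values win over config values."""
    merged = {}
    if config_text:
        config = _parse_ini(config_text)
        section = "default" if name == "default" else f"profile {name}"
        if config.has_section(section):
            merged.update(config[section])
    if credentials_text:
        credentials = _parse_ini(credentials_text)
        if credentials.has_section(name):
            merged.update(credentials[name])
    if not merged:
        raise KeyError(f"profile {name!r} not found in either file")
    return merged


def check_credentials(profile):
    """Return a list of problems that would make a JDBC/ODBC IAM login fail."""
    problems = []
    key_id = profile.get("aws_access_key_id")
    if not key_id:
        problems.append("missing aws_access_key_id")
    if not profile.get("aws_secret_access_key"):
        problems.append("missing aws_secret_access_key")
    token = profile.get("session_token") or profile.get("aws_session_token")
    if key_id and key_id.startswith("ASIA") and not token:
        problems.append("temporary access key (ASIA...) without a session_token")
    return problems


if __name__ == "__main__":
    profile = load_profile("user2", CREDENTIALS_FILE, CONFIG_FILE)
    print({k: (v if k == "region" or k == "aws_access_key_id" else "***") for k, v in profile.items()})
    print("problems:", check_credentials(profile))
```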

For more information on using profiles, see [Configuration and credential file settings](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html) in the *AWS Command Line Interface User Guide*. 

For more information on using profiles for the JDBC driver, see [Specifying profiles](jdbc20-configure-authentication-ssl.md#jdbc20-aws-credentials-profiles). 

For more information on using profiles for the ODBC driver, see [Authentication methods](odbc20-authentication-ssl.md). 

## JDBC and ODBC options for providing IAM credentials
<a name="jdbc-options-for-providing-iam-credentials"></a>

The following table lists the JDBC and ODBC options for providing IAM credentials.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/redshift/latest/mgmt/options-for-providing-iam-credentials.html)

## JDBC and ODBC options for creating database user credentials
<a name="jdbc-and-odbc-options-for-database-credentials"></a>

To use the Amazon Redshift JDBC or ODBC driver to create database user credentials, provide the database user name as a JDBC or ODBC option. Optionally, you can have the driver create a new database user if one doesn't exist, and you can specify a list of database user groups the user joins at login. 

If you use an identity provider (IdP), work with your IdP administrator to determine the correct values for these options. Your IdP administrator can also configure your IdP to provide these options, in which case you don't need to provide them as JDBC or ODBC options. For more information, see [Step 2: Configure SAML assertions for your IdP](generating-iam-credentials-steps.md#configuring-saml-assertions). 

**Note**  
If you use an IAM policy variable `${redshift:DbUser}`, as described in [Resource policies for GetClusterCredentials](redshift-iam-access-control-identity-based.md#redshift-policy-resources.getclustercredentials-resources) the value for `DbUser` is replaced with the value retrieved by the API operation's request context. The Amazon Redshift drivers use the value for the `DbUser` variable provided by the connection URL, rather than the value supplied as a SAML attribute.   
To help secure this configuration, we recommend that you use a condition in an IAM policy to validate the `DbUser` value with the `RoleSessionName`. You can find examples of how to set a condition using an IAM policy in [Example 8: IAM policy for using GetClusterCredentials](redshift-iam-access-control-identity-based.md#redshift-policy-examples-getclustercredentials).

The following table lists the options for creating database user credentials. 

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/redshift/latest/mgmt/options-for-providing-iam-credentials.html)

## Credentials provider plugins
<a name="using-credentials-provider-plugin"></a>

Amazon Redshift uses credentials provider plugins for single sign-on authentication.

To support single sign-on authentication, Amazon Redshift provides the Azure AD plugin for Microsoft Azure Active Directory. For information on how to configure this plugin, see [Setting up JDBC or ODBC single sign-on authentication](setup-azure-ad-identity-provider.md).

### Multi-factor authentication
<a name="setting_mfa"></a>

To support multi-factor authentication (MFA), Amazon Redshift provides browser-based plugins. Use the browser SAML plugin for Okta and PingOne, and the browser Azure AD plugin for Microsoft Azure Active Directory.

With the browser SAML plugin, OAuth authentication flows like this:

![\[OAuth workflows for how the plugin, local server, web browser, and endpoint work together to authenticate a user with SAML authentication.\]](http://docs.aws.amazon.com/redshift/latest/mgmt/images/BrowserSAML_plugin.png)


1. A user tries to log in.

1. The plugin launches a local server to listen to incoming connections on the localhost.

1. The plugin launches a web browser to request a SAML response over HTTPS from the specified single sign-on login URL federated identity provider endpoint.

1. The web browser follows the link and prompts the user to enter credentials.

1. After the user authenticates and grants consent, the federated identity provider endpoint returns a SAML response over HTTPS to the URI indicated by `redirect_uri`.

1. The web browser moves the response message with the SAML response to the indicated `redirect_uri`.

1. The local server accepts the incoming connection and the plugin retrieves the SAML response and passes it to Amazon Redshift.
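The local-server leg of that flow (steps 2, 6 and 7) is easy to get subtly wrong, so here is an added, self-contained example of it; this is not the driver's own code. It binds a listener to the loopback address only, on an ephemeral port, accepts a single HTTP-POST binding request carrying `SAMLResponse` at the configured `redirect_uri` path, refuses anything else, never logs the request body, and gives up after a timeout so an abandoned login does not leave a listener open. Checking `RelayState` against a value the plugin generated is an added hardening that the page does not attribute to the driver. `demo_roundtrip` plays the browser from a second thread using a constructed, unsigned stand-in for the IdP's response; a real response is a signed `<samlp:Response>` that must be verified before anything in it is trusted.

```python
import base64
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

# Constructed stand-in for the IdP's SAML response (a real one is signed XML).
SAMPLE_SAML_RESPONSE = b'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="constructed"/>'


class _CallbackHandler(BaseHTTPRequestHandler):
    """Accepts exactly one HTTP-POST binding request at the redirect_uri path."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        form = parse_qs(self.rfile.read(length).decode("utf-8"))
        encoded = form.get("SAMLResponse", [None])[0]
        relay_state = form.get("RelayState", [None])[0]
        if (self.path != self.server.callback_path or encoded is None
                or relay_state != self.server.relay_state):
            self.send_error(400, "unexpected callback")  # wrong path, no response, or foreign RelayState
            return
        try:
            self.server.saml_response = base64.b64decode(encoded, validate=True)
        except ValueError:
            self.send_error(400, "SAMLResponse is not valid base64")
            return
        body = b"Authentication received. You can close this window."
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, format, *args):
        pass  # never write request details (they carry the SAML response) to the console


class SamlCallbackServer(HTTPServer):
    def __init__(self, relay_state, callback_path="/redshift/"):
        super().__init__(("127.0.0.1", 0), _CallbackHandler)  # loopback only, ephemeral port
        self.relay_state = relay_state
        self.callback_path = callback_path
        self.saml_response = None
        self.timeout = 0.2  # how long each handle_request() waits before returning

    @property
    def redirect_uri(self):
        host, port = self.server_address[:2]
        return f"http://{host}:{port}{self.callback_path}"

    def wait_for_response(self, timeout_seconds):
        """Serve until a SAMLResponse arrives or the deadline passes; returns the decoded bytes or None."""
        deadline = time.monotonic() + timeout_seconds
        while self.saml_response is None and time.monotonic() < deadline:
            self.handle_request()
        return self.saml_response


def demo_roundtrip(relay_state="constructed-nonce"):
    """Run the plugin side in a thread and let this thread act as the browser posting the response."""
    server = SamlCallbackServer(relay_state)
    received = {}
    plugin = threading.Thread(target=lambda: received.update(saml=server.wait_for_response(10)))
    plugin.start()
    form = urlencode({"SAMLResponse": base64.b64encode(SAMPLE_SAML_RESPONSE).decode(),
                      "RelayState": relay_state}).encode()
    with urlopen(Request(server.redirect_uri, data=form), timeout=5) as response:
        assert response.status == 200
    plugin.join()
    server.server_close()
    return received["saml"]


if __name__ == "__main__":
    print(demo_roundtrip())
```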

With the browser Azure AD plugin, SAML authentication flows like this:

![\[Azure workflows for how the plugin, local server, web browser, and endpoint work together to authenticate a user with SAML authentication.\]](http://docs.aws.amazon.com/redshift/latest/mgmt/images/BrowserAzure_plugin.png)


1. A user tries to log in.

1. The plugin launches a local server to listen to incoming connections on the localhost.

1. The plugin launches a web browser to request an authorization code from the Azure AD `oauth2/authorize` endpoint.

1. The web browser follows the generated link over HTTPS and prompts the user to enter credentials. The link is generated using configuration properties, such as tenant and `client_id`.

1. After the user authenticates and grants consent, the Azure AD `oauth2/authorize` endpoint returns and sends a response over HTTPS with the authorization code to the indicated `redirect_uri`.

1. The web browser moves the response message with the SAML response to the indicated `redirect_uri`.

1. The local server accepts the incoming connection and the plugin requests and retrieves the authorization code and sends a POST request to the Azure AD `oauth2/token` endpoint.

1. The Azure AD `oauth2/token` endpoint returns a response with an access token to the indicated `redirect_uri`.

1. The plugin retrieves the SAML response and passes it to Amazon Redshift.

See the following sections:
+ Active Directory Federation Services (AD FS)

  For more information, see [Setting up JDBC or ODBC single sign-on authentication](setup-azure-ad-identity-provider.md).
+ PingOne (Ping) 

  Ping is supported only with the predetermined PingOne IdP Adapter using Forms authentication. 

  For more information, see [Setting up JDBC or ODBC single sign-on authentication](setup-azure-ad-identity-provider.md).
+ Okta 

  Okta is supported only for the Okta-supplied application used with the AWS Management Console. 

  For more information, see [Setting up JDBC or ODBC single sign-on authentication](setup-azure-ad-identity-provider.md).
+ Microsoft Azure Active Directory

  For more information, see [Setting up JDBC or ODBC single sign-on authentication](setup-azure-ad-identity-provider.md).

### Plugin options
<a name="configuring_plugin_options"></a>

To use a SAML-based credentials provider plugin, specify the following options using JDBC or ODBC options or in a named profile. If `plugin_name` isn't specified, the other options are ignored.

[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/redshift/latest/mgmt/options-for-providing-iam-credentials.html)

# Generating database credentials for an IAM identity using the Amazon Redshift CLI or API
<a name="generating-iam-credentials-cli-api"></a>

To programmatically generate temporary database user credentials, Amazon Redshift provides the [get-cluster-credentials](https://docs.aws.amazon.com/cli/latest/reference/redshift/get-cluster-credentials.html) command for the AWS Command Line Interface (AWS CLI) and the [GetClusterCredentials](https://docs.aws.amazon.com/redshift/latest/APIReference/API_GetClusterCredentials.html) API operation. Or you can configure your SQL client with Amazon Redshift JDBC or ODBC drivers that manage the process of calling the `GetClusterCredentials` operation, retrieving the database user credentials, and establishing a connection between your SQL client and your Amazon Redshift database. For more information, see [JDBC and ODBC options for creating database user credentials](options-for-providing-iam-credentials.md#jdbc-and-odbc-options-for-database-credentials).

**Note**  
We recommend using the Amazon Redshift JDBC or ODBC drivers to generate database user credentials.

In this section, you can find steps to programmatically call the `GetClusterCredentials` operation or get-cluster-credentials command, retrieve database user credentials, and connect to the database.

**To generate and use temporary database credentials**

1. Create or modify a user or role with the required permissions. For more information about IAM permissions, see [Step 3: Create an IAM role with permissions to call GetClusterCredentialsWithIAM or GetClusterCredentials](generating-iam-credentials-steps.md#generating-iam-credentials-role-permissions).

1. As a user or role you authorized in the previous step, run the get-cluster-credentials CLI command or call the `GetClusterCredentials` API operation and provide the following values:
   + **Cluster identifier** – The name of the cluster that contains the database.
   + **Database user name** – The name of an existing or new database user.
     + If the user doesn't exist in the database and AutoCreate is true, a new user is created with PASSWORD disabled.
     +  If the user doesn't exist, and AutoCreate is false, the request fails. 
     + For this example, the database user name is `temp_creds_user`. 
   +  **Autocreate ** – (Optional) Create a new user if the database user name doesn't exist.
   +  **Database name ** – (Optional) The name of the database that the user is authorized to log on to. If database name isn't specified, the user can log on to any cluster database.
   +  **Database groups** – (Optional) A list of existing database user groups. Upon successful login, the database user is added to the specified user groups. If no group is specified, the user has only PUBLIC permissions. The user group names must match the `dbgroup` resource ARNs specified in the IAM policy attached to the user or role. 
   +  **Expiration time** – (Optional) The time, in seconds, until the temporary credentials expire. You can specify a value between 900 seconds (15 minutes) and 3600 seconds (60 minutes). The default is 900 seconds.

1. Amazon Redshift verifies that the user has permission to call the `GetClusterCredentials` operation with the specified resources. 

1. Amazon Redshift returns a temporary password and the database user name.

   The following example uses the Amazon Redshift CLI to generate temporary database credentials for an existing user named `temp_creds_user`.

   ```
   aws redshift get-cluster-credentials --cluster-identifier examplecluster --db-user temp_creds_user --db-name exampledb --duration-seconds 3600
   ```

   The result is as follows.

   ```
   {
     "DbUser": "IAM:temp_creds_user", 
     "Expiration": "2016-12-08T21:12:53Z", 
     "DbPassword": "EXAMPLEjArE3hcnQj8zt4XQj9Xtma8oxYEM8OyxpDHwXVPyJYBDm/gqX2Eeaq6P3DgTzgPg=="
   }
   ```

   The following example uses the Amazon Redshift CLI with autocreate to generate temporary database credentials for a new user and add the user to the group `example_group`.

   ```
   aws redshift get-cluster-credentials --cluster-identifier examplecluster --db-user temp_creds_user --auto-create --db-name exampledb --db-groups example_group --duration-seconds 3600
   ```

   The result is as follows.

   ```
   {
     "DbUser": "IAMA:temp_creds_user:example_group", 
     "Expiration": "2016-12-08T21:12:53Z", 
     "DbPassword": "EXAMPLEjArE3hcnQj8zt4XQj9Xtma8oxYEM8OyxpDHwXVPyJYBDm/gqX2Eeaq6P3DgTzgPg=="
   }
   ```

1. Establish an SSL/TLS connection with the Amazon Redshift cluster and send a login request with the user name and password from the `GetClusterCredentials` response. Include the `IAM:` or `IAMA:` prefix with the user name, for example `IAM:temp_creds_user` or `IAMA:temp_creds_user`.
**Important**  
Configure your SQL client to require SSL. Otherwise, if your SQL client tries SSL first but is allowed to fall back to a non-SSL connection on failure, the first attempt might fail because the credentials are expired or invalid, and the second attempt then fails because the connection is not SSL. If that occurs, the first (and more informative) error message might be missed. For more information about connecting to your cluster using SSL, see [Configuring security options for connections](connecting-ssl-support.md).

1. If the connection doesn't use SSL, the connection attempt fails. 

1. The cluster sends an `authentication` request to the SQL client. 

1. The SQL client then sends the temporary password to the cluster. 

1. If the password is valid and has not expired, the cluster completes the connection. 
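The procedure above carried through in code, as an added Python example that is not AWS code: it validates the `GetClusterCredentials` parameters client-side, calls the operation through a boto3-style client, checks the returned `Expiration` before attempting a login, and builds a libpq connection string pinned to `sslmode=verify-full` so the client cannot silently fall back to a plaintext connection (the failure mode the Important note warns about). `FakeRedshiftClient` is a constructed stand-in for `boto3.client("redshift")` so the block runs offline and echoes the response shape shown above; the cluster endpoint, the sample password and the `sslrootcert` handling are assumptions.

```python
import datetime

MIN_DURATION, MAX_DURATION = 900, 3600  # documented DurationSeconds limits
UTC = datetime.timezone.utc


def build_credentials_request(cluster_identifier, db_user, db_name=None,
                              db_groups=(), auto_create=False, duration_seconds=900):
    """Shape and validate GetClusterCredentials parameters before the call."""
    if not MIN_DURATION <= duration_seconds <= MAX_DURATION:
        raise ValueError("DurationSeconds must be between 900 and 3600")
    if ":" in db_user or "/" in db_user:
        # The API rejects these characters; in particular the IAM:/IAMA:
        # prefix belongs in the response, never in the request.
        raise ValueError("DbUser must not contain ':' or '/'")
    params = {"ClusterIdentifier": cluster_identifier, "DbUser": db_user,
              "DurationSeconds": duration_seconds, "AutoCreate": auto_create}
    if db_name:
        params["DbName"] = db_name
    if db_groups:
        params["DbGroups"] = list(db_groups)
    return params


def as_utc(value):
    """boto3 returns tz-aware datetimes; the CLI prints ISO-8601 'Z' strings."""
    if isinstance(value, str):
        value = datetime.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
    return value.astimezone(UTC)


def fetch_temporary_credentials(redshift_client, **request):
    """Call GetClusterCredentials; returns (prefixed DbUser, password, expiration)."""
    resp = redshift_client.get_cluster_credentials(**build_credentials_request(**request))
    return resp["DbUser"], resp["DbPassword"], as_utc(resp["Expiration"])


def credentials_usable(expiration, now=None, skew=datetime.timedelta(seconds=30)):
    """Refuse to start a login that would race the credential expiry."""
    now = now or datetime.datetime.now(UTC)
    return expiration - now > skew


def pq_quote(value):
    """Quote a libpq DSN value; backslash and single quote are escaped."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def build_dsn(host, port, db_name, db_user, db_password, sslrootcert=None):
    """libpq DSN pinned to sslmode=verify-full: no silent fallback to plaintext."""
    parts = {"host": host, "port": str(port), "dbname": db_name,
             "user": db_user, "password": db_password, "sslmode": "verify-full"}
    if sslrootcert:
        parts["sslrootcert"] = sslrootcert  # assumption: path to the Redshift CA bundle
    return " ".join(f"{key}={pq_quote(val)}" for key, val in parts.items())


class FakeRedshiftClient:
    """Constructed stand-in for boto3.client("redshift"); echoes the response shape above."""

    def get_cluster_credentials(self, **params):
        user = ("IAMA:" if params["AutoCreate"] else "IAM:") + params["DbUser"]
        if params.get("DbGroups"):
            user += ":" + ":".join(params["DbGroups"])
        expires = datetime.datetime.now(UTC) + datetime.timedelta(seconds=params["DurationSeconds"])
        return {"DbUser": user, "DbPassword": "EXAMPLEpassword", "Expiration": expires}


def connection_string_for(redshift_client, host, port, **request):
    """End to end: fetch credentials, check they are still valid, build a TLS-only DSN."""
    db_user, password, expiration = fetch_temporary_credentials(redshift_client, **request)
    if not credentials_usable(expiration):
        raise RuntimeError("temporary credentials expired before use")
    return build_dsn(host, port, request.get("db_name") or "dev", db_user, password)


if __name__ == "__main__":
    # Production: redshift_client = boto3.client("redshift", region_name="us-west-1")
    # The host name below is an assumed cluster endpoint.
    print(connection_string_for(FakeRedshiftClient(),
                                "examplecluster.abc123.us-west-1.redshift.amazonaws.com", 5439,
                                cluster_identifier="examplecluster", db_user="temp_creds_user",
                                db_name="exampledb", db_groups=["example_group"],
                                auto_create=True, duration_seconds=3600))
```

The returned `DbUser` already carries the `IAM:` or `IAMA:` prefix, so it is passed to the driver verbatim; the DSN produced here can be handed to `psycopg2.connect()` unchanged.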

# Setting up JDBC or ODBC single sign-on authentication
<a name="setup-azure-ad-identity-provider"></a>

You can use external identity providers (IdPs) to authenticate and authorize users who access your Amazon Redshift cluster. This centralizes user management, role-based access control, and auditing across multiple services. Common use cases include streamlining authentication for diverse user groups, enforcing consistent access policies, and meeting regulatory requirements. 

The following pages guide you through configuring IdP integration with your Redshift cluster. For more information about configuring AWS as a service provider for the IdP, see [Configuring Your SAML 2.0 IdP with Relying Party Trust and Adding Claims](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html#saml_relying-party) in the *IAM User Guide*.

# AD FS
<a name="setup-identity-provider-adfs"></a>

This tutorial shows you how you can use AD FS as an identity provider (IdP) to access your Amazon Redshift cluster.

## Step 1: Set up AD FS and your AWS account to trust each other
<a name="setup-identity-provider-adfs-trust"></a>

 The following procedure describes how to set up a trust relationship. 

1. Create or use an existing Amazon Redshift cluster for your AD FS users to connect to. To configure the connection, certain properties of this cluster are needed, such as the cluster identifier. For more information, see [Creating a Cluster](https://docs.aws.amazon.com/redshift/latest/mgmt/create-cluster.html).

1. Set up AD FS to control Amazon Redshift access on the Microsoft Management Console: 

   1. Choose **ADFS 2.0**, and then choose **Add Relying Party Trust**. On the **Add Relying Party Trust Wizard** page, choose **Start**.

   1. On the **Select Data Source** page, choose **Import data about the relying party published online or on a local network**.

   1. For **Federation metadata address (host name or URL)**, enter **https://signin.aws.amazon.com/saml-metadata.xml**. The metadata XML file is a standard SAML metadata document that describes AWS as a relying party.

   1. On the **Specify Display Name** page, enter a value for **Display name**. 

   1. On the **Choose Issuance Authorization Rules** page, choose an issuance authorization rule to either permit or deny all users to access this relying party.

   1. On the **Ready to Add Trust** page, review your settings.

   1. On the **Finish** page, choose **Open the Edit Claim Rules dialog for this relying party trust when the wizard closes**.

   1. On the context (right-click) menu, choose **Relying Party Trusts**.

   1. For your relying party, open the context (right-click) menu and choose **Edit Claim Rules**. On the **Edit Claim Rules** page, choose **Add Rule**.

   1. For **Claim rule template**, choose **Transform an Incoming Claim**, and then on the **Edit Rule – NameId** page, do the following:
      + For **Claim rule name**, enter **NameId**.
      + For **Incoming claim name**, choose **Windows Account Name**.
      + For **Outgoing claim name**, choose **Name ID**.
      + For **Outgoing name ID format**, choose **Persistent Identifier**.
      + Choose **Pass through all claim values**.

   1. On the **Edit Claim Rules** page, choose **Add Rule**. On the **Select Rule Template** page, for **Claim rule template**, choose **Send LDAP Attributes as Claims**.

   1. On the **Configure Rule** page, do the following:
      + For **Claim rule name**, enter **RoleSessionName**.
      + For **Attribute store**, choose **Active Directory**.
      + For **LDAP Attribute**, choose **Email Addresses**.
      + For **Outgoing Claim Type**, choose **https://aws.amazon.com/SAML/Attributes/RoleSessionName**.

   1. On the **Edit Claim Rules** page, choose **Add Rule**. On the **Select Rule Template** page, for **Claim rule template**, choose **Send Claims Using a Custom Rule**.

   1. On the **Edit Rule – Get AD Groups** page, for **Claim rule name**, enter **Get AD Groups**.

   1. For **Custom rule**, enter the following.

      ```
      c:[Type ==
                                          "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
                                          Issuer == "AD AUTHORITY"] => add(store = "Active Directory",
                                          types = ("http://temp/variable"), query = ";tokenGroups;{0}",
                                          param = c.Value);
      ```

   1. On the **Edit Claim Rules** page, choose **Add Rule**. On the **Select Rule Template** page, for **Claim rule template**, choose **Send Claims Using a Custom Rule**.

   1. On the **Edit Rule – Roles** page, for **Claim rule name**, type **Roles**.

   1. For **Custom rule,** enter the following.

      ```
      c:[Type == "http://temp/variable", Value =~ "(?i)^AWS-"] => issue(Type = "https://aws.amazon.com/SAML/Attributes/Role", Value = RegExReplace(c.Value, "AWS-", "arn:aws:iam::123456789012:saml-provider/ADFS,arn:aws:iam::123456789012:role/ADFS-"));
      ```

      Note the ARNs of the SAML provider and role to assume. In this example, `arn:aws:iam::123456789012:saml-provider/ADFS` is the ARN of the SAML provider and `arn:aws:iam::123456789012:role/ADFS-` is the prefix of the role ARN; the AD group name that follows `AWS-` is appended to it, so group `AWS-Analysts` maps to the role `ADFS-Analysts`.

1. Make sure that you have downloaded the `federationmetadata.xml` file. Check that the document contents do not have invalid characters. This is the metadata file you use when configuring the trust relationship with AWS. 

1. Create an IAM SAML identity provider on the IAM console. The metadata document that you provide is the `federationmetadata.xml` file that you downloaded from AD FS in the previous step. For detailed steps, see [Creating and Managing an IAM Identity Provider (Console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html#idp-manage-identityprovider-console) in the *IAM User Guide*. 

1. Create an IAM role for SAML 2.0 federation on the IAM console. For detailed steps, see [Creating a Role for SAML](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html#idp_saml_Create) in the *IAM User Guide*. 

1. Create an IAM policy that you can attach to the IAM role that you created for SAML 2.0 federation on the IAM console. For detailed steps, see [Creating IAM Policies (Console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-start) in the *IAM User Guide*. For an Azure AD example, see [Setting up JDBC or ODBC single sign-on authentication](setup-azure-ad-identity-provider.md). 

## Step 2: Set up JDBC or ODBC for authentication to AD FS
<a name="setup-identity-provider-adfs-auth"></a>

------
#### [ JDBC ]

 The following procedure describes how to set up a JDBC relationship to AD FS. 
+ Configure your database client to connect to your cluster through JDBC using AD FS single sign-on. 

  You can use any client that uses a JDBC driver to connect using AD FS single sign-on or use a language like Java to connect using a script. For installation and configuration information, see [Configuring a connection for JDBC driver version 2.x for Amazon Redshift](jdbc20-install.md).

  For example, you can use SQLWorkbench/J as the client. When you configure SQLWorkbench/J, the URL of your database uses the following format.

  ```
  jdbc:redshift:iam://cluster-identifier:us-west-1/dev
  ```

  If you use SQLWorkbench/J as the client, take the following steps:

  1. Start SQL Workbench/J. In the **Select Connection Profile** page, add a **Profile Group**, for example **ADFS**.

  1. For **Connection Profile**, enter your connection profile name, for example **ADFS**.

  1. Choose **Manage Drivers**, and choose **Amazon Redshift**. Choose the **Open Folder** icon next to **Library**, then choose the appropriate JDBC .jar file. 

  1. On the **Select Connection Profile** page, add information to the connection profile as follows:
     + For **User**, enter your AD FS user name. This is the user name of the account that you are using for single sign-on that has permission to the cluster that you are trying to authenticate using.
     + For **Password**, enter your AD FS password.
     + For **Drivers**, choose **Amazon Redshift (com.amazon.redshift.jdbc.Driver)**.
     + For **URL**, enter **jdbc:redshift:iam://*your-cluster-identifier*:*your-cluster-region*/*your-database-name***.

  1. Choose **Extended Properties**. For **plugin_name**, enter **com.amazon.redshift.plugin.AdfsCredentialsProvider**. This value tells the driver to use AD FS single sign-on as the authentication method. 

------
#### [ ODBC ]

**To set up ODBC for authentication to AD FS**
+ Configure your database client to connect to your cluster through ODBC using AD FS single sign-on. 

  Amazon Redshift provides ODBC drivers for Linux, Windows, and macOS operating systems. Before you install an ODBC driver, determine whether your SQL client tool is 32-bit or 64-bit. Install the ODBC driver that matches the requirements of your SQL client tool. 

  On Windows, in the **Amazon Redshift ODBC Driver DSN Setup** page, under **Connection Settings**, enter the following information: 
  + For **Data Source Name**, enter ***your-DSN***. This specifies the data source name used as the ODBC profile name. 
  + For **Auth type**, choose **Identity Provider: SAML**. This is the authentication method that the ODBC driver uses to authenticate using AD FS single sign-on.
  + For **Cluster ID**, enter ***your-cluster-identifier***. 
  + For **Region**, enter ***your-cluster-region***.
  + For **Database**, enter ***your-database-name***.
  + For **User**, enter ***your-adfs-username***. This is the user name of the AD FS account that you are using for single sign-on and that has permission to the cluster you're authenticating to. Use this only when **Auth type** is **Identity Provider: SAML**.
  + For **Password**, enter ***your-adfs-password***. Use this only when **Auth type** is **Identity Provider: SAML**. 

  On macOS and Linux, edit the `odbc.ini` file as follows: 
**Note**  
All entries are case-insensitive.
  + For **clusterid**, enter ***your-cluster-identifier***. This is the name of the created Amazon Redshift cluster.
  + For **region**, enter ***your-cluster-region***. This is the AWS Region of the created Amazon Redshift cluster.
  + For **database**, enter ***your-database-name***. This is the name of the database that you're trying to access on the Amazon Redshift cluster.
  + For **locale**, enter **en-us**. This is the language that error messages display in.
  + For **iam**, enter **1**. This value specifies to the driver to authenticate using IAM credentials.
  + For **plugin_name**, do one of the following:
    + For AD FS single sign-on with MFA configuration, enter **BrowserSAML**. This is the authentication method that the ODBC driver uses to authenticate to AD FS through the browser. 
    + For AD FS single sign-on configuration, enter **ADFS**. This is the authentication method that the ODBC driver uses to authenticate using AD FS single sign-on. 
  + For **uid**, enter ***your-adfs-username***. This is the user name of the AD FS account that you are using for single sign-on and that has permission to the cluster you are authenticating to. Use this only when **plugin_name** is **ADFS**.
  + For **pwd**, enter ***your-adfs-password***. Use this only when **plugin_name** is **ADFS**. 

  On macOS and Linux, also edit the profile settings to add the following exports.

  ```
  export ODBCINI=/opt/amazon/redshift/Setup/odbc.ini
  ```

  ```
  export ODBCINSTINI=/opt/amazon/redshift/Setup/odbcinst.ini
  ```

------

# Azure
<a name="setup-identity-provider-azure"></a>

This tutorial shows you how to use Microsoft Azure Active Directory (Azure AD) as an identity provider (IdP) to access your Amazon Redshift cluster.

To learn how to federate Amazon Redshift access with Microsoft Azure AD single sign-on, watch the following video. 

[![AWS Videos](http://img.youtube.com/vi/aXs9hEgJCss/0.jpg)](https://www.youtube.com/watch?v=aXs9hEgJCss)


## Step 1: Set up Azure and your AWS account to trust each other
<a name="setup-identity-provider-azure-trust"></a>

The following procedure describes how to set up a trust relationship.

**To set up Azure AD and your AWS account to trust each other**

1. Create or use an existing Amazon Redshift cluster for your Azure AD users to connect to. To configure the connection, certain properties of this cluster are needed, such as the cluster identifier. For more information, see [Creating a Cluster](https://docs.aws.amazon.com/redshift/latest/mgmt/create-cluster.html).

1. In the Microsoft Azure portal, set up the Azure Active Directory tenant, groups, and users that will be used for AWS.

1. Add Amazon Redshift as an enterprise application on the Microsoft Azure portal to use for single sign-on to the AWS Console and federated login to Amazon Redshift. Choose **Enterprise application**.

1. Choose **+ New application**. The Add an application page appears.

1. Search for **AWS** in the search field.

1. Choose **Amazon Web Services (AWS)** and choose **Add**. This creates the AWS application.

1. Under **Manage**, choose **Single sign-on**.

1. Choose **SAML**. The Amazon Web Services (AWS) | SAML-based Sign-on page appears.

1. Choose **Yes** to proceed to the Set up Single Sign-On with SAML page. This page shows the list of pre-configured single sign-on related attributes.

1. For **Basic SAML Configuration**, choose the edit icon and choose **Save**.

1. When you are configuring more than one application, provide a unique identifier value. For example, enter ***https://signin.aws.amazon.com/saml#2***. From the second application onward, use this format with a # sign and a number to specify a unique SPN value.

1. In the **User Attributes and Claims** section, choose the edit icon.

   By default, the Unique User Identifier (UID), Role, RoleSessionName, and SessionDuration claims are pre-configured.

1. Choose **+ Add new claim** to add a claim for database users.

   For **Name**, enter **DbUser**.

   For **Namespace**, enter **https://redshift.amazon.com/SAML/Attributes**.

   For **Source**, choose **Attribute**.

   For **Source attribute**, choose **user.userprincipalname**. Then, choose **Save**.

1. Choose **+ Add new claim** to add a claim for AutoCreate.

   For **Name**, enter **AutoCreate**.

   For **Namespace**, enter **https://redshift.amazon.com/SAML/Attributes**.

   For **Source**, choose **Attribute**.

   For **Source attribute**, choose **"true"**. Then, choose **Save**.

   [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/redshift/latest/mgmt/setup-identity-provider-azure.html)

   In the claim values shown there, `123456789012` is your AWS account, *`AzureSSO`* is the IAM role you created, and *`AzureADProvider`* is the IAM SAML provider.

1. Under **App Registration > ***your-application-name*** > Authentication**, add **Mobile And Desktop Application**. Specify the URL as http://localhost/redshift/.

1. In the **SAML Signing Certificate** section, choose **Download** to download and save the federation metadata XML file for use when you create an IAM SAML identity provider. This file is used to create the single sign-on federated identity.

1. Create an IAM SAML identity provider on the IAM console. The metadata document that you provide is the federation metadata XML file that you saved when you set up Azure Enterprise Application. For detailed steps, see [Creating and Managing an IAM Identity Provider (Console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html#idp-manage-identityprovider-console) in the *IAM User Guide*. 

1. Create an IAM role for SAML 2.0 federation on the IAM console. For detailed steps, see [ Creating a Role for SAML](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html#idp_saml_Create) in the *IAM User Guide*. 

1. Create an IAM policy that you can attach to the IAM role that you created for SAML 2.0 federation on the IAM console. For detailed steps, see [Creating IAM Policies (Console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-start) in the *IAM User Guide*.

   Modify the following policy (in JSON format) for your environment: 
   + Substitute the AWS Region of your cluster for `us-west-1`. 
   + Substitute your AWS account for *`123456789012`*. 
   + Substitute your cluster identifier (or `*` for all clusters) for *`cluster-identifier`*. 
   + Substitute your database (or `*` for all databases) for *`dev`*. 
   + Substitute the unique identifier of your IAM role for *`AROAJ2UCCR6DPCEXAMPLE`*. 
   + Substitute your tenant or company email domain for `example.com`. 
   + Substitute the database group that you plan to assign the user to for *`my_dbgroup`*. 

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": "redshift:GetClusterCredentials",
               "Resource": [
                   "arn:aws:redshift:us-west-1:123456789012:dbname:cluster-identifier/dev",
                   "arn:aws:redshift:us-west-1:123456789012:dbuser:cluster-identifier/${redshift:DbUser}",
                   "arn:aws:redshift:us-west-1:123456789012:cluster:cluster-identifier"
               ],
               "Condition": {
                   "StringEquals": {
                       "aws:userid": "AROAJ2UCCR6DPCEXAMPLE:${redshift:DbUser}@example.com"
                   }
               }
           },
           {
               "Effect": "Allow",
               "Action": "redshift:CreateClusterUser",
               "Resource": "arn:aws:redshift:us-west-1:123456789012:dbuser:cluster-identifier/${redshift:DbUser}"
           },
           {
               "Effect": "Allow",
               "Action": "redshift:JoinGroup",
               "Resource": "arn:aws:redshift:us-west-1:123456789012:dbgroup:cluster-identifier/my_dbgroup"
           },
           {
               "Effect": "Allow",
               "Action": [
                   "redshift:DescribeClusters",
                   "iam:ListRoles"
               ],
               "Resource": "*"
           }
       ]
   }
   ```

   This policy grants permissions as follows:
   + The first section grants permission to the `GetClusterCredentials` API operation to get temporary credentials for the specified cluster. In this example, the resource is `cluster-identifier` with database *`dev`*, in account *`123456789012`*, and in AWS Region *`us-west-1`*. The `${redshift:DbUser}` clause allows only users that match the `DbUser` value specified in Azure AD to connect.
   + The condition clause restricts which sessions get temporary credentials: only sessions of the role with unique ID *`AROAJ2UCCR6DPCEXAMPLE`* whose session name is the database user name followed by your company's email domain. For more information about unique IDs, see [Unique IDs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-unique-ids) in the *IAM User Guide*. 

     How you write the condition depends on your IdP setup (in this case, Azure AD). For a federated session, `aws:userid` has the form `<role unique ID>:<RoleSessionName>`. If your employee's email is `johndoe@example.com`, set `${redshift:DbUser}` (the `DbUser` claim) to the IdP attribute that yields the employee's user name `johndoe`, and set the AWS SAML `RoleSessionName` claim to the attribute that yields the employee's email `johndoe@example.com`; the condition value `AROAJ2UCCR6DPCEXAMPLE:${redshift:DbUser}@example.com` then matches. When you take this approach, consider the following:
     + If you set `${redshift:DbUser}` to be the employee's email, then remove the `@example.com` in the example JSON to match the `RoleSessionName`. 
     + If you set the `RoleSessionName` to be just the employee's user name, then remove the `@example.com` in the example to match the `RoleSessionName`. 
     + In the example JSON, `${redshift:DbUser}@example.com` and `RoleSessionName` both resolve to the employee's email. The user signs in to the cluster with the Amazon Redshift database user name (`johndoe`); `@example.com` is appended only for the `aws:userid` comparison.
   + The second section grants permission to create a `dbuser` name in the specified cluster. In this example JSON, it restricts creation to `${redshift:DbUser}`. 
   + The third section grants permission to specify which `dbgroup` a user can join. In this example JSON, a user can join the `my_dbgroup` group in the specified cluster. 
   + The fourth section grants permission to actions the user can do on all resources. In this example JSON, it allows users to call `redshift:DescribeClusters` to get cluster information such as the cluster endpoint, AWS Region, and port. It also allows users to call `iam:ListRoles` to check which roles a user can assume. 
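To see what the first statement actually permits, here is an added Python model of its evaluation (not AWS's IAM engine and not code from this page): it expands `${redshift:DbUser}`, matches the three ARNs a `GetClusterCredentials` call is authorized against using IAM-style `*` wildcards, and evaluates the `StringEquals` condition on `aws:userid`, which for a SAML-federated session is `<role unique ID>:<RoleSessionName>`. The session and request values are constructed, and only the operators this statement uses are modelled. The point it demonstrates is that a federated user can fetch credentials only for the database user named in their own `DbUser` claim, for the named database and cluster, and only through the expected role.

```python
import fnmatch

# The GetClusterCredentials statement from the policy above, with the page's
# placeholder values.
POLICY_STATEMENT = {
    "Effect": "Allow",
    "Action": "redshift:GetClusterCredentials",
    "Resource": [
        "arn:aws:redshift:us-west-1:123456789012:dbname:cluster-identifier/dev",
        "arn:aws:redshift:us-west-1:123456789012:dbuser:cluster-identifier/${redshift:DbUser}",
        "arn:aws:redshift:us-west-1:123456789012:cluster:cluster-identifier",
    ],
    "Condition": {
        "StringEquals": {
            "aws:userid": "AROAJ2UCCR6DPCEXAMPLE:${redshift:DbUser}@example.com"
        }
    },
}


def substitute_variables(template, context):
    """Expand ${key} policy variables from the request context."""
    for key, value in context.items():
        template = template.replace("${" + key + "}", value)
    return template


def arn_matches(pattern, arn):
    """IAM resource matching: '*' and '?' wildcards, case-sensitive."""
    return fnmatch.fnmatchcase(arn, pattern)


def condition_met(condition, context):
    """Only StringEquals is modelled; it is all this statement needs."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if context.get(key) != substitute_variables(expected, context):
                return False
    return True


def requested_arns(region, account, cluster, db_name, db_user):
    """The three resources a GetClusterCredentials call is authorized against."""
    base = f"arn:aws:redshift:{region}:{account}"
    return [
        f"{base}:cluster:{cluster}",
        f"{base}:dbname:{cluster}/{db_name}",
        f"{base}:dbuser:{cluster}/{db_user}",
    ]


def statement_allows(statement, context, arns):
    """Allow only if every requested ARN matches a Resource and the Condition holds."""
    if statement["Effect"] != "Allow" or statement["Action"] != "redshift:GetClusterCredentials":
        return False
    patterns = [substitute_variables(r, context) for r in statement["Resource"]]
    if not all(any(arn_matches(p, arn) for p in patterns) for arn in arns):
        return False
    return condition_met(statement.get("Condition", {}), context)


def can_get_credentials(role_unique_id, role_session_name, db_user,
                        db_name="dev", cluster="cluster-identifier"):
    """Constructed federated session: aws:userid is '<role unique ID>:<RoleSessionName>'."""
    context = {
        "aws:userid": f"{role_unique_id}:{role_session_name}",
        "redshift:DbUser": db_user,
    }
    arns = requested_arns("us-west-1", "123456789012", cluster, db_name, db_user)
    return statement_allows(POLICY_STATEMENT, context, arns)


if __name__ == "__main__":
    # johndoe may fetch credentials for johndoe, but not for alice.
    print(can_get_credentials("AROAJ2UCCR6DPCEXAMPLE", "johndoe@example.com", "johndoe"))
    print(can_get_credentials("AROAJ2UCCR6DPCEXAMPLE", "johndoe@example.com", "alice"))
```

Without the condition, the `dbuser` resource alone would still let any session of the role request credentials for any `DbUser` value it chose to send; the `aws:userid` check is what ties the database user to the IdP-asserted session name.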

## Step 2: Set up JDBC or ODBC for authentication to Azure
<a name="setup-identity-provider-azure-auth"></a>

------
#### [ JDBC ]

**To set up JDBC for authentication to Microsoft Azure AD**
+ Configure your database client to connect to your cluster through JDBC using your Azure AD single sign-on. 

  You can use any client that uses a JDBC driver to connect using Azure AD single sign-on or use a language like Java to connect using a script. For installation and configuration information, see [Configuring a connection for JDBC driver version 2.x for Amazon Redshift](jdbc20-install.md).

  For example, you can use SQLWorkbench/J as the client. When you configure SQLWorkbench/J, the URL of your database uses the following format.

  ```
  jdbc:redshift:iam://cluster-identifier:us-west-1/dev
  ```

  If you use SQLWorkbench/J as the client, take the following steps:

  1. Start SQL Workbench/J. On the **Select Connection Profile** page, add a **Profile Group** called **AzureAuth**.

  1. For **Connection Profile**, enter **Azure**.

  1. Choose **Manage Drivers**, and choose **Amazon Redshift**. Choose the **Open Folder** icon next to **Library**, then choose the appropriate JDBC .jar file. 

  1. On the **Select Connection Profile** page, add information to the connection profile as follows:
     + For **User**, enter your Microsoft Azure user name. This is the user name of the Microsoft Azure account that you are using for single sign-on that has permission to the cluster that you are trying to authenticate using.
     + For **Password**, enter your Microsoft Azure password.
     + For **Drivers**, choose **Amazon Redshift (com.amazon.redshift.jdbc.Driver)**.
     + For **URL**, enter **jdbc:redshift:iam://*your-cluster-identifier*:*your-cluster-region*/*your-database-name***.

  1. Choose **Extended Properties** to add additional information to the connection properties, as described following.

     For Azure AD single sign-on configuration, add additional information as follows:
     + For **plugin_name**, enter **com.amazon.redshift.plugin.AzureCredentialsProvider**. This value tells the driver to use Azure AD single sign-on as the authentication method. 
     + For **idp_tenant**, enter ***your-idp-tenant***. Used only for Microsoft Azure AD. This is the tenant name of your company configured on Azure AD. This value can be either the tenant name or the tenant unique ID with hyphens.
     + For **client_secret**, enter ***your-azure-redshift-application-client-secret***. Used only for Microsoft Azure AD. This is the client secret of the Amazon Redshift application that you created when setting up your Azure single sign-on configuration. It applies only to the com.amazon.redshift.plugin.AzureCredentialsProvider plugin. 
     + For **client_id**, enter ***your-azure-redshift-application-client-id***. Used only for Microsoft Azure AD. This is the client ID (with hyphens) of the Amazon Redshift application that you created when setting up your Azure single sign-on configuration. 

     For Azure AD single sign-on with MFA configuration, add additional information to the connection properties as follows:
     + For **plugin_name**, enter **com.amazon.redshift.plugin.BrowserAzureCredentialsProvider**. This value tells the driver to use Azure AD single sign-on with MFA as the authentication method. 
     + For **idp_tenant**, enter ***your-idp-tenant***. Used only for Microsoft Azure AD. This is the tenant name of your company configured on Azure AD. This value can be either the tenant name or the tenant unique ID with hyphens.
     + For **client_id**, enter ***your-azure-redshift-application-client-id***. Used only for Microsoft Azure AD. This is the client ID (with hyphens) of the Amazon Redshift application that you created when setting up your Azure AD single sign-on with MFA configuration. 
     + For **listen_port**, enter ***your-listen-port***. This is the port that the local server listens on. The default is 7890. 
     + For **idp_response_timeout**, enter ***the-number-of-seconds***. This is the number of seconds to wait for the IdP server's response before timing out. The minimum is 10 seconds. If establishing the connection takes longer than this threshold, the connection is aborted.

------
#### [ ODBC ]

**To set up ODBC for authentication to Microsoft Azure AD**
+ Configure your database client to connect to your cluster through ODBC using your Azure AD single sign-on. 

  Amazon Redshift provides ODBC drivers for Linux, Windows, and macOS operating systems. Before you install an ODBC driver, determine whether your SQL client tool is 32-bit or 64-bit. Install the ODBC driver that matches the requirements of your SQL client tool. 

  On Windows, in the **Amazon Redshift ODBC Driver DSN Setup** page, under **Connection Settings**, enter the following information: 
  + For **Data Source Name**, enter ***your-DSN***. This specifies the data source name used as the ODBC profile name. 
  + For **Auth type** for Azure AD single sign-on configuration, choose **Identity Provider: Azure AD**. This is the authentication method that the ODBC driver uses to authenticate using Azure single sign-on.
  + For **Auth type** for Azure AD single sign-on with MFA configuration, choose **Identity Provider: Browser Azure AD**. This is the authentication method that the ODBC driver uses to authenticate using Azure single sign-on with MFA.
  + For **Cluster ID**, enter ***your-cluster-identifier***. 
  + For **Region**, enter ***your-cluster-region***.
  + For **Database**, enter ***your-database-name***.
  + For **User**, enter ***your-azure-username***. This is the user name of the Microsoft Azure account, used for single sign-on, that has permission on the cluster that you are connecting to. Use this only when **Auth type** is **Identity Provider: Azure AD**.
  + For **Password**, enter ***your-azure-password***. Use this only when **Auth type** is **Identity Provider: Azure AD**. 
  + For **IdP Tenant**, enter ***your-idp-tenant***. This is the tenant name of your company configured on your IdP (Azure). This value can be either the tenant name or the tenant unique ID with hyphens.
  + For **Azure Client Secret**, enter ***your-azure-redshift-application-client-secret***. This is the client secret of the Amazon Redshift application that you created when setting up your Azure single sign-on configuration. Use this only when **Auth type** is **Identity Provider: Azure AD**; the Browser Azure AD plugin does not use it. 
  + For **Azure Client ID**, enter ***your-azure-redshift-application-client-id***. This is the client ID (with hyphens) of the Amazon Redshift application that you created when setting up your Azure single sign-on configuration. 
  + For **Listen Port**, enter ***your-listen-port***. This is the port that the local server listens on. The default is 7890. This applies only to the Browser Azure AD plugin. 
  + For **Response Timeout**, enter ***the-number-of-seconds***. This is the number of seconds to wait for the IdP to send back a response before timing out. The minimum is 10 seconds. If establishing the connection takes longer than this threshold, the connection is aborted. This applies only to the Browser Azure AD plugin.

  On macOS and Linux, edit the `odbc.ini` file as follows: 
**Note**  
All entries are case-insensitive.
  + For **clusterid**, enter ***your-cluster-identifier***. This is the name of the created Amazon Redshift cluster.
  + For **region**, enter ***your-cluster-region***. This is the AWS Region of the created Amazon Redshift cluster.
  + For **database**, enter ***your-database-name***. This is the name of the database that you're trying to access on the Amazon Redshift cluster.
  + For **locale**, enter **en-us**. This is the language that error messages display in.
  + For **iam**, enter **1**. This value specifies to the driver to authenticate using IAM credentials.
  + For **plugin\_name** for Azure AD single sign-on configuration, enter **AzureAD**. This tells the driver to use Azure single sign-on as the authentication method. 
  + For **plugin\_name** for Azure AD single sign-on with MFA configuration, enter **BrowserAzureAD**. This tells the driver to use Azure single sign-on with MFA as the authentication method. 
  + For **uid**, enter ***your-azure-username***. This is the user name of the Microsoft Azure account, used for single sign-on, that has permission on the cluster that you are connecting to. Use this only when **plugin\_name** is **AzureAD**.
  + For **pwd**, enter ***your-azure-password***. Use this only when **plugin\_name** is **AzureAD**. 
  + For **idp\_tenant**, enter ***your-idp-tenant***. This is the tenant name of your company configured on your IdP (Azure). This value can be either the tenant name or the tenant unique ID with hyphens.
  + For **client\_secret**, enter ***your-azure-redshift-application-client-secret***. This is the client secret of the Amazon Redshift application that you created when setting up your Azure single sign-on configuration. Use this only when **plugin\_name** is **AzureAD**. 
  + For **client\_id**, enter ***your-azure-redshift-application-client-id***. This is the client ID (with hyphens) of the Amazon Redshift application that you created when setting up your Azure single sign-on configuration. 
  + For **listen\_port**, enter ***your-listen-port***. This is the port that the local server listens on. The default is 7890. This applies only to the Browser Azure AD plugin.
  + For **idp\_response\_timeout**, enter ***the-number-of-seconds***. This is the number of seconds to wait for a response from Azure. This applies only to the Browser Azure AD plugin.

  On macOS and Linux, also edit the profile settings to add the following exports.

  ```
  export ODBCINI=/opt/amazon/redshift/Setup/odbc.ini
  ```

  ```
  export ODBCINSTINI=/opt/amazon/redshift/Setup/odbcinst.ini
  ```

------

## Troubleshooting
<a name="setup-identity-provider-azure-auth"></a>

To troubleshoot issues with the Browser Azure AD plugin, consider the following.
+ To use the Browser Azure AD plugin, you must set the reply URL specified in the request to match the reply URL configured for your application. Navigate to the **Set up Single Sign-On with SAML** page on the Microsoft Azure portal. Then check the **Reply URL** is set to http://localhost/redshift/.
+ If you get an IdP tenant error, verify that the **IdP Tenant** name matches the domain name you initially used to set up the Active Directory in Microsoft Azure.

  On Windows, navigate to the **Connection Settings** section of the **Amazon Redshift ODBC DSN Setup** page. Then check the tenant name of your company configured on your IdP (Azure) matches the domain name you initially used to set up the Active Directory in Microsoft Azure.

  On macOS and Linux, find the *odbc.ini* file. Then check the tenant name of your company configured on your IdP (Azure) matches the domain name you initially used to set up the Active Directory in Microsoft Azure.
+ If you get an error that the reply URL specified in the request does not match the reply URLs configured for your application, verify that the **Redirect URIs** value is the same as the reply URL.

  Navigate to the **App registration** page of your application on the Microsoft Azure portal. Then check that the Redirect URIs value matches the reply URL.
+ If you get an `unexpected response: unauthorized` error, verify that you completed the **Mobile and desktop applications** configuration.

  Navigate to the **App registration** page of your application on the Microsoft Azure portal. Then navigate to **Authentication** and check that you configured **Mobile and desktop applications** to use http://localhost/redshift/ as the redirect URI.

# Ping Identity
<a name="setup-identity-provider-ping"></a>

This tutorial shows you how to use Ping Identity as an identity provider (IdP) to access your Amazon Redshift cluster.

## Step 1: Set up Ping Identity and your AWS account to trust each other
<a name="setup-identity-provider-ping-trust"></a>

The following procedure describes how to set up a trust relationship using the PingOne portal.

**To set up Ping Identity and your AWS account to trust each other**

1. Create or use an existing Amazon Redshift cluster for your Ping Identity users to connect to. To configure the connection, certain properties of this cluster are needed, such as the cluster identifier. For more information, see [Creating a Cluster](https://docs.aws.amazon.com/redshift/latest/mgmt/create-cluster.html).

1. Add Amazon Redshift as a new SAML application on the PingOne portal. For detailed steps, see the [Ping Identity documentation](https://docs.pingidentity.com/). 

   1. Go to **My Applications**.

   1. Under **Add Application**, choose **New SAML Application**.

   1. For **Application Name**, enter **Amazon Redshift**.

   1. For **Protocol Version**, choose **SAML v2.0**.

   1. For **Category**, choose ***your-application-category***.

   1. For **Assertion Consumer Service (ACS)**, enter ***your-redshift-local-host-url***. This is the local host and port that the IdP posts the SAML assertion to, for example `http://localhost:7890/redshift/`.

   1. For **Entity ID**, enter `urn:amazon:webservices`.

   1. For **Signing**, choose **Sign Assertion**.

   1. In the **SSO Attribute Mapping** section, create the claims as shown in the following table.     
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/redshift/latest/mgmt/setup-identity-provider-ping.html)

1. For **Group Access**, set up the following group access, if needed:
   + **https://aws.amazon.com/SAML/Attributes/Role**
   + **https://aws.amazon.com/SAML/Attributes/RoleSessionName**
   + **https://redshift.amazon.com/SAML/Attributes/AutoCreate**
   + **https://redshift.amazon.com/SAML/Attributes/DbUser**

1. Review your setup and make changes, if necessary. 

1. Use the **Initiate Single Sign-On (SSO) URL** as the login URL for the Browser SAML plugin.

1. Create an IAM SAML identity provider on the IAM console. The metadata document that you provide is the federation metadata XML file that you saved when you set up Ping Identity. For detailed steps, see [ Creating and Managing an IAM Identity Provider (Console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html#idp-manage-identityprovider-console) in the *IAM User Guide*.

1. Create an IAM role for SAML 2.0 federation on the IAM console. For detailed steps, see [ Creating a Role for SAML](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html#idp_saml_Create) in the *IAM User Guide*. 

1. Create an IAM policy that you can attach to the IAM role that you created for SAML 2.0 federation on the IAM console. For detailed steps, see [Creating IAM Policies (Console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-start) in the *IAM User Guide*. For an Azure AD example, see [Setting up JDBC or ODBC single sign-on authentication](setup-azure-ad-identity-provider.md). 

## Step 2: Set up JDBC or ODBC for authentication to Ping Identity
<a name="setup-identity-provider-ping-auth"></a>

------
#### [ JDBC ]

**To set up JDBC for authentication to Ping Identity**
+ Configure your database client to connect to your cluster through JDBC using Ping Identity single sign-on. 

  You can use any client that uses a JDBC driver to connect using Ping Identity single sign-on or use a language like Java to connect using a script. For installation and configuration information, see [Configuring a connection for JDBC driver version 2.x for Amazon Redshift](jdbc20-install.md).

  For example, you can use SQLWorkbench/J as the client. When you configure SQLWorkbench/J, the URL of your database uses the following format.

  ```
  jdbc:redshift:iam://cluster-identifier:us-west-1/dev
  ```

  If you use SQLWorkbench/J as the client, take the following steps:

  1. Start SQL Workbench/J. In the **Select Connection Profile** page, add a **Profile Group**, for example **Ping**.

  1. For **Connection Profile**, enter ***your-connection-profile-name***, for example **Ping**.

  1. Choose **Manage Drivers**, and choose **Amazon Redshift**. Choose the **Open Folder** icon next to **Library**, then choose the appropriate JDBC .jar file. 

  1. On the **Select Connection Profile** page, add information to the connection profile as follows:
     + For **User**, enter your PingOne user name. This is the user name of the PingOne account, used for single sign-on, that has permission on the cluster that you are connecting to.
     + For **Password**, enter your PingOne password.
     + For **Drivers**, choose **Amazon Redshift (com.amazon.redshift.jdbc.Driver)**.
     + For **URL**, enter **jdbc:redshift:iam://*your-cluster-identifier*:*your-cluster-region*/*your-database-name***.

  1. Choose **Extended Properties** and add the following:
     + For **login\_url**, enter ***your-ping-sso-login-url***. This is the single sign-on URL that the driver uses to start the login. 
     + For **plugin\_name**, do one of the following:
       + For user name and password authentication to Ping Identity (PingFederate), enter **com.amazon.redshift.plugin.PingCredentialsProvider**. This value tells the driver to use Ping Identity single sign-on as the authentication method. 
       + For browser-based single sign-on, enter **com.amazon.redshift.plugin.BrowserSamlCredentialsProvider**. This value tells the driver to use PingOne browser single sign-on as the authentication method. 

------
#### [ ODBC ]

**To set up ODBC for authentication to Ping Identity**
+ Configure your database client to connect to your cluster through ODBC using Ping Identity PingOne single sign-on. 

  Amazon Redshift provides ODBC drivers for Linux, Windows, and macOS operating systems. Before you install an ODBC driver, determine whether your SQL client tool is 32-bit or 64-bit. Install the ODBC driver that matches the requirements of your SQL client tool. 

  On Windows, in the **Amazon Redshift ODBC Driver DSN Setup** page, under **Connection Settings**, enter the following information: 
  + For **Data Source Name**, enter ***your-DSN***. This specifies the data source name used as the ODBC profile name. 
  + For **Auth type**, do one of the following:
    + For Ping Identity configuration, choose **Identity Provider: Ping Federate**. This is the authentication method that the ODBC driver uses to authenticate using Ping Identity single sign-on.
    + For Ping Identity with single sign-on configuration, choose **Identity Provider: Browser SAML**. This is the authentication method that the ODBC driver uses to authenticate using Ping Identity with single sign-on.
  + For **Cluster ID**, enter ***your-cluster-identifier***. 
  + For **Region**, enter ***your-cluster-region***.
  + For **Database**, enter ***your-database-name***.
  + For **User**, enter ***your-ping-username***. This is the user name of the PingOne account, used for single sign-on, that has permission on the cluster that you are connecting to. Use this only when **Auth type** is **Identity Provider: Ping Federate**.
  + For **Password**, enter ***your-ping-password***. Use this only when **Auth type** is **Identity Provider: Ping Federate**. 
  + For **Listen Port**, enter ***your-listen-port***. This is the port that the local server listens on. The default is 7890. This applies only to the Browser SAML plugin. 
  + For **Response Timeout**, enter ***the-number-of-seconds***. This is the number of seconds to wait for the IdP to send back a response before timing out. The minimum is 10 seconds. If establishing the connection takes longer than this threshold, the connection is aborted. This applies only to the Browser SAML plugin.
  + For **Login URL**, enter ***your-login-url***. This applies only to the Browser SAML plugin.

  On macOS and Linux, edit the `odbc.ini` file as follows: 
**Note**  
All entries are case-insensitive.
  + For **clusterid**, enter ***your-cluster-identifier***. This is the name of the created Amazon Redshift cluster.
  + For **region**, enter ***your-cluster-region***. This is the AWS Region of the created Amazon Redshift cluster.
  + For **database**, enter ***your-database-name***. This is the name of the database that you're trying to access on the Amazon Redshift cluster.
  + For **locale**, enter **en-us**. This is the language that error messages display in.
  + For **iam**, enter **1**. This value specifies to the driver to authenticate using IAM credentials.
  + For **plugin\_name**, do one of the following:
    + For browser-based single sign-on (the counterpart of **Identity Provider: Browser SAML** on Windows), enter **BrowserSAML**. This is the authentication method that the ODBC driver uses for Ping Identity browser single sign-on. 
    + For user name and password authentication to Ping Identity (the counterpart of **Identity Provider: Ping Federate** on Windows), enter **Ping**. 
  + For **uid**, enter ***your-ping-username***. This is the user name of the PingOne account, used for single sign-on, that has permission on the cluster that you are connecting to. Use this only when **plugin\_name** is **Ping**.
  + For **pwd**, enter ***your-ping-password***. Use this only when **plugin\_name** is **Ping**. 
  + For **login\_url**, enter ***your-login-url***. This is the Initiate Single Sign-On URL that returns the SAML response. This applies only to the Browser SAML plugin.
  + For **idp\_response\_timeout**, enter ***the-number-of-seconds***. This is the number of seconds to wait for a response from PingOne. This applies only to the Browser SAML plugin.
  + For **listen\_port**, enter ***your-listen-port***. This is the port that the local server listens on. The default is 7890. This applies only to the Browser SAML plugin.

  On macOS and Linux, also edit the profile settings to add the following exports.

  ```
  export ODBCINI=/opt/amazon/redshift/Setup/odbc.ini
  ```

  ```
  export ODBCINSTINI=/opt/amazon/redshift/Setup/odbcinst.ini
  ```

------

# Okta
<a name="setup-identity-provider-okta"></a>

This tutorial shows you how to use Okta as an identity provider (IdP) to access your Amazon Redshift cluster.

## Step 1: Set up Okta and your AWS account to trust each other
<a name="setup-identity-provider-okta-trust"></a>

The following procedure describes how to set up a trust relationship.

**To set up Okta and your AWS account to trust each other**

1. Create or use an existing Amazon Redshift cluster for your Okta users to connect to. To configure the connection, certain properties of this cluster are needed, such as the cluster identifier. For more information, see [Creating a Cluster](https://docs.aws.amazon.com/redshift/latest/mgmt/create-cluster.html).

1. Add Amazon Redshift as a new application on the Okta portal. For detailed steps, see the [Okta documentation](https://developer.okta.com/docs/). 
   + Choose **Add Application**.
   + Under **Add Application**, choose **Create New App**.
   + On the **Create a New Application Integration** page, for **Platform**, choose **Web**.
   + For **Sign on method**, choose **SAML v2.0**.
   + On the **General Settings** page, for **App name**, enter ***your-redshift-saml-sso-name***. This is the name of your application.
   + On the **SAML Settings** page, for **Single sign on URL**, enter ***your-redshift-local-host-url***. This is the local host and port that the SAML assertion redirects to, for example `http://localhost:7890/redshift/`.

1. Use the **Single sign on URL** value as the **Recipient URL** and **Destination URL**.

1. For **Signing**, choose **Sign Assertion**.

1. For **Audience URI (SP Entity ID)**, enter **urn:amazon:webservices**. This is the audience value that AWS expects in the SAML assertion.

1. In the **Advanced Settings** section, for **SAML Issuer ID**, enter ***your-Identity-Provider-Issuer-ID***, which you can find in the **View Setup Instructions** section.

1. In the **Attribute Statements** section, create the claims as shown in the following table.    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/redshift/latest/mgmt/setup-identity-provider-okta.html)

1. In the **App Embed Link** section, find the URL that you can use as the login URL for the Browser SAML plugin.

1. Create an IAM SAML identity provider on the IAM console. The metadata document that you provide is the federation metadata XML file that you saved when you set up Okta. For detailed steps, see [ Creating and Managing an IAM Identity Provider (Console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html#idp-manage-identityprovider-console) in the *IAM User Guide*. 

1. Create an IAM role for SAML 2.0 federation on the IAM console. For detailed steps, see [ Creating a Role for SAML](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html#idp_saml_Create) in the *IAM User Guide*. 

1. Create an IAM policy that you can attach to the IAM role that you created for SAML 2.0 federation on the IAM console. For detailed steps, see [Creating IAM Policies (Console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-start) in the *IAM User Guide*. For an Azure AD example, see [Setting up JDBC or ODBC single sign-on authentication](setup-azure-ad-identity-provider.md). 

## Step 2: Set up JDBC or ODBC for authentication to Okta
<a name="setup-identity-provider-okta-auth"></a>

------
#### [ JDBC ]

**To set up JDBC for authentication to Okta**
+ Configure your database client to connect to your cluster through JDBC using Okta single sign-on.

  You can use any client that uses a JDBC driver to connect using Okta single sign-on or use a language like Java to connect using a script. For installation and configuration information, see [Configuring a connection for JDBC driver version 2.x for Amazon Redshift](jdbc20-install.md).

  For example, you can use SQLWorkbench/J as the client. When you configure SQLWorkbench/J, the URL of your database uses the following format.

  ```
  jdbc:redshift:iam://cluster-identifier:us-west-1/dev
  ```

  If you use SQLWorkbench/J as the client, take the following steps:

  1. Start SQL Workbench/J. In the **Select Connection Profile** page, add a **Profile Group**, for example **Okta**.

  1. For **Connection Profile**, enter ***your-connection-profile-name***, for example **Okta**.

  1. Choose **Manage Drivers**, and choose **Amazon Redshift**. Choose the **Open Folder** icon next to **Library**, then choose the appropriate JDBC .jar file. 

  1. On the **Select Connection Profile** page, add information to the connection profile as follows:
     + For **User**, enter your Okta user name. This is the user name of the Okta account, used for single sign-on, that has permission on the cluster that you are connecting to.
     + For **Password**, enter your Okta password.
     + For **Drivers**, choose **Amazon Redshift (com.amazon.redshift.jdbc.Driver)**.
     + For **URL**, enter **jdbc:redshift:iam://*your-cluster-identifier*:*your-cluster-region*/*your-database-name***.

  1. Choose **Extended Properties** and add the following:
     + For **login\_url**, enter ***your-okta-sso-login-url***. This is the single sign-on URL that the driver uses to log in to Okta. 
     + For **plugin\_name**, do one of the following:
       + For Okta single sign-on, enter **com.amazon.redshift.plugin.OktaCredentialsProvider**. This value tells the driver to use Okta single sign-on as the authentication method. 
       + For Okta single sign-on with MFA, enter **com.amazon.redshift.plugin.BrowserSamlCredentialsProvider**. This value tells the driver to use Okta single sign-on with MFA as the authentication method. 

------
#### [ ODBC ]

**To set up ODBC for authentication to Okta**
+ Configure your database client to connect to your cluster through ODBC using Okta single sign-on. 

  Amazon Redshift provides ODBC drivers for Linux, Windows, and macOS operating systems. Before you install an ODBC driver, determine whether your SQL client tool is 32-bit or 64-bit. Install the ODBC driver that matches the requirements of your SQL client tool. 

  On Windows, in the **Amazon Redshift ODBC Driver DSN Setup** page, under **Connection Settings**, enter the following information: 
  + For **Data Source Name**, enter ***your-DSN***. This specifies the data source name used as the ODBC profile name. 
  + For **Auth type**, do one of the following:
    + For Okta single sign-on configuration, choose **Identity Provider: Okta**. This is the authentication method that the ODBC driver uses to authenticate using Okta single sign-on.
    + For Okta single sign-on with MFA configuration, choose **Identity Provider: Browser SAML**. This is the authentication method that the ODBC driver uses to authenticate using Okta single sign-on with MFA.
  + For **Cluster ID**, enter ***your-cluster-identifier***. 
  + For **Region**, enter ***your-cluster-region***.
  + For **Database**, enter ***your-database-name***.
  + For **User**, enter ***your-okta-username***. This is the user name of the Okta account, used for single sign-on, that has permission on the cluster that you are connecting to. Use this only when **Auth type** is **Identity Provider: Okta**.
  + For **Password**, enter ***your-okta-password***. Use this only when **Auth type** is **Identity Provider: Okta**. 

  On macOS and Linux, edit the `odbc.ini` file as follows: 
**Note**  
All entries are case-insensitive.
  + For **clusterid**, enter ***your-cluster-identifier***. This is the name of the created Amazon Redshift cluster.
  + For **region**, enter ***your-cluster-region***. This is the AWS Region of the created Amazon Redshift cluster.
  + For **database**, enter ***your-database-name***. This is the name of the database that you're trying to access on the Amazon Redshift cluster.
  + For **locale**, enter **en-us**. This is the language that error messages display in.
  + For **iam**, enter **1**. This value specifies to the driver to authenticate using IAM credentials.
  + For **plugin\_name**, do one of the following:
    + For Okta single sign-on with MFA configuration, enter **BrowserSAML**. This is the authentication method that the ODBC driver uses for Okta single sign-on with MFA. 
    + For Okta single sign-on configuration, enter **Okta**. This is the authentication method that the ODBC driver uses for Okta single sign-on. 
  + For **uid**, enter ***your-okta-username***. This is the user name of the Okta account, used for single sign-on, that has permission on the cluster that you are connecting to. Use this only when **plugin\_name** is **Okta**.
  + For **pwd**, enter ***your-okta-password***. Use this only when **plugin\_name** is **Okta**. 
  + For **login\_url**, enter ***your-login-url***. This is the Initiate Single Sign-On URL that returns the SAML response. This applies only to the Browser SAML plugin.
  + For **idp\_response\_timeout**, enter ***the-number-of-seconds***. This is the number of seconds to wait for a response from Okta. This applies only to the Browser SAML plugin.
  + For **listen\_port**, enter ***your-listen-port***. This is the port that the local server listens on. The default is 7890. This applies only to the Browser SAML plugin.

  On macOS and Linux, also edit the profile settings to add the following exports.

  ```
  export ODBCINI=/opt/amazon/redshift/Setup/odbc.ini
  ```

  ```
  export ODBCINSTINI=/opt/amazon/redshift/Setup/odbcinst.ini
  ```

------
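The Browser SAML flow that the Ping Identity and Okta procedures above configure (ACS or Single sign on URL `http://localhost:7890/redshift/`, Audience `urn:amazon:webservices`, the Role, RoleSessionName, DbUser and AutoCreate attributes, listen port 7890, and a response timeout of at least 10 seconds) ends with the IdP posting a SAMLResponse to a listener on the client machine. The following Python is an added example, not code from the Amazon Redshift driver or from AWS. It models that callback: it performs the client-side checks a driver can do before calling AWS (reply URL, audience, required attributes) and extracts the values that go to `sts:AssumeRoleWithSAML`. The SAML document, the account ID `123456789012`, the role and provider names, and the user `alice@example.com` are constructed placeholders. Signature verification happens in AWS STS against the certificate in the IAM SAML provider, so it is not repeated here.

```python
"""Model of the Browser SAML callback. Added example; not the Amazon Redshift driver's code.
Ping Identity or Okta POSTs a SAMLResponse to a listener on listen_port after the browser
login; this checks it and extracts the values handed to sts:AssumeRoleWithSAML.
The SAML document, account ID and ARNs below are constructed placeholders."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET  # use defusedxml for untrusted XML in production
from http.server import BaseHTTPRequestHandler, HTTPServer

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
LISTEN_PORT = 7890                            # the driver's default listen_port
REPLY_URL = f"http://localhost:{LISTEN_PORT}/redshift/"
EXPECTED_AUDIENCE = "urn:amazon:webservices"  # the Entity ID / Audience URI from Step 1
ROLE = "https://aws.amazon.com/SAML/Attributes/Role"
SESSION_NAME = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
DB_USER = "https://redshift.amazon.com/SAML/Attributes/DbUser"
AUTO_CREATE = "https://redshift.amazon.com/SAML/Attributes/AutoCreate"


def parse_saml_response(saml_b64: str) -> dict:
    """Decode a base64 SAMLResponse and return what the driver needs from it."""
    root = ET.fromstring(base64.b64decode(saml_b64))
    if root.get("Destination") != REPLY_URL:  # the reply-URL mismatch from Troubleshooting
        raise ValueError(f"Destination {root.get('Destination')!r} is not {REPLY_URL!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("SAMLResponse carries no Assertion")
    audiences = [a.text for a in assertion.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        raise ValueError(f"Audience {audiences} does not include {EXPECTED_AUDIENCE}")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall(".//saml:AttributeStatement/saml:Attribute", NS)}
    if not attrs.get(ROLE) or not attrs.get(SESSION_NAME):
        raise ValueError("Role and RoleSessionName attributes are required")
    parts = [p.strip() for p in attrs[ROLE][0].split(",")]  # "<arn>,<arn>", either order
    role_arn = next((p for p in parts if ":role/" in p), None)
    provider_arn = next((p for p in parts if ":saml-provider/" in p), None)
    if not role_arn or not provider_arn:
        raise ValueError(f"malformed Role attribute {attrs[ROLE][0]!r}")
    return {"role_arn": role_arn, "principal_arn": provider_arn,
            "role_session_name": attrs[SESSION_NAME][0],
            "db_user": (attrs.get(DB_USER) or [None])[0],
            "auto_create": (attrs.get(AUTO_CREATE) or ["false"])[0].lower() == "true",
            "saml_assertion": saml_b64}  # handed unchanged to sts:AssumeRoleWithSAML


def handle_callback_body(form_body: str) -> dict:
    """The IdP POSTs application/x-www-form-urlencoded with a SAMLResponse field."""
    fields = urllib.parse.parse_qs(form_body, strict_parsing=True)
    if "SAMLResponse" not in fields:
        raise ValueError("POST body has no SAMLResponse field")
    return parse_saml_response(fields["SAMLResponse"][0])


def rejects(form_body: str) -> bool:
    """True if the callback body fails one of the checks above."""
    try:
        handle_callback_body(form_body)
    except (ValueError, ET.ParseError):
        return True
    return False


class _CallbackHandler(BaseHTTPRequestHandler):
    result = None

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", "0"))).decode()
        try:
            if self.path != "/redshift/":
                raise ValueError("unexpected callback path")
            _CallbackHandler.result = handle_callback_body(body)
            status, text = 200, "Login complete; you can close this window."
        except (ValueError, ET.ParseError) as exc:
            status, text = 400, str(exc)  # nothing that fails a check reaches STS
        self.send_response(status)
        self.end_headers()
        self.wfile.write(text.encode())


def wait_for_idp(idp_response_timeout: int = 120):
    """Bind to loopback only and accept one POST, or give up after the timeout."""
    srv = HTTPServer(("127.0.0.1", LISTEN_PORT), _CallbackHandler)
    srv.timeout = max(idp_response_timeout, 10)  # the driver's 10 second minimum, mirrored
    srv.handle_request()  # exactly one request, or returns after the timeout
    srv.server_close()
    return _CallbackHandler.result


def build_sample_body(audience: str = EXPECTED_AUDIENCE, destination: str = REPLY_URL) -> str:
    """Constructed SAMLResponse POST body for offline use (not a real IdP's output)."""
    attrs = {ROLE: "arn:aws:iam::123456789012:role/RedshiftSaml,arn:aws:iam::123456789012:saml-provider/ExampleIdP",
             SESSION_NAME: "alice@example.com", DB_USER: "alice", AUTO_CREATE: "true"}
    attr_xml = "".join(f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}'
                       "</saml:AttributeValue></saml:Attribute>" for k, v in attrs.items())
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'Destination="{destination}"><saml:Assertion><saml:Conditions>'
           f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
           "</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>"
           f"{attr_xml}</saml:AttributeStatement></saml:Assertion></samlp:Response>")
    return urllib.parse.urlencode({"SAMLResponse": base64.b64encode(xml.encode()).decode()})
```

`wait_for_idp` binds to `127.0.0.1` only; a listener bound to all interfaces would accept an assertion from any host on the network. A response that fails any check is answered with HTTP 400 and never reaches STS, which is also where a wrong `Destination` (the reply URL mismatch in the Troubleshooting notes) is caught before a round trip to AWS.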

# Authorizing Amazon Redshift to access AWS services on your behalf
<a name="authorizing-redshift-service"></a>

Some Amazon Redshift features require Amazon Redshift to access other AWS services on your behalf. For example, the [COPY](https://docs.aws.amazon.com/redshift/latest/dg/r_COPY.html) and [UNLOAD](https://docs.aws.amazon.com/redshift/latest/dg/r_UNLOAD.html) commands can load or unload data into your Amazon Redshift cluster using an Amazon S3 bucket. The [CREATE EXTERNAL FUNCTION](https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_EXTERNAL_FUNCTION.html) command can invoke an AWS Lambda function using a scalar Lambda user-defined function (UDF). Amazon Redshift Spectrum can use a data catalog in Amazon Athena or AWS Glue. For your Amazon Redshift clusters to act on your behalf, you supply security credentials to your clusters. The preferred method to supply security credentials is to specify an AWS Identity and Access Management (IAM) role. For COPY and UNLOAD, you can provide temporary credentials. 

Users need programmatic access if they want to interact with AWS outside of the AWS Management Console. The way to grant programmatic access depends on the type of user that's accessing AWS.

To grant users programmatic access, choose one of the following options.



| Which user needs programmatic access? | To | By | 
| --- | --- | --- | 
| IAM | (Recommended) Use console credentials as temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. |  Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/redshift/latest/mgmt/authorizing-redshift-service.html)  | 
|  Workforce identity (Users managed in IAM Identity Center)  | Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. |  Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/redshift/latest/mgmt/authorizing-redshift-service.html)  | 
| IAM | Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions in [Using temporary credentials with AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) in the IAM User Guide. | 
| IAM | (Not recommended) Use long-term credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. |  Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/redshift/latest/mgmt/authorizing-redshift-service.html)  | 

Following, find out how to create an IAM role with the appropriate permissions to access other AWS services. You also need to associate the role with your cluster and specify the Amazon Resource Name (ARN) of the role when you run the Amazon Redshift command. For more information, see [Authorizing COPY, UNLOAD, CREATE EXTERNAL FUNCTION, and CREATE EXTERNAL SCHEMA operations using IAM roles](copy-unload-iam-role.md).

In addition, a superuser can grant the ASSUMEROLE privilege to specific users and groups to provide access to a role for COPY and UNLOAD operations. For information, see [GRANT](https://docs.aws.amazon.com/redshift/latest/dg/r_GRANT.html) in the *Amazon Redshift Database Developer Guide*.

## Creating an IAM role to allow your Amazon Redshift cluster to access AWS services
<a name="authorizing-redshift-service-creating-an-iam-role"></a>

To create an IAM role that permits your Amazon Redshift cluster to communicate with other AWS services on your behalf, take the following steps. The values used in this section are examples; choose values based on your needs.<a name="create-iam-role-for-aws-services"></a>

**To create an IAM role to allow Amazon Redshift to access AWS services**

1. Open the [IAM console](https://console.aws.amazon.com/iam/home?#home).

1. In the navigation pane, choose **Roles**.

1. Choose **Create role**.

1. Choose **AWS service**, and then choose **Redshift**.

1. Under **Select your use case**, choose **Redshift - Customizable** and then choose **Next: Permissions**. The **Attach permissions policy** page appears.

1. For access to Amazon S3 using COPY, as an example, you can use **AmazonS3ReadOnlyAccess** as a starting point. For access to Amazon S3 using COPY or UNLOAD, we suggest that you create managed policies that restrict access to the desired bucket and prefix accordingly. For both read and write operations, we recommend enforcing least privilege and restricting access to only the Amazon S3 buckets and key prefixes that Amazon Redshift requires.

   For access to invoke Lambda functions for the CREATE EXTERNAL FUNCTION command, add **AWSLambdaRole**.

   For Redshift Spectrum, in addition to Amazon S3 access, add **AWSGlueConsoleFullAccess** or **AmazonAthenaFullAccess**.

   Choose **Next: Tags**.

1. The **Add tags** page appears. You can optionally add tags. Choose **Next: Review**.

1. For **Role name**, type a name for your role, for example **RedshiftCopyUnload**. Choose **Create role**.

1. The new role is available to all users on clusters that use the role. To restrict access to only specific users on specific clusters, or to clusters in specific regions, edit the trust relationship for the role. For more information, see [Restricting access to IAM roles](authorizing-redshift-service-database-users.md).

1. Associate the role with your cluster. You can associate an IAM role with a cluster when you create the cluster, or you can add the role to an existing cluster. For more information, see [Associating IAM roles with clusters](copy-unload-iam-role-associating-with-clusters.md).
**Note**  
To restrict access to specific data, use an IAM role that grants the least privileges required.

# Restricting access to IAM roles
<a name="authorizing-redshift-service-database-users"></a>

By default, IAM roles that are available to an Amazon Redshift cluster are available to all users on that cluster. You can choose to restrict IAM roles to specific Amazon Redshift database users on specific clusters or to specific regions. 

To permit only specific database users to use an IAM role, take the following steps.<a name="identify-db-users-for-iam-role"></a>

**To identify specific database users with access to an IAM role**

1. Identify the Amazon Resource Name (ARN) for the database users in your Amazon Redshift cluster. The ARN for a database user is in the format: `arn:aws:redshift:region:account-id:dbuser:cluster-name/user-name`.

   For Amazon Redshift Serverless, use the following ARN format: `arn:aws:redshift:region:account-id:dbuser:serverless-account-id-workgroup-id/user-name`.

1. Open the [IAM console](https://console.aws.amazon.com/iam/home?#home).

1. In the navigation pane, choose **Roles**.

1. Choose the IAM role that you want to restrict to specific Amazon Redshift database users.

1. Choose the **Trust Relationships** tab, and then choose **Edit Trust Relationship**. A new IAM role that allows Amazon Redshift to access other AWS services on your behalf has a trust relationship as follows:

   ```
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "Service": "redshift.amazonaws.com"
         },
         "Action": "sts:AssumeRole"
       }
     ]
   }
   ```

1. Add a condition to the `sts:AssumeRole` action section of the trust relationship that limits the `sts:ExternalId` field to values that you specify. Include an ARN for each database user that you want to grant access to the role. The external ID can be any unique string.

   For example, the following trust relationship specifies that only database users `user1` and `user2` on cluster `my-cluster` in region `us-west-2` have permission to use this IAM role.

   ```
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "Service": "redshift.amazonaws.com"
         },
         "Action": "sts:AssumeRole",
         "Condition": {
           "StringEquals": {
             "sts:ExternalId": [
               "arn:aws:redshift:us-west-2:123456789012:dbuser:my-cluster/user1",
               "arn:aws:redshift:us-west-2:123456789012:dbuser:my-cluster/user2"
             ]
           }
         }
       }
     ]
   }
   ```

1. Choose **Update Trust Policy**.

# Restricting an IAM role to an AWS Region
<a name="authorizing-redshift-service-regions"></a>

You can restrict an IAM role to only be accessible in a certain AWS Region. By default, IAM roles for Amazon Redshift are not restricted to any single region.

To restrict use of an IAM role by region, take the following steps.<a name="identify-regionsfor-iam-role"></a>

**To identify permitted regions for an IAM role**

1. Open the [IAM console](https://console.aws.amazon.com/iam/home?#home) at [https://console.aws.amazon.com/](https://console.aws.amazon.com/).

1. In the navigation pane, choose **Roles**.

1. Choose the role that you want to modify with specific regions.

1. Choose the **Trust Relationships** tab and then choose **Edit Trust Relationship**. A new IAM role that allows Amazon Redshift to access other AWS services on your behalf has a trust relationship as follows:

   ```
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "Service": "redshift.amazonaws.com"
         },
         "Action": "sts:AssumeRole"
       }
     ]
   }
   ```

1. Modify the `Service` list of the `Principal` so that it lists only the specific Regions in which you want to permit use of the role. Each entry in the `Service` list must be in the following format: `redshift.region.amazonaws.com`.

   For example, the following edited trust relationship permits the use of the IAM role in the `us-east-1` and `us-west-2` regions only.

   ```
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "Service": [
             "redshift.us-east-1.amazonaws.com",
             "redshift.us-west-2.amazonaws.com"
           ]
         },
         "Action": "sts:AssumeRole"
       }
     ]
   }
   ```

1. Choose **Update Trust Policy**.
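The two trust-policy edits described in this section and the previous one (pinning `sts:ExternalId` to database-user ARNs, and listing regional service principals) can be generated and checked mechanically. The following Python is an added example, not code from AWS or from this guide: `build_trust_policy` emits a policy in the shape shown above, and `trust_permits` evaluates whether a given service principal and external ID would be accepted by it. The function names and the evaluator's deliberately narrow semantics (only `Allow` statements, `Service` principals and a `StringEquals` condition on `sts:ExternalId` are modelled) are this example's own assumptions; the ARNs and Region names are the page's sample values.

```python
import json
from typing import Iterable, List, Optional

# Hypothetical helper names; the ARN and policy shapes follow the procedure above.


def db_user_arn(region: str, account_id: str, cluster: str, user: str) -> str:
    """ARN of a database user on a provisioned cluster (format given above)."""
    return f"arn:aws:redshift:{region}:{account_id}:dbuser:{cluster}/{user}"


def build_trust_policy(db_user_arns: Iterable[str] = (),
                       regions: Iterable[str] = ()) -> dict:
    """Trust policy for the Redshift service principal.

    regions      -> Principal.Service becomes the regional principals
                    redshift.<region>.amazonaws.com, so only clusters in those
                    Regions can assume the role.
    db_user_arns -> a StringEquals condition on sts:ExternalId pins the role
                    to the listed database users.
    With neither argument the result is the unrestricted default shown above.
    """
    services: List[str] = [f"redshift.{r}.amazonaws.com" for r in regions]
    if not services:
        services = ["redshift.amazonaws.com"]
    statement = {
        "Effect": "Allow",
        "Principal": {"Service": services[0] if len(services) == 1 else services},
        "Action": "sts:AssumeRole",
    }
    users = list(db_user_arns)
    if users:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": users}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def _as_list(value) -> list:
    """IAM accepts a single string wherever a list is expected; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_permits(policy: dict, service_principal: str,
                  external_id: Optional[str]) -> bool:
    """Evaluate an sts:AssumeRole request against the trust policy.

    StringEquals is an exact, case-sensitive comparison, and a request that
    carries no external ID fails any statement that requires one.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        if service_principal not in _as_list(stmt.get("Principal", {}).get("Service")):
            continue
        wanted = _as_list(
            stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"))
        if wanted and (external_id is None or external_id not in wanted):
            continue
        return True
    return False


if __name__ == "__main__":
    policy = build_trust_policy(
        db_user_arns=[db_user_arn("us-west-2", "123456789012", "my-cluster", "user1")],
        regions=["us-east-1", "us-west-2"],
    )
    print(json.dumps(policy, indent=2))
```

Two behaviours are worth noticing when you run it: a request that presents no external ID, or one for a user not on the list, is refused; and once the `Service` list names regional principals, the global `redshift.amazonaws.com` principal no longer matches, which is exactly what restricts the role to those Regions.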

# Chaining IAM roles in Amazon Redshift
<a name="authorizing-redshift-service-chaining-roles"></a>

When you attach a role to your cluster, your cluster can assume that role to access Amazon S3, Amazon Athena, AWS Glue, and AWS Lambda on your behalf. If a role attached to your cluster doesn't have access to the necessary resources, you can chain another role, possibly belonging to another account. Your cluster then temporarily assumes the chained role to access the data. You can also grant cross-account access by chaining roles. Each role in the chain assumes the next role in the chain, until the cluster assumes the role at the end of chain. The maximum number of IAM roles that you can associate is subject to a quota. For more information, see the quota "Cluster IAM roles for Amazon Redshift to access other AWS services" in [Quotas for Amazon Redshift objects](amazon-redshift-limits.md#amazon-redshift-limits-quota). 

**Note**  
You must list the IAM roles in the order in which they are chained for the chain to work correctly.

For example, suppose Company A wants to access data in an Amazon S3 bucket that belongs to Company B. Company A creates an AWS service role for Amazon Redshift named `RoleA` and attaches it to their cluster. Company B creates a role named `RoleB` that's authorized to access the data in the Company B bucket. To access the data in the Company B bucket, Company A runs a COPY command using an `iam_role` parameter that chains `RoleA` and `RoleB`. For the duration of the COPY operation, `RoleA` temporarily assumes `RoleB` to access the Amazon S3 bucket. 

To chain roles, you establish a trust relationship between the roles. A role that assumes another role (for example, `RoleA`) must have a permissions policy that allows it to assume the next chained role (for example, `RoleB`). In turn, the role that passes permissions (`RoleB`) must have a trust policy that allows it to pass its permissions to the previous chained role (`RoleA`). For more information, see [Using IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) in the IAM User Guide. 

The first role in the chain must be a role attached to the cluster. The first role, and each subsequent role that assumes the next role in the chain, must have a policy that includes a specific statement. This statement has the `Allow` effect on the `sts:AssumeRole` action and the Amazon Resource Name (ARN) of the next role in a `Resource` element. In our example, `RoleA` has the following permission policy that allows it to assume `RoleB`, owned by AWS account `210987654321`.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1487639602000",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": "arn:aws:iam::210987654321:role/RoleB"
        }
    ]
}
```

A role that passes its permissions to another role must have a trust relationship with the role that assumes it, or with the AWS account that owns that role. In our example, `RoleB` has the following trust policy to establish a trust relationship with `RoleA`.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/RoleA"
      }
    }
  ]
}
```

The following trust policy establishes a trust relationship with the owner of `RoleA`, AWS account `123456789012`.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      }
    }
  ]
}
```

**Note**  
To restrict role chaining authorization to specific users, define a condition. For more information, see [Restricting access to IAM roles](authorizing-redshift-service-database-users.md).

When you run an UNLOAD, COPY, CREATE EXTERNAL FUNCTION, or CREATE EXTERNAL SCHEMA command, you chain roles by including a comma-separated list of role ARNs in the `iam_role` parameter. The following shows the syntax for chaining roles in the `iam_role` parameter. 

```
unload ('select * from venue limit 10') 
to 's3://acmedata/redshift/venue_pipe_'
IAM_ROLE 'arn:aws:iam::<aws-account-id-1>:role/<role-name-1>[,arn:aws:iam::<aws-account-id-2>:role/<role-name-2>][,...]';
```

**Note**  
The entire role chain is enclosed in single quotes and must not contain spaces.
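A role chain has three requirements stated above: the first role is attached to the cluster, each role's permission policy allows `sts:AssumeRole` on the next role's ARN, and each next role's trust policy names the previous role (or its account root) as a principal. The following Python is an added example, not AWS code or a tool from this guide: it parses an `iam_role` value under the rules just given (comma-separated, no spaces) and checks a chain against the roles' policies. The embedded policies are constructed sample data in the shape of the `RoleA` and `RoleB` policies above, using the page's account numbers; the function names are hypothetical.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample data: the chain used in the UNLOAD example on this page.
ROLE_A = "arn:aws:iam::123456789012:role/RoleA"   # attached to the cluster
ROLE_B = "arn:aws:iam::210987654321:role/RoleB"   # grants access to the bucket

# RoleA's permission policy: may assume RoleB (shape shown above).
PERMISSION_POLICIES: Dict[str, dict] = {
    ROLE_A: {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": ROLE_B}
        ],
    }
}

# RoleB's trust policy: trusts RoleA (shape shown above).
TRUST_POLICIES: Dict[str, dict] = {
    ROLE_B: {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": ROLE_A}}
        ],
    }
}

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=.@/-]+$")


def _as_list(value) -> list:
    """IAM accepts a single string wherever a list is expected; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def parse_iam_role_chain(param: str) -> List[str]:
    """Split an iam_role parameter value into role ARNs.

    Enforces the rules above: comma-separated, no spaces, and every element
    must be an IAM role ARN.
    """
    if not param or any(ch.isspace() for ch in param):
        raise ValueError("iam_role chain must be non-empty and contain no spaces")
    arns = param.split(",")
    bad = [a for a in arns if not ROLE_ARN_RE.match(a)]
    if bad:
        raise ValueError(f"not IAM role ARNs: {bad}")
    return arns


def can_assume(permission_policy: dict, target_arn: str) -> bool:
    """Does the caller's permission policy Allow sts:AssumeRole on target_arn?"""
    for stmt in permission_policy.get("Statement", []):
        if (stmt.get("Effect") == "Allow"
                and "sts:AssumeRole" in _as_list(stmt.get("Action"))
                and target_arn in _as_list(stmt.get("Resource"))):
            return True
    return False


def trusts(trust_policy: dict, caller_arn: str) -> bool:
    """Does the target's trust policy name the caller role, or the caller's
    account root, as an AWS principal for sts:AssumeRole?"""
    m = ROLE_ARN_RE.match(caller_arn)
    if not m:
        return False
    account_root = f"arn:aws:iam::{m.group(1)}:root"
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS"))
        if caller_arn in principals or account_root in principals:
            return True
    return False


def validate_chain(chain: List[str], attached_roles: Iterable[str],
                   permission_policies: Dict[str, dict],
                   trust_policies: Dict[str, dict]) -> List[str]:
    """Return the problems found in a role chain; [] means it is consistent."""
    problems: List[str] = []
    if chain[0] not in set(attached_roles):
        problems.append(f"first role {chain[0]} is not attached to the cluster")
    for caller, target in zip(chain, chain[1:]):
        if not can_assume(permission_policies.get(caller, {}), target):
            problems.append(f"{caller} lacks sts:AssumeRole on {target}")
        if not trusts(trust_policies.get(target, {}), caller):
            problems.append(f"{target} does not trust {caller}")
    return problems
```

Running `validate_chain` on the chain in the wrong order reports every requirement it breaks (the first role is not attached, `RoleB` cannot assume `RoleA`, and `RoleA` does not trust `RoleB`), which is the same set of things to check when a COPY or UNLOAD with chained roles is denied. When the trust policy names the account root rather than the specific role, the checker still passes, because the page's second trust-policy form delegates that decision to the caller's own permission policy.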

In the following examples, `RoleA` is attached to the cluster belonging to AWS account `123456789012`. `RoleB`, which belongs to account `210987654321`, has permission to access the bucket named `s3://companyb/redshift/`. The following example chains `RoleA` and `RoleB` to UNLOAD data to the `s3://companyb/redshift/` bucket.

```
unload ('select * from venue limit 10') 
to 's3://companyb/redshift/venue_pipe_'
iam_role 'arn:aws:iam::123456789012:role/RoleA,arn:aws:iam::210987654321:role/RoleB';
```

The following example uses a COPY command to load the data that was unloaded in the previous example.

```
copy venue 
from 's3://companyb/redshift/venue_pipe_'
iam_role 'arn:aws:iam::123456789012:role/RoleA,arn:aws:iam::210987654321:role/RoleB';
```

In the following example, CREATE EXTERNAL SCHEMA uses chained roles to assume the role `RoleB`.

```
create external schema spectrumexample from data catalog 
database 'exampledb' region 'us-west-2' 
iam_role 'arn:aws:iam::123456789012:role/RoleA,arn:aws:iam::210987654321:role/RoleB';
```

In the following example, CREATE EXTERNAL FUNCTION uses chained roles to assume the role `RoleB`.

```
create external function lambda_example(varchar)
returns varchar
volatile
lambda 'exampleLambdaFunction'
iam_role 'arn:aws:iam::123456789012:role/RoleA,arn:aws:iam::210987654321:role/RoleB';
```

# Authorizing COPY, UNLOAD, CREATE EXTERNAL FUNCTION, and CREATE EXTERNAL SCHEMA operations using IAM roles
<a name="copy-unload-iam-role"></a>

You can use the [COPY](https://docs.aws.amazon.com/redshift/latest/dg/r_COPY.html) command to load (or import) data into Amazon Redshift and the [UNLOAD](https://docs.aws.amazon.com/redshift/latest/dg/r_UNLOAD.html) command to unload (or export) data from Amazon Redshift. You can use the CREATE EXTERNAL FUNCTION command to create user-defined functions that invoke functions from AWS Lambda. 

When you use Amazon Redshift Spectrum, you use the [CREATE EXTERNAL SCHEMA](https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_EXTERNAL_SCHEMA.html) command to specify the location of an Amazon S3 bucket that contains your data. When you run the COPY, UNLOAD, or CREATE EXTERNAL SCHEMA commands, you provide security credentials. These credentials authorize your Amazon Redshift cluster to read or write data to and from your target destination, such as an Amazon S3 bucket. 

When you run CREATE EXTERNAL FUNCTION, you provide security credentials using the IAM role parameter. These credentials authorize your Amazon Redshift cluster to invoke Lambda functions from AWS Lambda. The preferred method to supply security credentials is to specify an AWS Identity and Access Management (IAM) role. For COPY and UNLOAD, you can provide temporary credentials. For information about creating an IAM role, see [Authorizing Amazon Redshift to access AWS services on your behalf](authorizing-redshift-service.md).

Users need programmatic access if they want to interact with AWS outside of the AWS Management Console. The way to grant programmatic access depends on the type of user that's accessing AWS.

To grant users programmatic access, choose one of the following options.



| Which user needs programmatic access? | To | By | 
| --- | --- | --- | 
| IAM | (Recommended) Use console credentials as temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. |  Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/redshift/latest/mgmt/copy-unload-iam-role.html)  | 
|  Workforce identity (Users managed in IAM Identity Center)  | Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. |  Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/redshift/latest/mgmt/copy-unload-iam-role.html)  | 
| IAM | Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. | Following the instructions in [Using temporary credentials with AWS resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html) in the IAM User Guide. | 
| IAM | (Not recommended) Use long-term credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs. |  Following the instructions for the interface that you want to use. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/redshift/latest/mgmt/copy-unload-iam-role.html)  | 

The steps for using an IAM role are as follows:
+ Create an IAM role for use with your Amazon Redshift cluster.
+ Associate the IAM role with the cluster.
+ Include the IAM role's ARN when you call the COPY, UNLOAD, CREATE EXTERNAL SCHEMA, or CREATE EXTERNAL FUNCTION command.

# Associating IAM roles with clusters
<a name="copy-unload-iam-role-associating-with-clusters"></a>

After you have created an IAM role that authorizes Amazon Redshift to access other AWS services for you, you must associate that role with an Amazon Redshift cluster. You must do this before you can use the role to load or unload data. 

## Permissions required to associate an IAM role with a cluster
<a name="copy-unload-iam-role-associating-with-clusters-perms"></a>

To associate an IAM role with a cluster, a user must have `iam:PassRole` permission for that IAM role. This permission allows an administrator to restrict which IAM roles a user can associate with Amazon Redshift clusters. As a best practice, we recommend attaching permissions policies to an IAM role and then assigning it to users and groups as needed. For more information, see [Identity and access management in Amazon Redshift](https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-authentication-access-control.html).

The following example shows an IAM policy that can be attached to a user that allows the user to take these actions: 
+ Get the details for all Amazon Redshift clusters owned by that user's account.
+ Associate any of three IAM roles with either of two Amazon Redshift clusters.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "redshift:DescribeClusters",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "redshift:ModifyClusterIamRoles",
                "redshift:CreateCluster"
            ],
            "Resource": [
                "arn:aws:redshift:us-east-1:123456789012:cluster:my-redshift-cluster",
                "arn:aws:redshift:us-east-1:123456789012:cluster:my-second-redshift-cluster"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": [
                "arn:aws:iam::123456789012:role/MyRedshiftRole",
                "arn:aws:iam::123456789012:role/SecondRedshiftRole",
                "arn:aws:iam::123456789012:role/ThirdRedshiftRole"
            ]
        }
    ]
}
```

After a user has the appropriate permissions, that user can associate an IAM role with an Amazon Redshift cluster. The IAM role is then ready to use with the COPY or UNLOAD command or other Amazon Redshift commands.

For more information on IAM policies, see [Overview of IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the *IAM User Guide*.

## Managing IAM role association with a cluster
<a name="managing-iam-role-association-with-cluster"></a>

You can associate an IAM role with an Amazon Redshift cluster when you create the cluster. Or you can modify an existing cluster and add or remove one or more IAM role associations. 

Be aware of the following:
+ The maximum number of IAM roles that you can associate is subject to a quota.
+ An IAM role can be associated with multiple Amazon Redshift clusters.
+ An IAM role can be associated with an Amazon Redshift cluster only if both the IAM role and the cluster are owned by the same AWS account. 

You can manage IAM role associations for a cluster with the console by using the following procedure.

**To manage IAM role associations**

1. Sign in to the AWS Management Console and open the Amazon Redshift console at [https://console.aws.amazon.com/redshiftv2/](https://console.aws.amazon.com/redshiftv2/).

1. On the navigation menu, choose **Clusters**, then choose the cluster that you want to update.

1. For **Actions**, choose **Manage IAM roles** to display the current list of IAM roles associated with the cluster.

1. On the **Manage IAM roles** page, choose the available IAM roles to add, and then choose **Add IAM role**. 

1. Choose **Done** to save your changes. 

You can manage IAM role associations for a cluster with the AWS CLI by using the following approaches.

To associate an IAM role with a cluster when the cluster is created, specify the Amazon Resource Name (ARN) of the IAM role for the `--iam-role-arns` parameter of the `create-cluster` command. The maximum number of IAM roles that you can add when calling the `create-cluster` command is subject to a quota. 

Associating and disassociating IAM roles with Amazon Redshift clusters is an asynchronous process. You can get the status of all IAM role cluster associations by calling the `describe-clusters` command.

The following example associates two IAM roles with the newly created cluster named `my-redshift-cluster`.

```
aws redshift create-cluster \
    --cluster-identifier "my-redshift-cluster" \
    --node-type "ra3.4xlarge" \
    --number-of-nodes 16 \
    --iam-role-arns "arn:aws:iam::123456789012:role/RedshiftCopyUnload" \
                    "arn:aws:iam::123456789012:role/SecondRedshiftRole"
```

To associate an IAM role with an existing Amazon Redshift cluster, specify the Amazon Resource Name (ARN) of the IAM role for the `--add-iam-roles` parameter of the `modify-cluster-iam-roles` command. The maximum number of IAM roles that you can add when calling the `modify-cluster-iam-roles` command is subject to a quota. 

The following example associates an IAM role with an existing cluster named `my-redshift-cluster`.

```
aws redshift modify-cluster-iam-roles \
    --cluster-identifier "my-redshift-cluster" \
    --add-iam-roles "arn:aws:iam::123456789012:role/RedshiftCopyUnload"
```

To disassociate an IAM role from a cluster, specify the ARN of the IAM role for the `--remove-iam-roles` parameter of the `modify-cluster-iam-roles` command. The maximum number of IAM roles that you can remove when calling the `modify-cluster-iam-roles` command is subject to a quota.

The following example removes the association for an IAM role for the `123456789012` AWS account from a cluster named `my-redshift-cluster`.

```
aws redshift modify-cluster-iam-roles \
    --cluster-identifier "my-redshift-cluster" \
    --remove-iam-roles "arn:aws:iam::123456789012:role/RedshiftCopyUnload"
```

### Listing IAM role associations for a cluster using the AWS CLI
<a name="w2aac37c30c30c35c31b7b9c29"></a>

To list all of the IAM roles that are associated with an Amazon Redshift cluster, and the status of the IAM role association, call the `describe-clusters` command. The ARN for each IAM role associated with the cluster is returned in the `IamRoles` list as shown in the following example output.

Roles that have been associated with the cluster show a status of `in-sync`. Roles that are in the process of being associated with the cluster show a status of `adding`. Roles that are being disassociated from the cluster show a status of `removing`.

```
{
    "Clusters": [
        {
            "ClusterIdentifier": "my-redshift-cluster",
            "NodeType": "ra3.4xlarge",
            "NumberOfNodes": 16,
            "IamRoles": [
                {
                    "IamRoleArn": "arn:aws:iam::123456789012:role/MyRedshiftRole",
                    "IamRoleApplyStatus": "in-sync"
                },
                {
                    "IamRoleArn": "arn:aws:iam::123456789012:role/SecondRedshiftRole",
                    "IamRoleApplyStatus": "in-sync"
                }
            ],
            ...
        },
        {
            "ClusterIdentifier": "my-second-redshift-cluster",
            "NodeType": "ra3.4xlarge",
            "NumberOfNodes": 10,
            "IamRoles": [
                {
                    "IamRoleArn": "arn:aws:iam::123456789012:role/MyRedshiftRole",
                    "IamRoleApplyStatus": "in-sync"
                },
                {
                    "IamRoleArn": "arn:aws:iam::123456789012:role/SecondRedshiftRole",
                    "IamRoleApplyStatus": "in-sync"
                },
                {
                    "IamRoleArn": "arn:aws:iam::123456789012:role/ThirdRedshiftRole",
                    "IamRoleApplyStatus": "in-sync"
                }
            ],
            ...
        }
    ]
}
```
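Because association and disassociation are asynchronous, a script that changes role associations should read `describe-clusters` first, wait for every `IamRoleApplyStatus` to be `in-sync`, and only then compute what to add or remove. The following Python is an added example, not AWS code: it parses the JSON shape shown above (a constructed sample modelled on it, with one association still `adding`), reports in-flight associations, and produces the `--add-iam-roles` / `--remove-iam-roles` arguments that take a cluster to a desired set of roles. The function names are hypothetical; the role and cluster names are the page's sample values.

```python
import json
from typing import Dict, List, Set

MY = "arn:aws:iam::123456789012:role/MyRedshiftRole"
SECOND = "arn:aws:iam::123456789012:role/SecondRedshiftRole"
THIRD = "arn:aws:iam::123456789012:role/ThirdRedshiftRole"

# Constructed sample of `aws redshift describe-clusters` output, modelled on
# the excerpt above. The ThirdRedshiftRole association on the second cluster
# is still in progress.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "Clusters": [
        {
            "ClusterIdentifier": "my-redshift-cluster",
            "NodeType": "ra3.4xlarge",
            "NumberOfNodes": 16,
            "IamRoles": [
                {"IamRoleArn": MY, "IamRoleApplyStatus": "in-sync"},
                {"IamRoleArn": SECOND, "IamRoleApplyStatus": "in-sync"},
            ],
        },
        {
            "ClusterIdentifier": "my-second-redshift-cluster",
            "NodeType": "ra3.4xlarge",
            "NumberOfNodes": 10,
            "IamRoles": [
                {"IamRoleArn": MY, "IamRoleApplyStatus": "in-sync"},
                {"IamRoleArn": THIRD, "IamRoleApplyStatus": "adding"},
            ],
        },
    ]
})


def role_status(describe_output: str, cluster_id: str) -> Dict[str, str]:
    """Map role ARN -> IamRoleApplyStatus for one cluster."""
    for cluster in json.loads(describe_output)["Clusters"]:
        if cluster["ClusterIdentifier"] == cluster_id:
            return {r["IamRoleArn"]: r["IamRoleApplyStatus"]
                    for r in cluster.get("IamRoles", [])}
    raise KeyError(f"no cluster named {cluster_id}")


def pending_roles(status: Dict[str, str]) -> Dict[str, str]:
    """Associations that are still 'adding' or 'removing'."""
    return {arn: s for arn, s in status.items() if s != "in-sync"}


def ready_for_command(status: Dict[str, str], role_arn: str) -> bool:
    """True once the role can be named in COPY/UNLOAD on this cluster."""
    return status.get(role_arn) == "in-sync"


def plan_modify_iam_roles(status: Dict[str, str], desired: Set[str]) -> List[str]:
    """Arguments for `aws redshift modify-cluster-iam-roles` that take the
    cluster from its current associations to `desired`; [] if already there.

    Refuses to plan while an association is in flight: the operation is
    asynchronous, so act only on an in-sync baseline.
    """
    pending = pending_roles(status)
    if pending:
        raise RuntimeError(f"associations still in progress: {pending}")
    current = set(status)
    args: List[str] = []
    to_add = sorted(desired - current)
    to_remove = sorted(current - desired)
    if to_add:
        args += ["--add-iam-roles", *to_add]
    if to_remove:
        args += ["--remove-iam-roles", *to_remove]
    return args


if __name__ == "__main__":
    st = role_status(SAMPLE_DESCRIBE_OUTPUT, "my-redshift-cluster")
    print(["aws", "redshift", "modify-cluster-iam-roles",
           "--cluster-identifier", "my-redshift-cluster",
           *plan_modify_iam_roles(st, {MY, THIRD})])
```

The plan is a pure function of the observed state, so it can be reviewed before anything is applied; in practice you would re-run `describe-clusters` after the change and poll `pending_roles` until it returns an empty dict before issuing the COPY or UNLOAD that names the new role.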

For more information on using the AWS CLI, see *[AWS CLI User Guide](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html)*.

# Creating an IAM role as default for Amazon Redshift
<a name="default-iam-role"></a>

 When you create IAM roles through the Redshift console, Amazon Redshift programmatically creates the roles in your AWS account and automatically attaches existing AWS managed policies to them. This approach means that you can stay within the Redshift console and don't have to switch to the IAM console for role creation. For more granular control of permissions for an existing IAM role that was created in the Amazon Redshift console, you can attach a customized managed policy to the IAM role. 

## IAM roles created in the console
<a name="default-iam-role-overview"></a>

When you use the Amazon Redshift console to create IAM roles, Amazon Redshift tracks all IAM roles created through the console. Amazon Redshift preselects the most recent default IAM role for creating all new clusters and restoring clusters from snapshots.

You can create an IAM role through the console that has a policy with permissions to run SQL commands. These commands include COPY, UNLOAD, CREATE EXTERNAL FUNCTION, CREATE EXTERNAL TABLE, CREATE EXTERNAL SCHEMA, CREATE MODEL, or CREATE LIBRARY. Optionally, you can get more granular control of user access to your AWS resources by creating and attaching custom policies to the IAM role.

When you create an IAM role and set it as the default for the cluster using the console, you don't have to provide the IAM role's Amazon Resource Name (ARN) to perform authentication and authorization.

The IAM role that you create through the console for your cluster has the `AmazonRedshiftAllCommandsFullAccess` managed policy automatically attached. This IAM role allows Amazon Redshift to copy, unload, query, and analyze data for AWS resources in your IAM account. The managed policy provides access to [COPY](https://docs.aws.amazon.com/redshift/latest/dg/copy-parameters-authorization.html), [UNLOAD](https://docs.aws.amazon.com/redshift/latest/dg/r_UNLOAD.html), [CREATE EXTERNAL FUNCTION](https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_EXTERNAL_FUNCTION.html), [CREATE EXTERNAL SCHEMA](https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_EXTERNAL_SCHEMA.html), [CREATE MODEL](https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_MODEL.html), and [CREATE LIBRARY](https://docs.aws.amazon.com/redshift/latest/dg/r_CREATE_LIBRARY.html) operations. The policy also grants permissions to run SELECT statements for related AWS services, such as Amazon S3, Amazon CloudWatch Logs, Amazon SageMaker AI, and AWS Glue.

The CREATE EXTERNAL FUNCTION, CREATE EXTERNAL SCHEMA, CREATE MODEL, and CREATE LIBRARY commands have a `default` keyword. When you use this keyword with these commands, Amazon Redshift uses the IAM role that is set as the default and associated with the cluster when the command runs. You can run the [DEFAULT_IAM_ROLE](https://docs.aws.amazon.com/redshift/latest/dg/r_DEFAULT_IAM_ROLE.html) command to check the current default IAM role that is attached to the cluster.

To control access privileges of the IAM role created and set as default for your Redshift cluster, use the ASSUMEROLE privilege. This access control applies to database users and groups when they run commands such as those listed previously. After you grant the ASSUMEROLE privilege to a user or group for the IAM role, the user or group can assume that role when running these commands. By using the ASSUMEROLE privilege, you can grant access to the appropriate commands as required.

Using the Amazon Redshift console, you can do the following:
+ [Creating an IAM role as the default](#create-iam)
+ [Removing IAM roles from your cluster](#remove-iam)
+ [Associating IAM roles with your cluster](#associate-iam)
+ [Setting an IAM role as the default](#set-default-iam)
+ [Making an IAM role no longer default for your cluster](#clear-default-iam)

## Permissions of the AmazonRedshiftAllCommandsFullAccess managed policy
<a name="default-iam-role-permissions"></a>

The following example shows the permissions in the `AmazonRedshiftAllCommandsFullAccess` managed policy that allow certain actions for the IAM role that is set as default for your cluster. The IAM role with permission policies attached authorizes what a user or group can and can't do. Given these permissions, you can run the COPY command from Amazon S3, run UNLOAD, and use the CREATE MODEL command. 

```
{
    "Effect": "Allow",
    "Action": [
        "s3:GetObject",
        "s3:GetBucketAcl",
        "s3:GetBucketCors",
        "s3:GetEncryptionConfiguration",
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:ListAllMyBuckets",
        "s3:ListMultipartUploadParts",
        "s3:ListBucketMultipartUploads",
        "s3:PutObject",
        "s3:PutBucketAcl",
        "s3:PutBucketCors",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload",
        "s3:CreateBucket"
    ],
    "Resource": [
        "arn:aws:s3:::redshift-downloads",
        "arn:aws:s3:::redshift-downloads/*",
        "arn:aws:s3:::*redshift*",
        "arn:aws:s3:::*redshift*/*"
    ]
}
```

The following example shows the permissions in the `AmazonRedshiftAllCommandsFullAccess` managed policy that allow certain actions for the IAM role that is set as default for the cluster. The IAM role with permission policies attached authorizes what a user or group can and can't do. Given the following permissions, you can run the CREATE EXTERNAL FUNCTION command.

```
{
    "Action": [
        "lambda:InvokeFunction"
    ],
    "Resource": "arn:aws:lambda:*:*:function:*redshift*"
}
```

The following example shows the permissions in the `AmazonRedshiftAllCommandsFullAccess` managed policy that allow certain actions for the IAM role that is set as default for the cluster. The IAM role with permission policies attached authorizes what a user or group can and can't do. Given the following permissions, you can run the CREATE EXTERNAL SCHEMA and CREATE EXTERNAL TABLE commands needed for Amazon Redshift Spectrum. 

```
{
    "Effect": "Allow",
    "Action": [
        "glue:CreateDatabase",
        "glue:DeleteDatabase",
        "glue:GetDatabase",
        "glue:GetDatabases",
        "glue:UpdateDatabase",
        "glue:CreateTable",
        "glue:DeleteTable",
        "glue:BatchDeleteTable",
        "glue:UpdateTable",
        "glue:GetTable",
        "glue:GetTables",
        "glue:BatchCreatePartition",
        "glue:CreatePartition",
        "glue:DeletePartition",
        "glue:BatchDeletePartition",
        "glue:UpdatePartition",
        "glue:GetPartition",
        "glue:GetPartitions",
        "glue:BatchGetPartition"
    ],
    "Resource": [
        "arn:aws:glue:*:*:table/*redshift*/*",
        "arn:aws:glue:*:*:catalog",
        "arn:aws:glue:*:*:database/*redshift*"
    ]
}
```

The following example shows the permissions in the `AmazonRedshiftAllCommandsFullAccess` managed policy that allow certain actions for the IAM role set as default for the cluster. The IAM role with permission policies attached authorizes what a user or group can and can't do. Given the following permissions, you can run the CREATE EXTERNAL SCHEMA command using federated queries. 

```
[
    {
        "Effect": "Allow",
        "Action": [
            "secretsmanager:GetResourcePolicy",
            "secretsmanager:GetSecretValue",
            "secretsmanager:DescribeSecret",
            "secretsmanager:ListSecretVersionIds"
        ],
        "Resource": [
            "arn:aws:secretsmanager:*:*:secret:*Redshift*"
        ]
    },
    {
        "Effect": "Allow",
        "Action": [
            "secretsmanager:GetRandomPassword",
            "secretsmanager:ListSecrets"
        ],
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "secretsmanager:ResourceTag/Redshift": "true"
            }
        }
    }
]
```
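The three fragments above share one scoping pattern: the role is allowed to reach only Lambda functions, AWS Glue databases and tables, and Secrets Manager secrets whose ARN contains `redshift` (or, for secrets, `Redshift`, since the match is case-sensitive), and the one statement on `Resource: "*"` is fenced by a tag condition. Resource naming is therefore the access-control boundary, which is worth checking mechanically when you write your own role policies for a cluster. The following script is an added example, not AWS code and not part of the managed policy; `SAMPLE_POLICY` is a constructed document that reuses the fragments from this page plus one deliberately over-broad statement for contrast.

```python
"""Audit IAM policy statements for the scoping discipline shown above.

Added example, not AWS code. A statement fails the audit if it grants a
wildcard action, grants Resource "*" without any Condition, or names a
resource ARN that carries no Redshift marker (the bare Glue catalog ARN
has no name component and is accepted as-is).
"""
from __future__ import annotations

# Constructed sample: the page's three fragments assembled into one policy
# document, plus statement 3, which is deliberately over-broad.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["lambda:InvokeFunction"],
            "Resource": "arn:aws:lambda:*:*:function:*redshift*",
        },
        {
            "Effect": "Allow",
            "Action": ["glue:GetTable", "glue:GetTables", "glue:GetPartitions"],
            "Resource": [
                "arn:aws:glue:*:*:table/*redshift*/*",
                "arn:aws:glue:*:*:catalog",
                "arn:aws:glue:*:*:database/*redshift*",
            ],
        },
        {
            "Effect": "Allow",
            "Action": ["secretsmanager:GetRandomPassword", "secretsmanager:ListSecrets"],
            "Resource": "*",
            "Condition": {"StringEquals": {"secretsmanager:ResourceTag/Redshift": "true"}},
        },
        {
            # Over-broad statement, constructed for contrast: full S3 access to everything.
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*",
        },
    ],
}


def as_list(value) -> list:
    """IAM accepts either a string or a list for Action and Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def resource_scoped(arn: str, markers=("redshift", "Redshift")) -> bool:
    """True if the ARN is the bare Glue catalog or its name carries one of the markers."""
    if arn.endswith(":catalog"):
        return True
    return any(marker in arn for marker in markers)


def audit_policy(doc: dict) -> list[dict]:
    """Return one finding per problem found; an empty list means the policy passes."""
    findings: list[dict] = []
    for index, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        actions = as_list(stmt.get("Action"))
        resources = as_list(stmt.get("Resource"))
        has_condition = bool(stmt.get("Condition"))

        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append({"statement": index, "issue": "wildcard action", "detail": action})

        for resource in resources:
            if resource == "*":
                if not has_condition:
                    findings.append({"statement": index,
                                     "issue": "unconditional wildcard resource",
                                     "detail": resource})
            elif not resource_scoped(resource):
                findings.append({"statement": index,
                                 "issue": "resource not scoped by name",
                                 "detail": resource})
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(f"statement {finding['statement']}: {finding['issue']} ({finding['detail']})")
```

Run against `SAMPLE_POLICY`, the audit passes the three statements taken from the page and reports two findings for the constructed fourth statement (a wildcard action and an unconditional wildcard resource). The marker list is a parameter because the managed policy itself is inconsistent about case (`*redshift*` for Lambda and Glue, `*Redshift*` for secrets); when you write your own policies, pick one spelling and apply it to the resource names too.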

## Managing IAM roles created for a cluster using the console
<a name="managing-iam-role-console"></a>

To create, modify, and remove IAM roles created from the Amazon Redshift console, use the **Clusters** section in the console.

### Creating an IAM role as the default
<a name="create-iam"></a>

On the console, you can create an IAM role for your cluster that has the `AmazonRedshiftAllCommandsFullAccess` policy automatically attached. The new IAM role that you create allows Amazon Redshift to copy, load, query, and analyze data from AWS resources in your AWS account.

There can only be one IAM role set as the default for the cluster. If you create another IAM role as the cluster default when an existing IAM role is currently assigned as the default, the new IAM role replaces the other one as default.

**To create a new cluster and an IAM role set as the default for the new cluster**

1. Sign in to the AWS Management Console and open the Amazon Redshift console at [https://console.aws.amazon.com/redshiftv2/](https://console.aws.amazon.com/redshiftv2/).

1. On the navigation menu, choose **Clusters**. The clusters for your account in the current AWS Region are listed. A subset of properties of each cluster is displayed in columns in the list.

1. Choose **Create cluster** to create a cluster.

1. Follow the instructions on the console page to enter the properties for **Cluster configuration**. For more information about this step, see [Creating a cluster](create-cluster.md).

1. (Optional) Choose **Load sample data** to load the sample data set to your Amazon Redshift cluster to start using the query editor to query data. 

   If you are behind a firewall, the database port must be an open port that accepts inbound connections. 

1. Follow the instructions on the console page to enter properties for **Database configurations**.

1. Under **Cluster permissions**, from **Manage IAM roles**, choose **Create IAM role**.

1. Specify an Amazon S3 bucket for the IAM role to access by choosing one of the following methods:
   + Choose **No additional Amazon S3 bucket** to create the IAM role without specifying specific Amazon S3 buckets.
   + Choose **Any Amazon S3 bucket** to allow users that have access to your Amazon Redshift cluster to also access any Amazon S3 bucket and its contents in your AWS account.
   + Choose **Specific Amazon S3 buckets** to specify one or more Amazon S3 buckets that the IAM role being created has permission to access. Then choose one or more Amazon S3 buckets from the table.

1. Choose **Create IAM role as default**. Amazon Redshift automatically creates and sets the IAM role as the default for your cluster.

1. Choose **Create cluster** to create the cluster. The cluster might take several minutes to be ready to use.

### Removing IAM roles from your cluster
<a name="remove-iam"></a>

You can remove one or more IAM roles from your cluster.

**To remove IAM roles from your cluster**

1. Sign in to the AWS Management Console and open the Amazon Redshift console at [https://console.aws.amazon.com/redshiftv2/](https://console.aws.amazon.com/redshiftv2/).

1. On the navigation menu, choose **Clusters**. The clusters for your account in the current AWS Region are listed. A subset of properties of each cluster is displayed in columns in the list.

1. Choose the cluster that you want to remove the IAM role from.

1. Under **Cluster permissions**, choose one or more IAM roles that you want to remove from the cluster.

1. From **Manage IAM roles**, choose **Remove IAM roles**.

### Associating IAM roles with your cluster
<a name="associate-iam"></a>

You can associate one or more IAM roles with your cluster.

**To associate IAM roles with your cluster**

1. Sign in to the AWS Management Console and open the Amazon Redshift console at [https://console.aws.amazon.com/redshiftv2/](https://console.aws.amazon.com/redshiftv2/).

1. On the navigation menu, choose **Clusters**. The clusters for your account in the current AWS Region are listed. A subset of properties of each cluster is displayed in columns in the list.

1. Choose the cluster that you want to associate IAM roles with.

1. Under **Cluster permissions**, choose one or more IAM roles that you want to associate with the cluster.

1. From **Manage IAM roles**, choose **Associate IAM roles**.

1. Choose one or more IAM roles to associate with your cluster.

1. Choose **Associate IAM roles**.

### Setting an IAM role as the default
<a name="set-default-iam"></a>

You can set an IAM role as the default for your cluster.

**To make an IAM role the default for your cluster**

1. Sign in to the AWS Management Console and open the Amazon Redshift console at [https://console.aws.amazon.com/redshiftv2/](https://console.aws.amazon.com/redshiftv2/).

1. On the navigation menu, choose **Clusters**. The clusters for your account in the current AWS Region are listed. A subset of properties of each cluster is displayed in columns in the list.

1. Choose the cluster that you want to set a default IAM role for.

1. Under **Cluster permissions**, from **Associated IAM roles**, choose the IAM role that you want to make the default for the cluster.

1. Under **Set default**, choose **Make default**.

1. When prompted, choose **Set default** to confirm making the specified IAM role as the default.

### Making an IAM role no longer default for your cluster
<a name="clear-default-iam"></a>

You can make an IAM role no longer the default for your cluster.

**To clear an IAM role as the default for your cluster**

1. Sign in to the AWS Management Console and open the Amazon Redshift console at [https://console.aws.amazon.com/redshiftv2/](https://console.aws.amazon.com/redshiftv2/).

1. On the navigation menu, choose **Clusters**. The clusters for your account in the current AWS Region are listed. A subset of properties of each cluster is displayed in columns in the list.

1. Choose the cluster whose default IAM role you want to clear.

1. Under **Cluster permissions**, from **Associated IAM roles**, choose the default IAM role.

1. Under **Set default**, choose **Clear default**.

1. When prompted, choose **Clear default** to confirm clearing the specified IAM role as the default.

## Managing IAM roles created on the cluster using the AWS CLI
<a name="managing-iam-role-association-with-cluster-cli"></a>

You can manage IAM roles created on the cluster using the AWS CLI.

### To create an Amazon Redshift cluster with an IAM role set as default
<a name="create-cluster-iam"></a>

To create an Amazon Redshift cluster with an IAM role set as the default for the cluster, use the `aws redshift create-cluster` AWS CLI command.

The following AWS CLI command creates an Amazon Redshift cluster, associates the existing IAM roles `myrole1` and `myrole2` with it, and sets `myrole1` as the default for the cluster.

```
aws redshift create-cluster \
    --node-type dc2.large \
    --number-of-nodes 2 \
    --master-username adminuser \
    --master-user-password TopSecret1 \
    --cluster-identifier mycluster \
    --iam-roles 'arn:aws:iam::012345678910:role/myrole1' 'arn:aws:iam::012345678910:role/myrole2' \
    --default-iam-role-arn 'arn:aws:iam::012345678910:role/myrole1'
```

The following snippet is an example of the response.

```
{
    "Cluster": {
        "ClusterIdentifier": "mycluster",
        "NodeType": "dc2.large",
        "MasterUsername": "adminuser",
        "DefaultIamRoleArn": "arn:aws:iam::012345678910:role/myrole1",
        "IamRoles": [
            {
                "IamRoleArn": "arn:aws:iam::012345678910:role/myrole1",
                "ApplyStatus": "adding"
            },
            {
                "IamRoleArn": "arn:aws:iam::012345678910:role/myrole2",
                "ApplyStatus": "adding"
            }
        ],
        ...
    }
}
```

### To add one or more IAM roles to an Amazon Redshift cluster
<a name="modify-cluster-add-iam"></a>

To add one or more IAM roles to the roles associated with the cluster, use the `aws redshift modify-cluster-iam-roles` AWS CLI command.

The following AWS CLI command adds `myrole3` and `myrole4` to the cluster.

```
aws redshift modify-cluster-iam-roles \
    --cluster-identifier mycluster \
    --add-iam-roles 'arn:aws:iam::012345678910:role/myrole3' 'arn:aws:iam::012345678910:role/myrole4'
```

The following snippet is an example of the response.

```
{
    "Cluster": {
        "ClusterIdentifier": "mycluster",
        "NodeType": "dc2.large",
        "MasterUsername": "adminuser",
        "DefaultIamRoleArn": "arn:aws:iam::012345678910:role/myrole1",
        "IamRoles": [
            {
                "IamRoleArn": "arn:aws:iam::012345678910:role/myrole1",
                "ApplyStatus": "in-sync"
            },
            {
                "IamRoleArn": "arn:aws:iam::012345678910:role/myrole2",
                "ApplyStatus": "in-sync"
            },
            {
                "IamRoleArn": "arn:aws:iam::012345678910:role/myrole3",
                "ApplyStatus": "adding"
            },
            {
                "IamRoleArn": "arn:aws:iam::012345678910:role/myrole4",
                "ApplyStatus": "adding"
            }
        ],
        ...
    }
}
```

### To remove one or more IAM roles from an Amazon Redshift cluster
<a name="modify-cluster-remove-iam"></a>

To remove one or more IAM roles from the roles associated with the cluster, use the `aws redshift modify-cluster-iam-roles` AWS CLI command.

The following AWS CLI command removes `myrole3` and `myrole4` from the cluster.

```
aws redshift modify-cluster-iam-roles \
    --cluster-identifier mycluster \
    --remove-iam-roles 'arn:aws:iam::012345678910:role/myrole3' 'arn:aws:iam::012345678910:role/myrole4'
```

The following snippet is an example of the response.

```
{
    "Cluster": {
        "ClusterIdentifier": "mycluster",
        "NodeType": "dc2.large",
        "MasterUsername": "adminuser",
        "DefaultIamRoleArn": "arn:aws:iam::012345678910:role/myrole1",
        "IamRoles": [
            {
                "IamRoleArn": "arn:aws:iam::012345678910:role/myrole1",
                "ApplyStatus": "in-sync"
            },
            {
                "IamRoleArn": "arn:aws:iam::012345678910:role/myrole2",
                "ApplyStatus": "in-sync"
            },
            {
                "IamRoleArn": "arn:aws:iam::012345678910:role/myrole3",
                "ApplyStatus": "removing"
            },
            {
                "IamRoleArn": "arn:aws:iam::012345678910:role/myrole4",
                "ApplyStatus": "removing"
            }
        ],
        ...
    }
}
```

### To set an associated IAM role as the default for the cluster
<a name="modify-cluster-default-iam-associated"></a>

To set an associated IAM role as the default for the cluster, use the `aws redshift modify-cluster-iam-roles` AWS CLI command.

The following AWS CLI command sets `myrole2` as the default for the cluster.

```
aws redshift modify-cluster-iam-roles \
    --cluster-identifier mycluster \
    --default-iam-role-arn 'arn:aws:iam::012345678910:role/myrole2'
```

The following snippet is an example of the response.

```
{
    "Cluster": {
        "ClusterIdentifier": "mycluster",
        "NodeType": "dc2.large",
        "MasterUsername": "adminuser",
        "DefaultIamRoleArn": "arn:aws:iam::012345678910:role/myrole2",
        "IamRoles": [
            {
                "IamRoleArn": "arn:aws:iam::012345678910:role/myrole1",
                "ApplyStatus": "in-sync"
            },
            {
                "IamRoleArn": "arn:aws:iam::012345678910:role/myrole2",
                "ApplyStatus": "in-sync"
            }
        ],
        ...
    }
}
```

### To set an unassociated IAM role as the default for the cluster
<a name="modify-cluster-default-iam-not-associated"></a>

To set an unassociated IAM role as the default for the cluster, use the `aws redshift modify-cluster-iam-roles` AWS CLI command.

The following AWS CLI command adds `myrole3` to the Amazon Redshift cluster and sets it as the default for the cluster.

```
aws redshift modify-cluster-iam-roles \
    --cluster-identifier mycluster \
    --add-iam-roles 'arn:aws:iam::012345678910:role/myrole3' \
    --default-iam-role-arn 'arn:aws:iam::012345678910:role/myrole3'
```

The following snippet is an example of the response.

```
{
    "Cluster": {
        "ClusterIdentifier": "mycluster",
        "NodeType": "dc2.large",
        "MasterUsername": "adminuser",
        "DefaultIamRoleArn": "arn:aws:iam::012345678910:role/myrole3",
        "IamRoles": [
            {
                "IamRoleArn": "arn:aws:iam::012345678910:role/myrole1",
                "ApplyStatus": "in-sync"
            },
            {
                "IamRoleArn": "arn:aws:iam::012345678910:role/myrole2",
                "ApplyStatus": "in-sync"
            },
            {
                "IamRoleArn": "arn:aws:iam::012345678910:role/myrole3",
                "ApplyStatus": "adding"
            }
        ],
        ...
    }
}
```

### To restore a cluster from a snapshot and set an IAM role as the default for it
<a name="restore-cluster-iam"></a>

When you restore your cluster from a snapshot, you can either associate an existing IAM role or create a new one and set it as the default for the cluster.

To restore an Amazon Redshift cluster from a snapshot and set an IAM role as the cluster default, use the `aws redshift restore-from-cluster-snapshot` AWS CLI command.

The following AWS CLI command restores the cluster from a snapshot, associates `myrole1` and `myrole2` with it, and sets `myrole1` as the default for the cluster.

```
aws redshift restore-from-cluster-snapshot \
    --cluster-identifier mycluster-clone \
    --snapshot-identifier my-snapshot-id \
    --iam-roles 'arn:aws:iam::012345678910:role/myrole1' 'arn:aws:iam::012345678910:role/myrole2' \
    --default-iam-role-arn 'arn:aws:iam::012345678910:role/myrole1'
```

The following snippet is an example of the response.

```
{
    "Cluster": {
        "ClusterIdentifier": "mycluster-clone",
        "NodeType": "dc2.large",
        "MasterUsername": "adminuser",
        "DefaultIamRoleArn": "arn:aws:iam::012345678910:role/myrole1",
        "IamRoles": [
            {
                "IamRoleArn": "arn:aws:iam::012345678910:role/myrole1",
                "ApplyStatus": "adding"
            },
            {
                "IamRoleArn": "arn:aws:iam::012345678910:role/myrole2",
                "ApplyStatus": "adding"
            }
        ],
        ...
    }
}
```
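Every response in this section reports an `ApplyStatus` per role (`adding`, `removing`, or `in-sync`), and the CLI returns before the association has finished. A script that runs `COPY` or creates an external schema right after `modify-cluster-iam-roles` should therefore wait until the roles it needs are `in-sync`. The following function is an added example, not the AWS CLI or an AWS SDK: it takes the `Cluster` object from one of these responses (the same shape that `aws redshift describe-clusters --cluster-identifier mycluster --query 'Clusters[0]'` returns) and summarises which roles are still pending and whether the default role is usable. `SAMPLE_RESPONSE` is constructed from the responses shown above.

```python
"""Summarise the IAM role association state of a Redshift cluster.

Added example, not AWS code. Works on the "Cluster" object returned by
modify-cluster-iam-roles, create-cluster, restore-from-cluster-snapshot,
or one element of describe-clusters' "Clusters" list.
"""
import json

# Constructed from the responses on this page: two settled roles, one being
# added, one being removed. Fields not needed here are omitted.
SAMPLE_RESPONSE = json.loads("""
{
    "Cluster": {
        "ClusterIdentifier": "mycluster",
        "DefaultIamRoleArn": "arn:aws:iam::012345678910:role/myrole1",
        "IamRoles": [
            {"IamRoleArn": "arn:aws:iam::012345678910:role/myrole1", "ApplyStatus": "in-sync"},
            {"IamRoleArn": "arn:aws:iam::012345678910:role/myrole2", "ApplyStatus": "in-sync"},
            {"IamRoleArn": "arn:aws:iam::012345678910:role/myrole3", "ApplyStatus": "adding"},
            {"IamRoleArn": "arn:aws:iam::012345678910:role/myrole4", "ApplyStatus": "removing"}
        ]
    }
}
""")


def role_status(cluster: dict) -> dict:
    """Return in-sync roles, pending roles with their state, and default-role readiness."""
    statuses = {r["IamRoleArn"]: r["ApplyStatus"] for r in cluster.get("IamRoles", [])}
    default_arn = cluster.get("DefaultIamRoleArn")
    # A role that is still "adding" cannot yet be used by the cluster; a role
    # that is "removing" is on its way out and disappears from the list once
    # the removal completes, so both count as pending.
    pending = {arn: state for arn, state in statuses.items() if state != "in-sync"}
    return {
        "cluster": cluster.get("ClusterIdentifier"),
        "in_sync": sorted(arn for arn, state in statuses.items() if state == "in-sync"),
        "pending": pending,
        "default_role": default_arn,
        "default_ready": default_arn is not None and statuses.get(default_arn) == "in-sync",
        "settled": not pending,
    }


def settled(cluster: dict) -> bool:
    """True once every associated role is in-sync."""
    return role_status(cluster)["settled"]


if __name__ == "__main__":
    print(json.dumps(role_status(SAMPLE_RESPONSE["Cluster"]), indent=2))
```

To poll a live cluster, pipe the output of `aws redshift describe-clusters --cluster-identifier mycluster --query 'Clusters[0]'` into `role_status` and loop until `settled` is true. A separate point worth checking in the same loop is `default_ready`: the "unassociated role" case above sets a role as default in the same call that adds it, so the default is reported immediately even though the role itself is still `adding`.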

# Using a federated identity to manage Amazon Redshift access to local resources and Amazon Redshift Spectrum external tables
<a name="authorization-fas-spectrum"></a>

Using identity federation in AWS with credentials provided from `GetDatabaseCredentials` can simplify authorization and access to local data and to external data. In this tutorial, we show you how to provide access to resources with AWS identity federation, instead of using a specific IAM role. 

Currently, to give users access to external data that resides in Amazon S3, you create an IAM role with permissions defined in a permissions policy. Then, users with the role attached can access the external data. This works, but if you want to provide granular rules, such as making specific columns unavailable for a particular user, you may have to do additional configuration on the external schema. 

Identity federation, with credentials provided from `GetDatabaseCredentials`, can provide access to AWS Glue and Redshift Spectrum resources with granular IAM rules that are easier to specify and change. This makes it easier to apply access that conforms to your business rules.

The benefits of using federated credentials are the following: 
+ You don't have to manage cluster-attached IAM roles for Redshift Spectrum.
+ Cluster administrators can create an external schema that's accessible by consumers with different IAM contexts. This is useful, for example, to perform column filtering on a table, where different consumers query the same external schema and get varying fields in returned records.
+ You can query Amazon Redshift using a user with IAM permissions, rather than only with a role.

## Preparing an identity to log in with federated identity
<a name="authorization-fas-spectrum-getting-started-iam"></a>

Before logging in with federated identity, you must perform several preliminary steps. These instructions assume you have an existing Redshift Spectrum external schema that references a data file stored in an Amazon S3 bucket, and the bucket is in the same account as your Amazon Redshift cluster or Amazon Redshift Serverless data warehouse.

1. Create an IAM identity. This can be a user or an IAM role. Use any name supported by IAM.

1. Attach permissions policies to the identity. Specify either of the following:
   + `redshift:GetClusterCredentialsWithIAM` (for an Amazon Redshift provisioned cluster)
   + `redshift-serverless:GetCredentials` (for Amazon Redshift Serverless)

   You can add permissions with the policy editor, using the IAM console.

   The IAM identity also needs permissions to access external data. Grant access to Amazon S3 by adding the following AWS managed policies directly:
   + `AmazonS3ReadOnlyAccess`
   + `AWSGlueConsoleFullAccess`

   The last managed policy is required if you're using AWS Glue to prepare your external data. For more information about the steps for granting access to Amazon Redshift Spectrum, see [Create an IAM role for Amazon Redshift](https://docs.aws.amazon.com/redshift/latest/dg/c-getting-started-using-spectrum-create-role.html), which is part of the getting-started guide for Amazon Redshift and Redshift Spectrum. It shows the steps for adding IAM policies to access Redshift Spectrum. 

1. Set up your SQL client to connect to Amazon Redshift. Use the Amazon Redshift JDBC driver, and add your user's credentials to the tool's credential properties. A client like SQL Workbench/J works well for this. Set the following client-connection extended properties:
   + *AccessKeyID* – Your access key identifier.
   + *SecretAccessKey* – Your secret access key. (Note the security risk of transmitting the secret key if you don't use encryption.) 
   + *SessionToken* – A set of temporary credentials for an IAM role.
   + *groupFederation* – Set to `true` if you're configuring federated identity for a provisioned cluster. Don't set this parameter if you are using Amazon Redshift Serverless. 
   + *LogLevel* – Integer log-level value. This is optional.

1. Set the URL to the JDBC endpoint found in the Amazon Redshift or Amazon Redshift Serverless console. Replace your URL schema with *jdbc:redshift:iam:* and use this formatting:
   + Format for an Amazon Redshift provisioned cluster: `jdbc:redshift:iam://<cluster_id>.<unique_suffix>.<region>.redshift.amazonaws.com:<port>/<database_name>`

     Example: `jdbc:redshift:iam://test1.12345abcdefg.us-east-1.redshift.amazonaws.com:5439/dev`
   + Format for Amazon Redshift Serverless: `jdbc:redshift:iam://<workgroup-name>.<account-number>.<aws-region>.redshift-serverless.amazonaws.com:<port>/<database_name>`

     Example: `jdbc:redshift:iam://default.123456789012.us-east-1.redshift-serverless.amazonaws.com:5439/dev`

   After you connect to the database for the first time, using an IAM identity, Amazon Redshift automatically creates an Amazon Redshift identity with the same name, prefixed with `IAM:` for a user or `IAMR:` for an IAM role. The remaining steps in this topic show examples for a user.

   If a Redshift user isn't automatically created, you can create one by running a `CREATE USER` statement, using an admin account, specifying the user name in the format `IAM:<user name>`.

1. As your Amazon Redshift cluster administrator, grant the Redshift user the required permissions to access the external schema.

   ```
   GRANT ALL ON SCHEMA my_schema to "IAM:my_user";
   ```

   To grant the ability to your Redshift user to create tables in the external schema, they must be a schema owner. For example:

   ```
   ALTER SCHEMA my_schema owner to "IAM:my_user";
   ```

1. To verify the configuration, run a query as the user, using the SQL client, after permissions are granted. This query sample retrieves data from an external table. 

   ```
   SELECT * FROM my_schema.my_table;
   ```
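The connection step above is where most configuration mistakes happen: the scheme must be `jdbc:redshift:iam:`, the provisioned and Serverless hosts have different shapes, and the credential properties (`AccessKeyID`, `SecretAccessKey`, `SessionToken`) belong in the client's connection properties rather than in the URL, where they would end up in logs, shell history and process listings. The following parser is an added example, not part of the Amazon Redshift JDBC driver; it recognises the two endpoint formats given above, extracts the host components, and rejects a malformed host/port or a credential embedded in the URL query string. The two valid URLs are the examples from this page; the invalid ones are constructed.

```python
"""Parse and validate a jdbc:redshift:iam URL before handing it to a SQL client.

Added example, not part of the Amazon Redshift JDBC driver. Assumes the
endpoint shapes documented above for provisioned clusters and Serverless
workgroups; anything else is rejected rather than guessed at.
"""
import re

_REGION = r"(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)"
_TAIL = r":(?P<port>\d{1,5})/(?P<database>[A-Za-z0-9_]+)(?:\?(?P<query>.*))?$"

PROVISIONED = re.compile(
    r"^jdbc:redshift:iam://(?P<cluster_id>[a-z0-9-]+)\.(?P<suffix>[a-z0-9]+)\."
    + _REGION + r"\.redshift\.amazonaws\.com" + _TAIL
)
SERVERLESS = re.compile(
    r"^jdbc:redshift:iam://(?P<workgroup>[a-z0-9-]+)\.(?P<account>\d{12})\."
    + _REGION + r"\.redshift-serverless\.amazonaws\.com" + _TAIL
)

# Connection properties that must never travel in the URL string itself.
CREDENTIAL_KEYS = {"accesskeyid", "secretaccesskey", "sessiontoken", "password"}


def parse_iam_jdbc_url(url: str) -> dict:
    """Return the URL's components, or raise ValueError describing what is wrong."""
    if not url.startswith("jdbc:redshift:iam://"):
        raise ValueError("IAM authentication requires the jdbc:redshift:iam: scheme")
    for kind, pattern in (("provisioned", PROVISIONED), ("serverless", SERVERLESS)):
        match = pattern.match(url)
        if match is None:
            continue
        parts = match.groupdict()
        query = parts.pop("query") or ""
        for pair in (query.split("&") if query else []):
            key = pair.split("=", 1)[0].lower()
            if key in CREDENTIAL_KEYS:
                raise ValueError(f"credential property {key!r} must be a connection "
                                 "property, not part of the URL")
        port = int(parts["port"])
        if not 1 <= port <= 65535:
            raise ValueError(f"port {port} out of range")
        parts["port"] = port
        parts["kind"] = kind
        return parts
    raise ValueError("URL does not match a Redshift provisioned or Serverless IAM endpoint")


def is_valid_iam_jdbc_url(url: str) -> bool:
    """Boolean convenience wrapper around parse_iam_jdbc_url."""
    try:
        parse_iam_jdbc_url(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in (
        "jdbc:redshift:iam://test1.12345abcdefg.us-east-1.redshift.amazonaws.com:5439/dev",
        "jdbc:redshift:iam://default.123456789012.us-east-1.redshift-serverless.amazonaws.com:5439/dev",
        # Constructed mistakes: doubled port, and a secret key placed in the URL.
        "jdbc:redshift:iam://default.123456789012.us-east-1.redshift-serverless.amazonaws.com:5439:5439/dev",
        "jdbc:redshift:iam://test1.12345abcdefg.us-east-1.redshift.amazonaws.com:5439/dev?SecretAccessKey=xyz",
    ):
        try:
            print("ok   ", parse_iam_jdbc_url(candidate))
        except ValueError as err:
            print("reject", candidate, "->", err)
```

The parser deliberately does not try to repair a URL: a doubled port or a misspelled host suffix usually means the endpoint was copied from the wrong console page, and the right fix is to copy it again rather than to guess.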

## Getting started with identity and authorization propagation to Redshift Spectrum
<a name="authorization-fas-spectrum-getting-started"></a>

To pass a federated identity to query external tables, you set `SESSION` as the value for the `IAM_ROLE` query parameter of `CREATE EXTERNAL SCHEMA`. The following steps show how to set up and leverage `SESSION` to authorize queries on the external schema.

1. Create local tables and external tables. External tables catalogued with AWS Glue work for this. 

1. Connect to Amazon Redshift with your IAM identity. As mentioned in the previous section, when the identity first connects to Amazon Redshift, a matching Redshift database user is created if one doesn't already exist. If the user is new, the administrator must grant them permissions to perform tasks in Amazon Redshift, like querying and creating tables. 

1. Connect to Redshift with your admin account. Run the command to create an external schema, using the `SESSION` value. 

   ```
   create external schema spectrum_schema from data catalog
   database '<my_external_database>' 
   region '<my_region>'
   iam_role 'SESSION'
   catalog_id '<my_catalog_id>';
   ```

   Note that `catalog_id` is set in this case. This is a new setting added with the feature, because `SESSION` replaces a specific role.

   The same statement with realistic sample values:

   ```
   create external schema spectrum_schema from data catalog
   database 'spectrum_db' 
   region 'us-east-1'
   iam_role 'SESSION'
   catalog_id '123456789012';
   ```

   The `catalog_id` value in this case is your AWS account ID.

1. Run queries to access your external data, using the IAM identity you connected with in step 2. For example:

   ```
   select * from spectrum_schema.table1;
   ```

   In this case, `table1` can be, for example, JSON-formatted data in a file, in an Amazon S3 bucket.

1. If you already have an external schema that uses a cluster-attached IAM role, pointing to your external database or schema, you can either replace the existing schema and use a federated identity as detailed in these steps, or create a new one.

`SESSION` indicates that the federated identity's credentials are used to query the external schema. When you use the `SESSION` value, make sure you set `catalog_id`: it's required because it identifies the data catalog used for the schema, whereas previously `catalog_id` was retrieved from the value assigned to `iam_role`. When you propagate identity and authorization this way, for instance to Redshift Spectrum, by using federated credentials to query an external schema, authorization by means of a cluster-attached IAM role isn't required. 

### Usage notes
<a name="authorization-fas-access-usage-notes"></a>

A common connection error is the following: *IAM error retrieving temp credentials: Unable to unmarshall exception response with the unmarshallers provided*. This error is a result of having a legacy JDBC driver. The minimum driver version required for federated identity is 2.1.0.9. You can get the JDBC driver from [Download the Amazon Redshift JDBC driver, version 2.x](https://docs.aws.amazon.com/redshift/latest/mgmt/jdbc20-download-driver.html). 

### Additional resources
<a name="authorization-fas-spectrum-resources"></a>

These links provide additional information for managing access to external data.
+ You can still access Redshift Spectrum data using an IAM role. For more information, see [Authorizing Amazon Redshift to access AWS services on your behalf](authorizing-redshift-service.md).
+ When you manage access to external tables with AWS Lake Formation, you can query them using Redshift Spectrum with federated IAM identities. You no longer have to manage cluster-attached IAM roles for Redshift Spectrum to query data registered with AWS Lake Formation. For more information, see [Using AWS Lake Formation with Amazon Redshift Spectrum](https://docs.aws.amazon.com/lake-formation/latest/dg/RSPC-lf.html).