

# Trusted identity propagation with Amazon Redshift


The steps to enable trusted identity propagation depend on whether your users interact with AWS managed applications or customer managed applications. The following diagram shows a trusted identity propagation configuration for client-facing applications - either AWS managed or external to AWS - that query Amazon Redshift data with access control provided either by Amazon Redshift or by authorization services, such as AWS Lake Formation or Amazon S3 Access Grants.

![Diagram of trusted identity propagation using Amazon Redshift, Quick, Lake Formation, and IAM Identity Center](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/rs-tip-diagram.png)


When trusted identity propagation to Amazon Redshift is enabled, Redshift administrators can configure Redshift to [automatically create roles](https://docs.aws.amazon.com//redshift/latest/mgmt/redshift-iam-access-control-sso-autocreate.html) for IAM Identity Center as the identity provider, map Redshift roles to groups in IAM Identity Center, and use [Redshift role-based access control to grant access](https://docs.aws.amazon.com//redshift/latest/dg/r_tutorial-RBAC.html).

## Supported client-facing applications


**AWS managed applications**  
The following AWS managed client-facing applications support trusted identity propagation to Amazon Redshift:
+ [Amazon Redshift Query Editor V2](setting-up-tip-redshift.md)
+ [Quick](https://docs.aws.amazon.com//quicksight/latest/user/redshift-trusted-identity-propagation.html)

**Note**  
If you are using Amazon Redshift Spectrum to access external databases or tables in AWS Glue Data Catalog, consider setting up [Lake Formation](tip-tutorial-lf.md) and [Amazon S3 Access Grants](tip-tutorial-s3.md) to provide fine-grained access control.

**Customer managed applications**  
The following customer managed applications support trusted identity propagation to Amazon Redshift:
+ **Tableau** including Tableau Desktop, Tableau Server, and Tableau Prep
  + To enable trusted identity propagation for users of Tableau, refer to [Integrate Tableau and Okta with Amazon Redshift using IAM Identity Center](https://aws.amazon.com/blogs//big-data/integrate-tableau-and-okta-with-amazon-redshift-using-aws-iam-identity-center/) in the *AWS Big Data Blog*.
+ **SQL Clients** (DBeaver and DBVisualizer)
  + To enable trusted identity propagation for users of SQL Clients (DBeaver and DBVisualizer), refer to [Integrate Identity Provider (IdP) with Amazon Redshift Query Editor V2 and SQL Client using IAM Identity Center for seamless Single Sign-On](https://aws.amazon.com/blogs//big-data/integrate-identity-provider-idp-with-amazon-redshift-query-editor-v2-and-sql-client-using-aws-iam-identity-center-for-seamless-single-sign-on/) in the *AWS Big Data Blog*.

# Setting up trusted identity propagation with Amazon Redshift Query Editor V2

The following procedure walks you through how to achieve trusted identity propagation from Amazon Redshift Query Editor V2 to Amazon Redshift.

## Prerequisites


Before you can get started with this tutorial, you'll need to set up the following:

1. [Enable IAM Identity Center](enable-identity-center.md). [Organization instance](organization-instances-identity-center.md) is recommended. For more information, see [Prerequisites and considerations](trustedidentitypropagation-overall-prerequisites.md).

1. [Provision the users and groups from your source of identities into IAM Identity Center](tutorials.md).

Enabling trusted identity propagation includes tasks performed by an IAM Identity Center administrator in the IAM Identity Center console and tasks performed by an Amazon Redshift administrator in the Amazon Redshift console. 

## Tasks performed by the IAM Identity Center administrator


The following tasks need to be completed by the IAM Identity Center administrator:

1. **Create an [IAM role](https://docs.aws.amazon.com//IAM/latest/UserGuide/id_roles.html)** in the account where the Amazon Redshift cluster or Serverless instance exists with the following permission policy. For more information, see [IAM Role creation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html).

   1. The following policy example includes the permissions necessary to complete this tutorial. To use this policy, replace the *italicized placeholder text* in the example policy with your own information. For additional directions, see [Create a policy](https://docs.aws.amazon.com//IAM/latest/UserGuide/access_policies_create.html) or [Edit a policy](https://docs.aws.amazon.com//IAM/latest/UserGuide/access_policies_manage-edit.html).

     **Permission policy:**

     ```json
     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Sid": "AllowRedshiftApplication",
                 "Effect": "Allow",
                 "Action": [
                     "redshift:DescribeQev2IdcApplications",
                     "redshift-serverless:ListNamespaces",
                     "redshift-serverless:ListWorkgroups",
                     "redshift-serverless:GetWorkgroup"
                 ],
                 "Resource": "*"
             },
             {
                 "Sid": "AllowIDCPermissions",
                 "Effect": "Allow",
                 "Action": [
                     "sso:DescribeApplication",
                     "sso:DescribeInstance"
                 ],
                 "Resource": [
                     "arn:aws:sso:::instance/Your-IAM-Identity-Center-Instance-ID",
                     "arn:aws:sso::111122223333:application/Your-IAM-Identity-Center-Instance-ID/*"
                 ]
             }
         ]
     }
     ```


     **Trust policy:**

     ```json
     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Effect": "Allow",
                 "Principal": {
                     "Service": [
                         "redshift-serverless.amazonaws.com",
                         "redshift.amazonaws.com"
                     ]
                 },
                 "Action": [
                     "sts:AssumeRole",
                     "sts:SetContext"
                 ]
             }
         ]
     }
     ```


1. **Create a permission set** in the AWS Organizations management account where IAM Identity Center is enabled. You’ll use it in the next step to allow federated users to access Redshift Query Editor V2.

   1. Go to the **IAM Identity Center** console, under **Multi-Account permissions**, choose **Permission sets**.

   1. Choose **Create permission set**.

   1. Choose **Custom permission set** and then choose **Next**.

   1. Under **AWS managed policies**, choose **`AmazonRedshiftQueryEditorV2ReadSharing`**.

   1. Under **Inline policy**, add the following policy:

      ```json
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "Statement1",
                  "Effect": "Allow",
                  "Action": [
                      "redshift:DescribeQev2IdcApplications",
                      "redshift-serverless:ListNamespaces",
                      "redshift-serverless:ListWorkgroups",
                      "redshift-serverless:GetWorkgroup"
                  ],
                  "Resource": "*"
              }
          ]
      }
      ```


   1. Choose **Next** and then provide a name for the permission set. For example, **Redshift-Query-Editor-V2**.

   1. Under **Relay state – optional**, set default relay state to the Query Editor V2 URL, using the format: `https://your-region.console.aws.amazon.com/sqlworkbench/home`.

   1. Review the settings and choose **Create**.

   1. Navigate to the IAM Identity Center Dashboard and copy the AWS access portal URL from the **Settings summary** section.  
![Step i, Copy AWS access portal URL from IAM Identity Center console.](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/setting-up-redshift-step-i.png)

   1. Open a new incognito browser window and paste the URL.

      This takes you to your AWS access portal, which ensures that you sign in as an IAM Identity Center user rather than with the credentials already cached in your regular browser session.  
![Step j, Sign in to AWS access portal.](http://docs.aws.amazon.com/singlesignon/latest/userguide/images/setting-up-redshift-step-j.png)

      For more information about permission sets, see [Manage AWS accounts with permission sets](permissionsetsconcept.md).

1. **Enable federated users access to Redshift Query Editor V2**.

   1. In the AWS Organizations management account, open the **IAM Identity Center** console.

   1. In the navigation pane, under **Multi-account permissions**, choose **AWS accounts**.

   1. On the AWS accounts page, select the AWS account that you want to assign access to.

   1. Choose **Assign users or groups**.

   1. On the **Assign users and groups** page, choose the users or groups that you want to assign the permission set to. Then, choose **Next**.

   1. On the **Assign permission sets** page, choose the permission set you created in the previous step. Then, choose **Next**.

   1. On the **Review and submit assignments** page, review your selections and choose **Submit**.
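Before handing the role and permission set to the Redshift administrator, it is worth checking that the policies actually carry the statements from steps 1 and 2. The following Python is an added example written for this page, not AWS tooling: it reports service-principal/action pairs missing from the trust policy, required actions missing from a permission policy, and Resource ARNs that still contain the page's placeholder text. The sample trust policy at the bottom is constructed for the example.

```python
import json

# Requirements copied from the policies shown on this page.
REQUIRED_TRUST = {(svc, act)
                  for svc in ("redshift.amazonaws.com", "redshift-serverless.amazonaws.com")
                  for act in ("sts:AssumeRole", "sts:SetContext")}
INLINE_ACTIONS = {"redshift:DescribeQev2IdcApplications", "redshift-serverless:ListNamespaces",
                  "redshift-serverless:ListWorkgroups", "redshift-serverless:GetWorkgroup"}
ROLE_ACTIONS = INLINE_ACTIONS | {"sso:DescribeApplication", "sso:DescribeInstance"}
PLACEHOLDER = "Your-IAM-Identity-Center-Instance"  # text the page tells you to replace

def _as_set(value):
    """IAM accepts a string or a list in most fields; normalise to a set of strings."""
    return set() if value is None else ({value} if isinstance(value, str) else set(value))

def _allow_statements(policy):
    return [s for s in policy.get("Statement", []) if s.get("Effect") == "Allow"]

def missing_trust_grants(trust_policy):
    """(service, action) pairs the trust policy does not grant; an empty list means OK.
    Exact match only: a wildcard Action is reported as missing, which is what you
    want for a role that a service principal assumes on users' behalf."""
    granted = set()
    for stmt in _allow_statements(trust_policy):
        principal = stmt.get("Principal")
        services = _as_set(principal.get("Service")) if isinstance(principal, dict) else set()
        granted |= {(svc, act) for svc in services for act in _as_set(stmt.get("Action"))}
    return sorted(REQUIRED_TRUST - granted)

def missing_permission_actions(policy, required=ROLE_ACTIONS):
    """Required actions that no Allow statement grants; an empty list means OK."""
    allowed = set()
    for stmt in _allow_statements(policy):
        allowed |= _as_set(stmt.get("Action"))
    return sorted(required - allowed)

def unreplaced_placeholders(policy):
    """Resource ARNs still carrying the placeholder instead of a real instance ID."""
    return sorted(r for stmt in _allow_statements(policy)
                  for r in _as_set(stmt.get("Resource")) if PLACEHOLDER in r)

# Constructed sample (not a policy from any real account): sts:SetContext is granted
# to the Serverless principal only, so the check reports the pair
# ("redshift.amazonaws.com", "sts:SetContext") as missing.
SAMPLE_TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"Service": ["redshift-serverless.amazonaws.com",
   "redshift.amazonaws.com"]}, "Action": "sts:AssumeRole"},
  {"Effect": "Allow", "Principal": {"Service": "redshift-serverless.amazonaws.com"},
   "Action": "sts:SetContext"}]}""")
```

Pass the inline policy from step 2 with `required=INLINE_ACTIONS`, since it does not need the `sso:` actions that the role's permission policy carries.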

## Tasks performed by an Amazon Redshift administrator


Enabling trusted identity propagation to Amazon Redshift requires an Amazon Redshift cluster administrator or Amazon Redshift Serverless administrator to perform a number of tasks in the Amazon Redshift console. For more information, see [Integrate Identity Provider (IdP) with Amazon Redshift Query Editor V2 and SQL Client using IAM Identity Center for seamless Single Sign-On](https://aws.amazon.com/blogs//big-data/integrate-identity-provider-idp-with-amazon-redshift-query-editor-v2-and-sql-client-using-aws-iam-identity-center-for-seamless-single-sign-on/) in the *AWS Big Data Blog*.