In this step-by-step guide, we’ll learn how to set up SSO authentication with Redshift and AWS IAM Identity Center in order to boost security and make user access easier.

Used Sources:

Terms Dictionary:

| Term | Meaning |
|---|---|
| Identity Center Account | The account where the IAM Identity Center is configured. |
| Redshift Account | The child account of the Identity Center account which contains the Redshift Cluster we want to connect to. |
| IDP | Identity Provider |

What’s Redshift?

AWS Redshift is a fully-managed data warehousing service provided by Amazon Web Services (AWS).
It is designed to handle large-scale data analytics workloads and enables organizations to analyze vast amounts of data quickly and cost-effectively.

What’s IAM Identity Center?

IAM Identity Center provides one place where you can create or connect workforce users and centrally manage their access across all their AWS accounts and applications.
You can use multi-account permissions to assign your workforce users access to AWS accounts.

Why SSO?

SSO reduces the number of attack surfaces because users only log in once each day and only use one set of credentials.
Reducing login to one set of credentials improves enterprise security. When employees have to use separate passwords for each app, they usually don’t.

Prerequisites

  1. Preconfigured IAM Identity Center → Getting started – AWS IAM Identity Center.
  2. Preconfigured Redshift Cluster with administrative access.
  3. Identity Source user & password (Okta, PingOne, etc.).
  4. JetBrains DataGrip installed (can be free tier).

Step by Step:

Configure Identity Center application

Our first step will be to create a new AWS Identity Center application in the Identity Center account to be used as the main channel between users and the Redshift cluster.

  1. In the IAM Identity Center side panel, click “Applications”.
  2. In the top right corner, click “Add application”.
  3. Check “add custom SAML 2.0 application” and click “Next”.
  4. Set an appropriate display name, we’ll call our application “Redshift-ReadOnly”, as this application will be used to gain Read-Only access to the cluster data.
  5. Download the Identity Center SAML metadata file, we’ll use it later to configure our Redshift account application.
  6. Copy the application sign-in URL as we’ll need it for later.
  7. Next, we’ll configure the SAML application ACS (Assertion Consumer Service) URL.
    Briefly, the ACS is the location that the SAML application response is sent to.

    As we’ll be using the AWS Redshift JDBC driver to connect to our Redshift cluster, we’ll need to set the application ACS to http://localhost:7890/redshift/ – as the JDBC driver starts a server listening on port 7890 by default.
  8. In order to restrict the SAML application assertion to Redshift alone, we’ll set the “Application SAML audience” field to urn:amazon:webservices:redshift.

Create Identity Provider

After creating our Redshift-ReadOnly application in the Identity Center account, we need to configure an identity provider in the Redshift account. The Redshift-ReadOnly application will use it to connect to the Redshift cluster in that account.

  1. In the IAM Dashboard side panel of your Redshift account, click Identity Providers.
  2. In the top right corner, click “Add provider”.
  3. Fill in the details for the new IDP:
    1. Set the “Provider name” to Redshift-ReadOnly (same as our previously configured application).
    2. Upload the metadata file we downloaded during the configuration process of our IAM Identity Center application.
       Click “Add provider” and finish.
  4. Go to the IDP description page and copy the IDP ARN, we’ll use it later on.

Create IAM Role & Policy

Now that we’ve created the Identity Provider to be used by our IAM Identity Center application, we can create the role that will be used to connect to the Redshift cluster itself.

  1. In the IAM Dashboard side panel of your Redshift account, click Roles.
  2. In the top right corner, click “Create Role”.
  3. Create a trusted entity of type SAML 2.0 federation and set the following:
    1. Set the IDP to the “Redshift-ReadOnly” IDP we created earlier.
    2. Check the “Allow programmatic access only” radio button and set:
      Attribute: “SAML:aud” → setting which audience can assume this role.
      Value: “http://localhost:7890/redshift/” → Setting the audience to our local Redshift JDBC driver server (as explained in the first section).
      Click “Next”.
  4. Click “Create policy” and a new tab will open.
  5. Select “JSON”.
  6. In the Policy editor panel, paste the following policy statement and edit the following values in the “Resource” scope to match your own: <region>, <account>, <clusterName>. The dbgroup resource must name the Redshift group that users will join (readonly in this guide).

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "redshift:CreateClusterUser",
                    "redshift:JoinGroup",
                    "redshift:GetClusterCredentials",
                    "redshift:ListSchemas",
                    "redshift:ListTables",
                    "redshift:ListDatabases",
                    "redshift:ExecuteQuery",
                    "redshift:FetchResults",
                    "redshift:CancelQuery",
                    "redshift:DescribeClusters",
                    "redshift:DescribeQuery",
                    "redshift:DescribeTable"
                ],
                "Resource": [
                    "arn:aws:redshift:<region>:<account>:cluster:<clusterName>",
                    "arn:aws:redshift:<region>:<account>:dbuser:<clusterName>/${redshift:DbUser}",
                    "arn:aws:redshift:<region>:<account>:dbname:<clusterName>/${redshift:DbName}",
                    "arn:aws:redshift:<region>:<account>:dbgroup:<clusterName>/readonly"
                ]
            }
        ]
    }

  7. Name the policy “Redshift-ReadOnly-policy” and click “Create policy”.
  8. Go back to the origin tab where we started creating our IAM role
    → click refresh → type “Redshift-ReadOnly-policy” in the search-bar → check the “Redshift-ReadOnly-policy” policy → click “Next”.
  9. Name the role “Redshift-ReadOnly-role” and click “Create role” in the lower right corner.
  10. Now that we’ve created the IAM role, go to its description page and copy the role ARN, we’ll use it later on.

Configure the IAM Identity Center Application Attributes

For our application to work against Redshift, we need to configure some application attributes that tell it how to connect to the cluster.

  1. In the IAM Identity Center, go to the Applications panel and choose the application we created earlier.
  2. Assign the users and groups you’d like to have permissions to this application → Assign user access to applications in the IAM Identity Center console – AWS IAM Identity Center (successor to AWS Single Sign-On).
  3. Click “attribute mappings”.
  4. Set the attributes according to the following table and replace the <role_arn> & <idp_arn> placeholders with the ARNs you copied in the previous steps:

| Attribute | Value | Explanation |
|---|---|---|
| Subject (default attribute) | ${user:email} | The subject used. |
| https://aws.amazon.com/SAML/Attributes/RoleSessionName | ${user:email} | The session name created against the cluster. |
| https://redshift.amazon.com/SAML/Attributes/AutoCreate | true | Configure the application to create the Redshift user automatically on authentication. |
| https://aws.amazon.com/SAML/Attributes/Role | <role_arn>,<idp_arn> | The IAM role and IDP to be used to connect to Redshift. |
| https://redshift.amazon.com/SAML/Attributes/DbUser | ${user:email} | The DB User name to create. |
| https://redshift.amazon.com/SAML/Attributes/DbGroups | readonly | The DB Group to assign the newly created user to. |

Click “Save changes”.
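The role can only place a user in a database group if its policy allows redshift:JoinGroup on that group's dbgroup ARN, so the group named in the DbGroups attribute has to appear in the policy's “Resource” list. The check below is an added example, not part of the original guide: it lints a constructed policy (the region, account ID and cluster name are made up) against the DbGroups values, using exact-name matching only.

```python
import json

# Constructed policy in the guide's shape; region, account and cluster are made up.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Action": ["redshift:GetClusterCredentials", "redshift:CreateClusterUser",
             "redshift:JoinGroup"],
  "Resource": [
    "arn:aws:redshift:eu-west-1:111122223333:cluster:analytics",
    "arn:aws:redshift:eu-west-1:111122223333:dbuser:analytics/${redshift:DbUser}",
    "arn:aws:redshift:eu-west-1:111122223333:dbgroup:analytics/bi_users_group"]}]}
""")

def as_list(value):
    return value if isinstance(value, list) else [value]

def joinable_groups(policy, cluster):
    """Group names (or patterns) on which the policy allows redshift:JoinGroup."""
    groups = set()
    for stmt in as_list(policy["Statement"]):
        actions = {a.lower() for a in as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow":
            continue
        if not actions & {"redshift:joingroup", "redshift:*", "*"}:
            continue
        for arn in as_list(stmt.get("Resource", [])):
            parts = arn.split(":", 6)  # arn:aws:redshift:region:acct:type:rest
            if arn == "*":
                groups.add("*")
            elif len(parts) == 7 and parts[5] == "dbgroup":
                arn_cluster, _, group = parts[6].partition("/")
                if arn_cluster in (cluster, "*"):
                    groups.add(group)
    return groups

def lint(policy, cluster, db_groups):
    """Compare the policy with the DbGroups values sent in the SAML assertion."""
    allowed = joinable_groups(policy, cluster)
    findings = [f"DbGroups value '{g}' has no matching dbgroup resource"
                for g in db_groups if g not in allowed and "*" not in allowed]
    findings += [f"dbgroup resource '{g}' is a wildcard: the role can join any group"
                 for g in sorted(allowed) if "*" in g]
    return findings
```

Running `lint(POLICY, "analytics", ["readonly"])` on this sample reports the mismatch between the policy's group and the mapped DbGroups value.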

Create Redshift group & Grant permissions

In this stage, we’ll configure the readonly Redshift group (as defined in the Application attributes in the previous stage) that each user will be assigned to when connecting via the application.

  1. Connect to your Redshift cluster with a privileged user (superuser).
  2. Execute the following SQL script to create the readonly group and assign it read permissions to the public schema (the default schema).
    				
    create group readonly;
    grant usage on schema public to group readonly;
    grant select on all tables in schema public to group readonly;

Configure the DataGrip client Data Source

🎉 We’re all set up and finally about to harvest our fruits! 🎉
In this step, we’ll configure a DataGrip data source that will be used as the connection between us and the Redshift cluster.

  1. Open DataGrip and create a new Redshift data source.
  2. A data source wizard will open for you to configure the connection in, set the following attributes:
    1. Name: Redshift ReadOnly SSO.
    2. Host: your Redshift server endpoint.
    3. User: your email identifier (will be used as the Redshift DB User).
    4. Password: the password you’ve configured in your Identity Source (Okta, PingOne, etc.)
    5. Database: the database you want to connect to.
    6. URL: the url will be mostly configured at this point (because of the DataGrip auto-fill), all that is left for you to do is to change the JDBC url prefix from jdbc:redshift:// to jdbc:redshift:iam://.
  3. Go to the Advanced tab and configure these three attributes:
    1. plugin_name: com.amazon.redshift.plugin.BrowserSamlCredentialsProvider – already defined, so edit it.
    2. idp_response_timeout: 60 – create a new value.
    3. login_url: <your previously copied SAML application login url> – create a new value.
  4. At the bottom of the data source configuration wizard, click “test connection”.
    Once clicked, your browser will open and display the following screen:
    [Screenshot]
    If everything is configured properly, you should see the following pop up in DataGrip:
    [Screenshot]
    Click OK.

    That’s it! Thank you for reading 🙂
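When the test connection fails, the SAML assertion delivered to http://localhost:7890/redshift/ is the first thing to inspect. The checker below is an added example, not part of the original guide. It compares an assertion with the values configured above; note that IAM evaluates the role's SAML:aud condition against the assertion's Recipient (the ACS URL), not its Audience element. The sample assertion, account ID and e-mail are constructed, and the code is a diagnostic that does not verify the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AWS = "https://aws.amazon.com/SAML/Attributes/"
RS = "https://redshift.amazon.com/SAML/Attributes/"
ACS_URL = "http://localhost:7890/redshift/"   # ACS configured in this guide
AUDIENCE = "urn:amazon:webservices:redshift"  # "Application SAML audience"

def build_sample(recipient=ACS_URL, groups="readonly"):
    """Constructed, unsigned assertion; account ID and e-mail are made up."""
    role = ("arn:aws:iam::111122223333:role/Redshift-ReadOnly-role,"
            "arn:aws:iam::111122223333:saml-provider/Redshift-ReadOnly")
    values = [(AWS + "Role", role), (AWS + "RoleSessionName", "user@example.com"),
              (RS + "DbUser", "user@example.com"), (RS + "DbGroups", groups),
              (RS + "AutoCreate", "true")]
    attrs = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
                    '</saml:AttributeValue></saml:Attribute>' for n, v in values)
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:Subject>'
            '<saml:SubjectConfirmation><saml:SubjectConfirmationData '
            f'Recipient="{recipient}"/></saml:SubjectConfirmation></saml:Subject>'
            '<saml:Conditions><saml:AudienceRestriction>'
            f'<saml:Audience>{AUDIENCE}</saml:Audience>'
            '</saml:AudienceRestriction></saml:Conditions>'
            f'<saml:AttributeStatement>{attrs}</saml:AttributeStatement>'
            '</saml:Assertion>')

def check_assertion(xml_text, expected_group="readonly"):
    """Return mismatches between an assertion and the values set in this guide."""
    root = ET.fromstring(xml_text)
    problems = []
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        problems.append("Recipient differs from ACS URL; SAML:aud condition fails")
    aud = root.find(".//saml:Audience", NS)
    if aud is None or aud.text != AUDIENCE:
        problems.append("Audience is not " + AUDIENCE)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall(".//saml:Attribute", NS)}
    for pair in attrs.get(AWS + "Role", [""]):
        kinds = sorted(arn.split(":")[5].split("/")[0]
                       for arn in pair.split(",") if arn.count(":") == 5)
        if kinds != ["role", "saml-provider"]:
            problems.append("Role must be '<role_arn>,<idp_arn>'")
    for name in ("DbUser", "AutoCreate"):
        if not attrs.get(RS + name):
            problems.append("missing attribute " + name)
    if expected_group not in attrs.get(RS + "DbGroups", []):
        problems.append("DbGroups does not include " + expected_group)
    return problems
```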