AWS re:Post을(를) 사용하면 다음에 동의하게 됩니다. AWS re:Post 이용 약관
AWS re:Postre:Post

How to Enable Redshift as an AWS Managed Application with IAM Identity Center

0

Hi there, I am trying to make Redshift accessible from AWS SSO page as a separate SSO application. We don't use any external Identity Provider and all users are managed from IAM Identity Center by user-groups with policies from the Management Account. Redshift clusters exist inside an OU. Here are the steps I did;

  1. I have done steps of Setting up Redshift as an AWS managed application with IAM Identity Center section from the guide.
  2. Then I added user-groups created from the Management Account.
  3. Integration status from IAM Identity Center connection from Redshift console shows Success
  4. As the final step, there are a couple of SQL commands to run mentioned in IAM Identity Center connection section with an order;
DROP IDENTITY PROVIDER <provider_name> [ CASCADE ]

Followed by

ALTER IDENTITY PROVIDER <idp_name> | NAMESPACE <NAMESPACE> | IAM_ROLE default |
   'arn:aws:isam::<AWS account-id-1>:role/<role-name>'|[DISABLE | ENABLE]

If it helps here is the output of describe-redshift-idc-applications cli command output

> aws redshift describe-redshift-idc-applications --profile data-uat --output json

{
    "RedshiftIdcApplications": [
        {
            "IdcInstanceArn": "arn:aws:sso:::instance/ssoins-********",
            "RedshiftIdcApplicationName": "redshift-iad--<redshift_account_id>--1",
            "RedshiftIdcApplicationArn": "arn:aws:redshift:us-east-1:-********-:redshiftidcapplication:66****-**********-*****460",
            "IdentityNamespace": "AWSIDC",
            "IdcDisplayName": "Amazon-Redshift-data-uat",
            "IamRoleArn": "arn:aws:iam::<redshift_account_id>:role/Redshift-IDC-SSO-Role",
            "IdcManagedApplicationArn": "arn:aws:sso::<management_account_id>:application/ssoins-*******/apl-******",
            "IdcOnboardStatus": "Completed",
            "AuthorizedTokenIssuerList": [],
            "ServiceIntegrations": []
        }
    ]
}

I don't know where to find this <idp_name> and <provider_name> attributes since we are only using IAM IDC. Thanks for the help

주제
분석보안, 신원 및 규정 준수
태그
아마존 RedshiftAWS IAM 자격 증명 센터
언어
English
buraktas
질문됨 5달 전620회 조회
2개 답변
0

Hi buraktas,

I don't think you need the Drop command if you didn't use an identity provider before.

Regarding the <idp_name>, I think you can choose whatever you want as name.

Can you check if you have an idp configured?

https://docs.aws.amazon.com/redshift/latest/dg/r_DESC_IDENTITY_PROVIDER.html

DESC IDENTITY PROVIDER *;

Sincerely Heiko

profile picture
HeikoMR
답변함 5달 전
0

Hi buraktas,

I looked into your issue. Please refer to this blog - https://aws.amazon.com/blogs/big-data/integrate-okta-with-amazon-redshift-query-editor-v2-using-aws-iam-identity-center-for-seamless-single-sign-on/

After you have created new Redshift IAM IDC application, Amazon Redshift database administrator needs to configure new Redshift resources to work in alignment with IAM Identity Center to make sign-in and data access easier. This is performed as part of the steps to create a provisioned cluster or a Serverless workgroup. Refer to section - Enabling IAM Identity Center integration for a new Amazon Redshift provisioned cluster or Amazon Redshift Serverless

If you have an existing provisioned cluster or serverless workgroup that you would like to enable for IAM Identity Center integration, then you can do that by running a SQL command. Refer to section - Associating an IAM Identity Center application with an existing provisioned cluster or Serverless endpoint

Let me know if you have any questions.

Thanks & Regards,

Maneesh Sharma

AWS
aws-msharma
답변함 4달 전
  • buraktas
    4달 전

    Hey Maneesh, as I mentioned in the post, we don't use any external idp so the okta example won't work in this case. IAM Identity Center itself is the default idp

  • aws-msharma
    4달 전

    Hi @buraktas, you don't need any external IdP. which step you are currently on and what is the error you are getting? Also, is it possible for you to submit a AWS support case and share with me? this will help to expedite and we can talk on this issue. Thanks.

  • aws-msharma
    4달 전

    you dont need to run drop and alter command until you have existing identity provider and want to update that. why dont you spin up a new cluster and try ?

  • buraktas
    4달 전

    Hi @aws-msharma true we don't need any external idp. I already opened a support ticket to AWS team which they need to talk with internal team since the documentation is not clear about setting it up for existing clusters. As you said, drop and alter commands are for clusters configured with existing idp. I created User Groups and IAM roles with same name as suggested from the documentation where the IAM Identity Center is managed from Management account. However, when I try to login with IAM IDC option into QEV2 it fails with "databases can't be listed". The related CaseID is "170319906701489"

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠