How to Enable Redshift as an AWS Managed Application with IAM Identity Center

0

Hi there, I am trying to make Redshift accessible from the AWS SSO page as a separate SSO application. We don't use any external Identity Provider, and all users are managed from IAM Identity Center by user groups with policies from the Management Account. Redshift clusters exist inside an OU. Here are the steps I did:

  1. I have done the steps of the Setting up Redshift as an AWS managed application with IAM Identity Center section from the guide.
  2. Then I added the user groups created from the Management Account.
  3. The integration status under IAM Identity Center connection in the Redshift console shows Success.
  4. As the final step, there are a couple of SQL commands to run, mentioned in the IAM Identity Center connection section, in this order:

    DROP IDENTITY PROVIDER <provider_name> [ CASCADE ]

Followed by

    ALTER IDENTITY PROVIDER <idp_name>
    [ NAMESPACE <namespace> ] |
    [ IAM_ROLE default | 'arn:aws:iam::<AWS account-id-1>:role/<role-name>' ] |
    [ DISABLE | ENABLE ]

If it helps, here is the output of the describe-redshift-idc-applications CLI command:

> aws redshift describe-redshift-idc-applications --profile data-uat --output json

{
    "RedshiftIdcApplications": [
        {
            "IdcInstanceArn": "arn:aws:sso:::instance/ssoins-********",
            "RedshiftIdcApplicationName": "redshift-iad--<redshift_account_id>--1",
            "RedshiftIdcApplicationArn": "arn:aws:redshift:us-east-1:-********-:redshiftidcapplication:66****-**********-*****460",
            "IdentityNamespace": "AWSIDC",
            "IdcDisplayName": "Amazon-Redshift-data-uat",
            "IamRoleArn": "arn:aws:iam::<redshift_account_id>:role/Redshift-IDC-SSO-Role",
            "IdcManagedApplicationArn": "arn:aws:sso::<management_account_id>:application/ssoins-*******/apl-******",
            "IdcOnboardStatus": "Completed",
            "AuthorizedTokenIssuerList": [],
            "ServiceIntegrations": []
        }
    ]
}

I don't know where to find these <idp_name> and <provider_name> attributes since we are only using IAM IDC. Thanks for the help.

asked 9 months ago, 1035 views
2 Answers
0

Hi buraktas,

I don't think you need the Drop command if you didn't use an identity provider before.

Regarding the <idp_name>, I think you can choose whatever you want as the name.

Can you check if you have an idp configured?

https://docs.aws.amazon.com/redshift/latest/dg/r_DESC_IDENTITY_PROVIDER.html

DESC IDENTITY PROVIDER *;

Sincerely, Heiko

HeikoMR
answered 9 months ago
  • True, I didn't use any identity provider before. Thus, I am getting ERROR: identity provider "amazon-redshift-data-uat" does not exist

  • Can you run: DESC IDENTITY PROVIDER *; ?

  • This also returns an empty list. https://docs.aws.amazon.com/redshift/latest/dg/r_SVV_IDENTITY_PROVIDERS.html

    SELECT name, type, instanceid, namespc, params, enabled 
    FROM svv_identity_providers 
    ORDER BY 1;
    
  • I get ERROR: syntax error at or near "*" Position: 47 for that query

  • It is definitely incomplete.

0

Hi buraktas,

I looked into your issue. Please refer to this blog - https://aws.amazon.com/blogs/big-data/integrate-okta-with-amazon-redshift-query-editor-v2-using-aws-iam-identity-center-for-seamless-single-sign-on/

After you have created the new Redshift IAM IDC application, the Amazon Redshift database administrator needs to configure the new Redshift resources to work in alignment with IAM Identity Center to make sign-in and data access easier. This is performed as part of the steps to create a provisioned cluster or a Serverless workgroup. Refer to the section Enabling IAM Identity Center integration for a new Amazon Redshift provisioned cluster or Amazon Redshift Serverless.

If you have an existing provisioned cluster or serverless workgroup that you would like to enable for IAM Identity Center integration, then you can do that by running a SQL command. Refer to the section Associating an IAM Identity Center application with an existing provisioned cluster or Serverless endpoint.

Let me know if you have any questions.

Thanks & Regards,

Maneesh Sharma

AWS
answered 8 months ago
  • Hey Maneesh, as I mentioned in the post, we don't use any external IdP, so the Okta example won't work in this case. IAM Identity Center itself is the default IdP.

  • Hi @buraktas, you don't need any external IdP. Which step are you currently on, and what is the error you are getting? Also, is it possible for you to submit an AWS support case and share it with me? This will help to expedite, and we can talk on this issue. Thanks.

  • You don't need to run the DROP and ALTER commands until you have an existing identity provider and want to update that. Why don't you spin up a new cluster and try?

  • Hi @aws-msharma, true, we don't need any external IdP. I already opened a support ticket with the AWS team, which they need to discuss with the internal team since the documentation is not clear about setting it up for existing clusters. As you said, the DROP and ALTER commands are for clusters configured with an existing IdP. I created User Groups and IAM roles with the same names as suggested by the documentation, where IAM Identity Center is managed from the Management account. However, when I try to log in with the IAM IDC option into QEV2, it fails with "databases can't be listed". The related CaseID is "170319906701489"
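Putting the two answers together, the sequence below is what a Redshift administrator would run on an existing cluster: first HeikoMR's check for a pre-existing identity provider (so the DROP/ALTER statements from the guide are skipped when it returns nothing), then the association with the IAM Identity Center application that the section Maneesh cites describes. This is an added example, not code from the thread or from AWS. It assumes the statements are run as a Redshift superuser on a cluster created before the IDC application existed; the CREATE IDENTITY PROVIDER ... TYPE AWSIDC statement is the form documented for that section, and the provider name, application ARN and instance/app IDs are placeholders to be replaced with the IdcManagedApplicationArn, IdentityNamespace and IamRoleArn values from your own describe-redshift-idc-applications output (the post's output shows AWSIDC and Redshift-IDC-SSO-Role).

```sql
-- 1. Check whether any identity provider is already registered on this cluster.
--    No rows means there is nothing to DROP or ALTER: those statements only
--    apply when you are updating or removing a provider that already exists,
--    which is why the post's DROP attempt fails with "does not exist".
SELECT name, type, instanceid, namespc, enabled
FROM svv_identity_providers
ORDER BY 1;

-- 2. Register the IAM Identity Center managed application on the cluster.
--    Placeholders (constructed for this example; take the real values from
--    `aws redshift describe-redshift-idc-applications`):
--      <provider_name>         any name you choose, e.g. the IdcDisplayName
--      <management_account_id> account that owns the IDC instance
--      <instance-id>, <app-id> tail of the IdcManagedApplicationArn field
--      <redshift_account_id>   account that owns the cluster (IamRoleArn field)
--    NAMESPACE must match the IdentityNamespace field (AWSIDC in the post).
CREATE IDENTITY PROVIDER "<provider_name>" TYPE AWSIDC
  NAMESPACE 'AWSIDC'
  APPLICATION_ARN 'arn:aws:sso::<management_account_id>:application/ssoins-<instance-id>/apl-<app-id>'
  IAM_ROLE 'arn:aws:iam::<redshift_account_id>:role/Redshift-IDC-SSO-Role';

-- 3. Confirm the provider is present and enabled before retrying the
--    Query Editor v2 sign-in; an empty result here means step 2 did not apply.
SELECT name, type, instanceid, namespc, enabled
FROM svv_identity_providers
ORDER BY 1;

-- 4. Only once the provider exists and needs changing: ALTER it. DISABLE is
--    reversible; DROP ... CASCADE also removes the users and roles the
--    provider created, so prefer DISABLE while troubleshooting.
-- ALTER IDENTITY PROVIDER "<provider_name>" DISABLE;
-- ALTER IDENTITY PROVIDER "<provider_name>" ENABLE;
-- DROP IDENTITY PROVIDER "<provider_name>" CASCADE;
```

The role in the IAM_ROLE clause is the one the Redshift IDC application was created with, so it must be assumable by the Redshift service and must live in the account that owns the cluster, not in the management account that owns the IDC instance; a mismatch there is a common reason the Query Editor v2 sign-in succeeds but database listing fails.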
