The issue you're facing with setting default privileges for federated (IdP) users in Amazon Redshift is due to the way Redshift handles these types of users.
In Redshift, the default privileges are typically set for specific user names, and Redshift does not automatically recognize the federated user names in the same way as native Redshift users.
The workaround you mentioned, where users execute the ALTER DEFAULT PRIVILEGES command without the FOR USER clause, is the recommended approach in this case. This will allow the users with the specified role to gain the necessary privileges, even though the admin/superuser cannot directly set the default privileges for the federated users.
Here are the steps you can follow:
- Have the federated users (with the oauth_aad:ExampleCom_Engineer role) execute the following command:
ALTER DEFAULT PRIVILEGES IN SCHEMA example_schema GRANT SELECT ON TABLES TO ROLE "oauth_aad:ExampleCom_Engineer";
This will set the default privileges for all tables created in the example_schema schema by the federated users to allow the oauth_aad:ExampleCom_Engineer role to select from those tables.
- Alternatively, you can have the federated users run the following command to grant the necessary privileges on specific tables:
GRANT SELECT ON ALL TABLES IN SCHEMA example_schema TO ROLE "oauth_aad:ExampleCom_Engineer";
This will grant the SELECT privilege on all tables in the example_schema schema to the oauth_aad:ExampleCom_Engineer role.
Unfortunately, as an admin/superuser, you cannot directly set the default privileges for federated users in Redshift due to the way Redshift handles these types of users. The best you can do is to provide the necessary guidance to the federated users and have them execute the appropriate commands to grant the required privileges.
If you need more control over the default privileges for federated users, you may want to consider exploring alternative authentication and authorization mechanisms, such as using AWS Identity and Access Management (IAM) policies to manage access to your Redshift resources.
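As an added example that is not part of the answer above, the following Redshift SQL session puts the two commands together from the point of view of the federated user who creates the tables, and then verifies the result through the Redshift system views SVV_DEFAULT_PRIVILEGES and SVV_RELATION_PRIVILEGES. The schema and role names are the ones used in the answer; the table name orders_2024 is a constructed placeholder.

```sql
-- Added example, not the answerer's code. Run as the federated user who will
-- create tables in example_schema. Role and schema names come from the answer;
-- orders_2024 is a constructed placeholder table.

-- 1. Confirm which identity this session runs as. ALTER DEFAULT PRIVILEGES
--    without a FOR USER clause applies only to objects this identity creates
--    later, so every table-creating federated user has to run it once.
SELECT current_user;

-- 2. Future tables this user creates in example_schema will grant SELECT
--    (and only SELECT) to the role, which is the least-privilege default here.
ALTER DEFAULT PRIVILEGES IN SCHEMA example_schema
    GRANT SELECT ON TABLES TO ROLE "oauth_aad:ExampleCom_Engineer";

-- 3. Tables that already exist are not covered by step 2; grant on them
--    explicitly so the role sees a consistent set of readable tables.
GRANT SELECT ON ALL TABLES IN SCHEMA example_schema
    TO ROLE "oauth_aad:ExampleCom_Engineer";

-- 4. Create a new table to check that the default from step 2 is applied.
CREATE TABLE example_schema.orders_2024 (
    order_id INT,
    amount   DECIMAL(10, 2)
);

-- 5a. Verify the default-privilege entry recorded for this owner and schema.
--     Expect one row with privilege_type SELECT and the role as grantee.
SELECT schema_name, object_type, owner_name, privilege_type,
       grantee_name, grantee_type
FROM svv_default_privileges
WHERE schema_name = 'example_schema'
  AND grantee_name = 'oauth_aad:ExampleCom_Engineer';

-- 5b. Verify the effective privilege on the new table. Expect a SELECT row
--     whose identity_name is the role (identity_type a role, not a user).
SELECT namespace_name, relation_name, privilege_type,
       identity_name, identity_type
FROM svv_relation_privileges
WHERE namespace_name = 'example_schema'
  AND relation_name = 'orders_2024';
```

The two SELECTs in step 5 are the check an administrator can run afterwards, even without being able to set the defaults themselves: if a federated user forgets step 2, their new tables will show up in SVV_RELATION_PRIVILEGES without a row for the role, and that gap is what to look for before users report access errors.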
Thanks for the response @JonQ. It would be great if the future roadmap has plans to better integrate IdP users with Redshift. In addition, I would like to read any available technical documentation to understand the precise differences between IdP users and Redshift native users.
The current docs available here don't do full justice: https://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-access-control-native-idp.html