
Connect Redshift with IAM Identity Center to give users a single sign-on experience

You can manage user and group access to Amazon Redshift data warehouses through trusted-identity propagation. This works through a connection between Redshift and AWS IAM Identity Center, which gives your users a single sign-on experience. This makes it so you can bring in users and groups from your directory and assign permissions directly to them. Subsequently, this connection supports tying in additional tools and services. To illustrate one end-to-end case, you can use an Amazon QuickSight dashboard or Amazon Redshift query editor v2 to access Redshift. Access in this case is based on IAM Identity Center groups. Redshift can determine who a user is and their group memberships. IAM Identity Center also makes it possible to connect and manage identities through a third-party identity provider (IdP) like Okta or PingOne.

After your administrator sets up the connection between Redshift and IAM Identity Center, they can configure fine-grained access based on identity-provider groups to authorize user access to data.

The benefits of Redshift integration with AWS IAM Identity Center

Using IAM Identity Center with Redshift can benefit your organization in the following ways:

  • Dashboard authors in Amazon QuickSight can connect to Redshift data sources without having to re-enter passwords or requiring an administrator to set up IAM roles with complex permissions.

  • IAM Identity Center provides a central location for your workforce users in AWS. You can create users and groups directly in IAM Identity Center or connect existing users and groups that you manage in a standards-based identity provider like Okta, PingOne, or Microsoft Entra ID (Azure AD). IAM Identity Center directs authentication to your chosen source of truth for users and groups, and it maintains a directory of users and groups for access by Redshift. For more information, see Manage your identity source and Supported identity providers in the AWS IAM Identity Center User Guide.

  • You can share one IAM Identity Center instance with multiple Redshift clusters and workgroups with a simple auto-discovery and connect capability. This makes it fast to add clusters without the extra effort of configuring the IAM Identity Center connection for each, and it ensures that all clusters and workgroups have a consistent view of users, their attributes, and groups. Note that your organization's IAM Identity Center instance must be in the same region as any Redshift datashares you're connecting to.

  • Because user identities are known and logged along with data access, it's easier for you to meet compliance regulations through auditing user access in AWS CloudTrail.

Setting up IAM Identity Center integration with Amazon Redshift

Your Amazon Redshift cluster administrator or Amazon Redshift Serverless administrator must perform several steps to configure Redshift as an IAM Identity Center enabled application. This makes it so Redshift can discover and connect to IAM Identity Center automatically to receive sign-in and user directory services. After this, when your Redshift administrator creates a cluster or workgroup, they can enable the new data warehouse to use IAM Identity Center to manage database access.

The point of enabling Redshift as an IAM Identity Center managed application is so you can control user and group permissions from within IAM Identity Center, or from a third-party identity provider that's integrated with it. When your database users sign in to a Redshift database, for example an analyst or a data scientist, it checks their groups in IAM Identity Center and these match up with role names in Redshift. In this manner, a group that defines the name for a Redshift database role can access a set of tables for sales analytics, for example. The sections that follow show how to set this up.

Prerequisites

These are the prerequisites for integrating IAM Identity Center with Amazon Redshift:

  • Account configuration – You must configure IAM Identity Center in your AWS organization's management account if you plan to have cross-account use cases, or if you use Redshift clusters in different accounts with the same IAM Identity Center instance. This includes configuring your identity source. For more information, see Getting Started, workforce identities, and supported identity providers in the AWS IAM Identity Center User Guide. You must ensure that you have created users or groups in IAM Identity Center, or synchronized users and groups from your identity source before you can assign them to data in Redshift.

    Note

    You have an option to use an account instance of IAM Identity Center, provided that Redshift and IAM Identity Center are in the same account. You can create this instance using a widget when you create and configure a Redshift cluster or workgroup.

  • Configuring a trusted token issuer – In some cases, you may need to use a trusted token issuer, which is an entity that can issue and verify trust tokens. Preliminary steps are required before the Redshift administrator who configures IAM Identity Center integration can select the trusted token issuer and add the necessary attributes to complete the configuration. These steps can include configuring an external identity provider to serve as a trusted token issuer and adding its attributes in the IAM Identity Center console. To complete them, see Using applications with a trusted token issuer.

    Note

    Setting up a trusted token issuer isn't required for all external connections. Connecting to your Redshift database with Amazon Redshift query editor v2 doesn't require trusted-token issuer configuration. But it can apply for third-party applications such as dashboards or custom applications that authenticate with your identity provider.

  • Configuring an IAM role or roles – The sections that follow mention permissions that must be configured. You will have to add permissions per IAM best practices. Specific permissions are detailed in the procedures that follow.

For more information, see Getting Started with IAM Identity Center.

Configuring your identity provider to work with IAM Identity Center

The first step in controlling user and group identity management is to connect to IAM Identity Center and configure your identity provider. You can use IAM Identity Center itself as your identity provider, or you can connect a third-party identity store, such as Okta, for instance. For more information about setting up the connection to and configuring your identity provider, see Connect to an external identity provider in the IAM Identity Center user guide. Make sure at the end of this process that you have a small collection of users and groups added to IAM Identity Center, for test purposes.

Administrative Permissions

Permissions required for Redshift/IAM Identity Center application lifecycle management

You must create an IAM identity, which a Redshift administrator uses to configure Redshift for use with IAM Identity Center. Most commonly, you would create an IAM role with permissions and assign it to other identities as required. It must have the permissions listed to perform the following actions.

Creating the Redshift/IAM Identity Center application

  • sso:PutApplicationAssignmentConfiguration – For security. Controls whether users and groups must be explicitly assigned to the application before they can use it.

  • sso:CreateApplication – Used to create an IAM Identity Center application.

  • sso:PutApplicationAuthenticationMethod – Grants Redshift authentication access.

  • sso:PutApplicationGrant – Used to change the trusted token issuer information.

  • sso:PutApplicationAccessScope – For Redshift IAM Identity Center application setup. This includes for AWS Lake Formation and for Amazon S3 Access Grants.

  • redshift:CreateRedshiftIdcApplication – Used to create the Redshift IDC application.

Describing the Redshift/IAM Identity Center application

  • sso:GetApplicationGrant – Used to list trusted token issuer information.

  • sso:ListApplicationAccessScopes – For Redshift IAM Identity Center application setup to list downstream integrations, such as for AWS Lake Formation and S3 Access Grants.

  • redshift:DescribeRedshiftIdcApplications – Used to describe existing IAM Identity Center applications.

Changing the Redshift/IAM Identity Center application

  • redshift:ModifyRedshiftIdcApplication – Used to change an existing Redshift application.

  • sso:UpdateApplication – Used to update an IAM Identity Center application.

  • sso:GetApplicationGrant – Gets the trusted token issuer information.

  • sso:ListApplicationAccessScopes – For Redshift IAM Identity Center application setup.

  • sso:DeleteApplicationGrant – Deletes the trusted token issuer information.

  • sso:PutApplicationGrant – Used to change the trusted token issuer information.

  • sso:PutApplicationAccessScope – For Redshift IAM Identity Center application setup. This includes for AWS Lake Formation and for Amazon S3 Access Grants.

  • sso:DeleteApplicationAccessScope – For deleting Redshift IAM Identity Center application setup. This includes for AWS Lake Formation and for Amazon S3 Access Grants.

Deleting the Redshift/IAM Identity Center application

  • sso:DeleteApplication – Used to delete an IAM Identity Center application.

  • redshift:DeleteRedshiftIdcApplication – Gives the ability to delete an existing Redshift IDC application.

Permissions required for Redshift/query editor v2 application lifecycle management

You must create an IAM identity, which a Redshift administrator uses to configure Redshift for use with IAM Identity Center. Most commonly, you would create an IAM role with permissions and assign it to other identities as required. It must have the permissions listed to perform the following actions.

Creating the query editor v2 application

  • redshift:CreateQev2IdcApplication – Used to create the QEV2 application.

  • sso:CreateApplication – Gives the ability to create an IAM Identity Center application.

  • sso:PutApplicationAuthenticationMethod – Grants Redshift authentication access.

  • sso:PutApplicationGrant – Used to change the trusted token issuer information.

  • sso:PutApplicationAccessScope – For Redshift IAM Identity Center application setup. This includes query editor v2.

  • sso:PutApplicationAssignmentConfiguration – For security. Controls whether users and groups must be explicitly assigned to the application before they can use it.

Describe the query editor v2 application

  • redshift:DescribeQev2IdcApplications – Used to describe the IAM Identity Center QEV2 application.

Change the query editor v2 application

  • redshift:ModifyQev2IdcApplication – Used to change the IAM Identity Center QEV2 application.

  • sso:UpdateApplication – Used to change the IAM Identity Center QEV2 application.

Delete the query editor v2 application

  • redshift:DeleteQev2IdcApplication – Used to delete the QEV2 application.

  • sso:DeleteApplication – Used to delete the QEV2 application.

Note

In the Amazon Redshift SDK, the following APIs aren’t available:

  • CreateQev2IdcApplication

  • DescribeQev2IdcApplications

  • ModifyQev2IdcApplication

  • DeleteQev2IdcApplication

These actions are specific to performing IAM Identity Center integration with Redshift QEV2 in the AWS console. For more information, see Actions defined by Amazon Redshift.

Permissions required for the database administrator to connect new resources in the console

These permissions are required to connect new provisioned clusters or Amazon Redshift Serverless workgroups during the creation process. If you have these permissions, a selection appears in the console to choose to connect to the IAM Identity Center managed application for Redshift.

  • redshift:DescribeRedshiftIdcApplications

  • sso:ListApplicationAccessScopes

  • sso:GetApplicationAccessScope

  • sso:GetApplicationGrant

As a best practice, we recommend attaching permissions policies to an IAM role and then assigning it to users and groups as needed. For more information, see Identity and access management in Amazon Redshift.

Setting up Redshift as an AWS managed application with IAM Identity Center

Before IAM Identity Center can manage identities for an Amazon Redshift provisioned cluster or an Amazon Redshift Serverless workgroup, the Redshift administrator must complete the steps to make Redshift an IAM Identity Center managed application:

  1. Select IAM Identity Center integration in the Amazon Redshift or Amazon Redshift Serverless console menu, and then select Connect to IAM Identity Center. From there you step through a series of selections to populate the properties for IAM Identity Center integration.

  2. Choose a display name and a unique name for Redshift's IDC managed application.

  3. Specify the namespace for your organization. This is typically an abbreviated version of your organization's name. It's added as a prefix for your IDC-managed users and roles in the Redshift database.

  4. Select an IAM role to use. This IAM role should be separate from others used for Redshift, and we recommend that it isn't used for other purposes. The specific policy permissions required are the following:

    • sso:DescribeApplication – Required to create an identity provider (IdP) entry in the catalog.

    • sso:DescribeInstance – Used to manually create IdP federated roles or users.

  5. Configure client connections and trusted token issuers. Configuring trusted token issuers facilitates trusted identity propagation by setting up a relationship with an external identity provider. Identity propagation makes it possible for a user, for example, to sign into one application and access specific data in another application. This allows users to gather data from disparate locations more seamlessly. At this step, in the console, you set attributes for each trusted token issuer. The attributes include the name and the audience claim (or aud claim), which you might have to get from the tool's or service's configuration attributes. You might also need to supply the application name from the third-party tool's JSON Web Token (JWT).

    Note

    The aud claim required from each third-party tool or service can vary, based on the token type, which can be an access token issued by an identity provider, or another type, like an ID token. Each vendor can be different. When you’re implementing trusted-identity propagation and integrating with Redshift, it’s required to supply the correct aud value for the token type that the third-party tool sends to AWS. Check the recommendations of your tool or service vendor.

    For detailed information regarding trusted-identity propagation, see How trusted identity propagation works. Also, refer to the beta documentation for IAM Identity Center that accompanies this documentation.

After the Redshift administrator finishes the steps and saves the configuration, the IAM Identity Center properties appear in the Redshift console. You can also query the system view SVV_IDENTITY_PROVIDERS to verify the application's properties. These include the application name and the namespace. You use the namespace as a prefix for Redshift database objects that are associated with the application. Completing these tasks makes Redshift an IAM Identity Center enabled application. The properties in the console include the integration status. It says Enabled when the integration is completed. After this process, IAM Identity Center integration can be enabled on each new cluster.

After configuration, you can include users and groups from IAM Identity Center in Redshift by choosing the Users or Groups tab and choosing Assign.

Enabling IAM Identity Center integration for a new Amazon Redshift cluster or Amazon Redshift Serverless workgroup

Your database administrator configures new Redshift resources to work in alignment with IAM Identity Center to make sign-in and data access easier. This is performed as part of the steps to create a provisioned cluster or a Serverless workgroup. Anyone with permissions to create Redshift resources can perform these IAM Identity Center integration tasks. When you create a provisioned cluster, you start by choosing Create Cluster in the Amazon Redshift console. The steps that follow show how to enable IAM Identity Center management for a database. (It doesn't include all of the steps to create a cluster.)

  1. Choose Enable for <your cluster name> in the section for IAM Identity Center integration in the create-cluster steps.

  2. There's a step in the process when you enable integration. You do this by choosing Enable IAM Identity Center integration in the console.

  3. For the new cluster or workgroup, create database roles in Redshift using SQL commands. The following is the command:

    CREATE ROLE <idcnamespace:rolename>;

    The namespace and role name are the following:

    • IAM Identity Center namespace prefix – This is the namespace you defined when you set up the connection between IAM Identity Center and Redshift.

    • Role name – This Redshift database role must match the group name in IAM Identity Center.

    Redshift connects with IAM Identity Center and fetches the information needed to create and map the database role to the IAM Identity Center group.

Note that when a new data warehouse is created, the IAM role specified for IDC integration is automatically attached to the provisioned cluster or Amazon Redshift Serverless workgroup. After you finish entering the required cluster metadata and create the resource, you can check the status for IAM Identity Center integration in the properties. If your group names in IAM Identity Center have spaces, it's required to use quotes in SQL when you create the matching role.
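The role-naming rule above (namespace prefix, a colon, then the IAM Identity Center group name, quoted when the group name has spaces) is easy to get wrong by hand across many groups. The following is an added example, not code from the Amazon Redshift documentation, that generates the CREATE ROLE and GRANT USAGE statements for a list of groups and refuses malformed input; the namespace pattern and the sample group names are assumptions.

```python
"""Added example: generate the CREATE ROLE and GRANT USAGE statements that map
IAM Identity Center groups to namespace-prefixed Redshift database roles."""
import re

# Assumed shape for the namespace prefix chosen at setup time (e.g. "MYCO").
NAMESPACE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def quote_ident(name: str) -> str:
    """Double-quote a Redshift identifier, doubling any embedded double quote.

    Quoting is what keeps a role such as MYCO:Sales Analysts (a group name
    with spaces) or MYCO:sales (a name containing a colon) intact in SQL.
    """
    return '"' + name.replace('"', '""') + '"'


def role_name(namespace: str, group: str) -> str:
    """Return <namespace>:<group> verbatim; the role must match the IdC group name."""
    if not NAMESPACE_RE.match(namespace):
        raise ValueError(f"invalid namespace prefix: {namespace!r}")
    if not group or group != group.strip():
        raise ValueError(f"group name is empty or padded with whitespace: {group!r}")
    return f"{namespace}:{group}"


def create_role_statements(namespace: str, groups) -> list:
    """One CREATE ROLE per IdC group; a repeated group is a configuration error."""
    seen = set()
    statements = []
    for group in groups:
        role = role_name(namespace, group)
        if role in seen:
            raise ValueError(f"duplicate group name: {group!r}")
        seen.add(role)
        statements.append(f"CREATE ROLE {quote_ident(role)};")
    return statements


def grant_usage_statements(namespace: str, group: str, schemas=(), databases=()) -> list:
    """GRANT USAGE on external schemas and databases to the group's role."""
    role = quote_ident(role_name(namespace, group))
    statements = [f"GRANT USAGE ON SCHEMA {quote_ident(s)} TO {role};" for s in schemas]
    statements += [f"GRANT USAGE ON DATABASE {quote_ident(d)} TO {role};" for d in databases]
    return statements


if __name__ == "__main__":
    # Constructed sample groups, not taken from any real directory.
    for stmt in create_role_statements("MYCO", ["sales", "Sales Analysts"]):
        print(stmt)
    for stmt in grant_usage_statements("MYCO", "sales", schemas=["my_external_schema"]):
        print(stmt)
```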

After you enable the Redshift database and create roles, you are ready to connect to the database with Amazon Redshift query editor v2 or Amazon QuickSight. The details are explained further in sections that follow.

Setting up the default RedshiftIdcApplication using the API

Setup is performed by your identity administrator. Using the API, you create and populate a RedshiftIdcApplication, which represents the Redshift application within IAM Identity Center.

  1. To start, you can create users and add them to groups in IAM Identity Center. You do this in the AWS console for IAM Identity Center (IDC).

  2. Call create-redshift-idc-application to create an IDC application and make it compatible with Redshift usage. You create the application by populating the required values. The display name is the name to display on the IDC dashboard. The IAM role ARN is an ARN that has permissions to IAM Identity Center and is also assumable by Redshift.

    aws redshift create-redshift-idc-application --idc-instance-arn 'arn:aws:sso:::instance/ssoins-1234a01a1b12345d' --identity-namespace 'MYCO' --idc-display-name 'TEST-NEW-APPLICATION' --iam-role-arn 'arn:aws:redshift:us-east-1:012345678901:role/TestRedshiftRole' --redshift-idc-application-name 'myredshiftidcapplication'

    The following example shows a sample RedshiftIdcApplication response that's returned from the call to create-redshift-idc-application.

    "RedshiftIdcApplication": {
        "IdcInstanceArn": "arn:aws:sso:::instance/ssoins-1234a01a1b12345d",
        "RedshiftIdcApplicationName": "test-application-1",
        "RedshiftIdcApplicationArn": "arn:aws:redshift:us-east-1:012345678901:redshiftidcapplication:12aaa111-3ab2-3ab1-8e90-b2d72aea588b",
        "IdentityNamespace": "MYCO",
        "IdcDisplayName": "Redshift-Idc-Application",
        "IamRoleArn": "arn:aws:redshift:us-east-1:012345678901:role/TestRedshiftRole",
        "IdcManagedApplicationArn": "arn:aws:sso::012345678901:application/ssoins-1234a01a1b12345d/apl-12345678910",
        "IdcOnboardStatus": "Completed",
        "AuthorizedTokenIssuerList": [
            {
                "TrustedTokenIssuerArn": ...,
                "AuthorizedAudiencesList": [...]
            },
            ...
        ]
    }

  3. You can use create-application-assignment to assign particular groups or individual users to the managed application in IAM Identity Center. By doing this, you can specify groups to manage through IAM Identity Center. If the database administrator creates database roles in Redshift, group names in IAM Identity Center map to the role names in Redshift. The roles control permissions in the database. For more information, see Assign user access to applications in the IAM Identity Center console.

  4. After you enable the application, call create-cluster and include the Redshift managed application ARN from IAM Identity Center. Doing this associates the cluster with the managed application in IAM Identity Center.

Associating an IAM Identity Center application with an existing cluster or workgroup

If you have an existing cluster or workgroup that you would like to enable for IAM Identity Center integration, you can do it by running a SQL command. You run the following command to enable integration. It's required that a database administrator run the query and that the connection between Redshift and IAM Identity Center has already been set up. When you set ENABLE, it enables IAM Identity Center to provide identity management for the cluster or workgroup.

ALTER IDENTITY PROVIDER <idp_name>
    [ NAMESPACE <namespace> ]
    [ IAM_ROLE default | 'arn:aws:iam::<AWS account-id-1>:role/<role-name>' ]
    [ DISABLE | ENABLE ]

You can drop an existing identity provider. The following example shows how CASCADE deletes users and roles attached to the identity provider.

DROP IDENTITY PROVIDER <provider_name> [ CASCADE ]

Setting up user permissions

An administrator configures permissions to various resources, based on users' identity attributes and group memberships, within their identity provider or within IAM Identity Center directly. For example, the identity-provider administrator can add a database engineer to a group appropriate to their role. This group name maps to a Redshift database role name. The role provides or restricts access to specific tables or views in Redshift.

Administrator personas for connecting applications

The following are personas that are key to connecting analytics applications to the IAM Identity Center managed application for Redshift:

  • Application administrator – Creates an application and configures which services it will enable identity-token exchanges with. This administrator also specifies which users or groups have access to the application.

  • Data administrator – Configures fine-grained access to data. Users and groups in IAM Identity Center can map to specific permissions.

Connecting to Amazon Redshift with IAM Identity Center through Amazon QuickSight

The following shows how to use Amazon QuickSight to authenticate with Redshift when Redshift is connected to IAM Identity Center and access is managed through it: Authorizing connections from Amazon QuickSight to Amazon Redshift clusters. These steps apply to Amazon Redshift Serverless too.

Connecting to Amazon Redshift with IAM Identity Center through Amazon Redshift query editor v2

Upon completing the steps to set up an IAM Identity Center connection with Redshift, the user can access the database and appropriate objects in the database through their IAM Identity Center-based, namespace-prefixed identity. For more information about connecting to Redshift databases with query editor v2 sign-in, see Working with query editor v2.

Querying data through AWS Lake Formation

Using AWS Lake Formation makes it easier to centrally govern and secure your data lake, and to provide data access. Configuring identity propagation to Lake Formation through IAM Identity Center and Redshift makes it so an administrator can allow fine-grained access to an Amazon S3 data lake, based on the organization's identity-provider (IdP) groups. These groups are managed through IAM Identity Center. This section shows how to configure two use cases, querying from a data lake and querying from a data share, that demonstrate how to use IAM Identity Center with Redshift to connect to Lake Formation-governed resources.

Using an IAM Identity Center and Redshift connection to query a data lake

These steps cover a use case where you use IAM Identity Center connected to Redshift to query a data lake that's governed by Lake Formation.

Prerequisites

This procedure has several prerequisite steps:

  1. IAM Identity Center must be set up to support authentication and identity management with Redshift. You can enable IAM Identity Center from the console and select an identity-provider (IdP) source. After this, synchronize a set of your IdP users with IAM Identity Center. You must also set up a connection between IAM Identity Center and Redshift, following the steps detailed previously in this document.

  2. Create a new Amazon Redshift cluster and enable identity management through IAM Identity Center in the configuration steps.

  3. Create a managed IAM Identity Center application for Lake Formation and configure it. This follows setting up the connection between IAM Identity Center and Redshift. The steps are the following:

    1. In the AWS CLI, use the modify-redshift-idc-application command to enable the Lake Formation service integration with the IAM Identity Center managed application for Redshift. This call includes the service-integrations parameter, which is set to a configuration string value that enables authorization to Lake Formation.

    2. Configure Lake Formation by using the create-lake-formation-identity-center-configuration command. This creates an IAM Identity Center application for Lake Formation, which is visible in the IAM Identity Center portal. The administrator must set the --cli-input-json argument, whose value is the path to a JSON file that uses the standard format for all AWS CLI API calls. You must include values for the following:

      • CatalogId – The Lake Formation catalog ID.

      • InstanceArn – The IAM Identity Center instance ARN value.

After the administrator completes the prerequisite configuration, the database administrator can create an external schema for the purpose of querying the data lake.

  1. The administrator creates the external schema – The Redshift database administrator connects to the database and creates an external schema, using the following SQL statement:

    CREATE EXTERNAL SCHEMA if not exists my_external_schema from DATA CATALOG database 'my_lf_integrated_db' catalog_id '12345678901234';

    Note that specifying an IAM role isn't required in this case, because access is managed through IAM Identity Center.

  2. The administrator grants permissions – The administrator grants usage to an IAM Identity Center group, which grants permissions on Redshift resources. This is done by running a SQL statement like the following:

    GRANT USAGE ON SCHEMA "my_external_schema" to "MYCO:sales";

    Subsequently, the administrator grants Lake Formation permissions on objects, based on requirements for the organization, using the AWS CLI:

    aws lakeformation grant-permissions ...

  3. Users run queries – At this point, an IAM Identity Center user that's part of the sales group, for illustration purposes, can log in via query editor v2 to the Redshift database. Then they can run a query that accesses a table in the external schema, like the following sample:

    SELECT * from my_external_schema.table1;

Using an IAM Identity Center and Redshift connection to connect to a datashare

You can access a datashare from a different Redshift data warehouse when access is managed through IAM Identity Center. To do this, you run a query to set up an external database. Prior to completing these steps, it's assumed that you have a connection set up between Redshift and IAM Identity Center, and you've created the AWS Lake Formation application, as detailed in the previous procedure.

  1. Creating the external database – The administrator creates an external database for data sharing, referencing it through its ARN. The following is a sample that shows how to do it:

    CREATE DATABASE "redshift_external_db" FROM ARN 'arn:aws:glue:us-east-1:123456789012:database/redshift_external_db-iad' WITH NO DATA CATALOG SCHEMA;

    In this use case, where you are using IAM Identity Center with Redshift for identity management, the IAM role isn't included.

  2. The admin sets up permissions – After creating a database, the administrator grants usage to an IAM Identity Center group. This grants permissions on Redshift resources:

    GRANT USAGE ON DATABASE "my_external_db" to "MYCO:sales";

    The administrator also grants Lake Formation permissions on objects, using the AWS CLI:

    aws lakeformation grant-permissions ...

  3. Users run queries – A user from the sales group can query a table in the database, based on the permissions assigned:

    select * from redshift_external_db.public.employees;

For more information about granting permissions on a data lake and granting permissions on data shares, see Granting permissions to users and groups. For more information about granting usage to a schema or to a database, see GRANT.

Integrating your application or tool with OAuth using a trusted token issuer

You can add functionality to client tools you create to connect to Redshift by means of the IAM Identity Center connection. If you already configured Redshift integration to IAM Identity Center, use the properties detailed in this section to set up a connection.

Authentication plugin for connecting to Redshift using IAM Identity Center

IdpTokenAuthPlugin provides connection properties and facilitates authentication with IAM Identity Center. It accepts an access token from IAM Identity Center or an OpenID Connect (OIDC) JSON web token (JWT) from any web identity provider linked to IAM Identity Center.

If you're using an Amazon Redshift driver, you can use IdpTokenAuthPlugin for authentication to Redshift with IAM Identity Center. (You might have to download and use the most recent Redshift driver version to ensure that the functionality is available. The drivers are detailed in the limitations section.) This plugin accepts an IAM Identity Center access token or an OIDC JWT from any web identity provider linked to IAM Identity Center. The following table details the connection options to use for successful authentication.

Driver   Connection option key   Value                                          Notes
JDBC     plugin_name             com.amazon.redshift.plugin.IdpTokenAuthPlugin  You must enter the fully-qualified class name of the plugin when you connect.
ODBC     plugin_name             IdpTokenAuthPlugin
Python   credentials_provider    IdpTokenAuthPlugin                             There is no plugin_name option available for the Python driver. Instead, use credentials_provider.

The plugin has these additional connection options:

  • token – An IAM Identity Center provided access token or an OpenID Connect (OIDC) JSON Web Token (JWT) provided by a web identity provider that's linked with IAM Identity Center. Your application must generate this token by authenticating the user of your application with IAM Identity Center or an identity provider linked with IAM Identity Center.

  • token_type – The type of token used for the IdpTokenAuthPlugin. You can specify values for the following options:

    • ACCESS_TOKEN – Provide this if you use an IAM Identity Center provided access token.

    • EXT_JWT – Provide this if you use an OpenID Connect (OIDC) JSON Web Token (JWT) provided by a web-based identity provider that's integrated with IAM Identity Center.

You must enter these values in the connection properties of the tool you create and connect with. For more information, see the connection-options documentation for each respective driver.
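The plugin options above (credentials_provider, token, token_type) are easiest to get right, and the audience-claim note earlier on this page easiest to honour, if the client validates what it is about to send. The following is an added example, not code from the Amazon Redshift documentation or drivers: it builds the Python connector's keyword arguments, rejects an unknown token_type, and for EXT_JWT reads the token's aud and exp claims so a wrong audience or expired token fails before the connection attempt. The redshift_connector argument names are an assumption based on that connector's documentation, and the sample token is constructed and unsigned; signature verification stays with IAM Identity Center and Redshift.

```python
"""Added example: client-side sanity checks before handing a token to the
IdpTokenAuthPlugin, and the resulting redshift_connector connection arguments."""
import base64
import json
import time

TOKEN_TYPES = {"ACCESS_TOKEN", "EXT_JWT"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Read the payload of a JWT without verifying its signature.

    Verification is done by IAM Identity Center and Redshift; this only lets
    the client fail early on a token that is obviously not the right one.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_ext_jwt(token: str, expected_aud: str, now: float = None) -> dict:
    """Reject a JWT whose aud lacks the audience configured on the trusted
    token issuer, or which is already expired. Returns the claims otherwise."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise ValueError(f"aud {audiences!r} does not contain {expected_aud!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token has no exp claim or is expired")
    return claims


def connection_kwargs(host, database, token, token_type, expected_aud=None, now=None):
    """Keyword arguments for redshift_connector.connect(); the argument names
    (iam, credentials_provider, token, token_type) are assumed from the
    connector's docs, not taken from this page."""
    if token_type not in TOKEN_TYPES:
        raise ValueError(f"token_type must be one of {sorted(TOKEN_TYPES)}")
    if token_type == "EXT_JWT":
        # IAM Identity Center access tokens are opaque, so only an OIDC JWT
        # from an external identity provider is inspected here.
        check_ext_jwt(token, expected_aud, now)
    return {
        "host": host,
        "database": database,
        "iam": True,
        "credentials_provider": "IdpTokenAuthPlugin",
        "token": token,
        "token_type": token_type,
    }


def make_unsigned_sample_jwt(claims: dict) -> str:
    """Constructed, unsigned sample token for offline demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    # Constructed audience and host values; replace with your tool's aud claim.
    sample = make_unsigned_sample_jwt({"aud": "redshift-app-audience", "exp": 4102444800})
    print(connection_kwargs("example.redshift.amazonaws.com", "dev", sample,
                            "EXT_JWT", expected_aud="redshift-app-audience"))
```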

Limitations

These limitations apply:

  • Plugin drivers – The IdpTokenAuthPlugin is only available through AWS Redshift drivers. The minimum required driver versions to use this functionality are the following:

    • JDBC driver – v2.1.0.19

    • ODBC driver – v2.0.0.11

    • Python connector – v2.0.915

  • Authorization grant type – The device_code authorization grant type isn't supported for generating an IAM Identity Center access token for Redshift. You can use query editor v2 if you want to use IAM Identity Center authorization and authentication directly.

  • Browser security settings – Your internet browser's security and privacy settings, particularly those that control secure cookie settings, such as Firefox's Total Cookie Protection feature, can result in blocked connection attempts from query editor v2 to your Redshift database. To remediate the issue, you can add the query editor v2 console site URL to the browser's tracking-protection exception list. To do this in Firefox, click the shield in the browser's address bar and switch the toggle to turn off tracking protection for query editor v2. In Chrome, if you are using incognito mode, click the eye icon in the address bar to allow third-party cookies for query editor v2.

  • No support for enhanced VPC – Enhanced VPC isn't supported when you configure Redshift trusted identity propagation with IAM Identity Center. For more information about enhanced VPC, see Enhanced VPC routing in Amazon Redshift.

  • Idle Amazon Redshift Serverless workgroup – When you configure integration between Amazon Redshift Serverless and IAM Identity Center, note that when the Amazon Redshift Serverless database is in an idle state, not processing any workloads, it can remain paused when you connect with an IAM Identity Center identity. To remedy this, log in with another authentication method to resume the Serverless workgroup.

  • Invalid-scope error – Following integration of a Redshift provisioned cluster or Serverless workgroup with IAM Identity Center for identity management, it's possible for a user to receive the following error when they attempt to connect to a Redshift database from query editor v2 (QEV2): Invalid scope. User credentials are not authorized to connect to Redshift. In this case, in order for query editor v2 to successfully connect and authenticate a user via IAM Identity Center to access the correct resources, an administrator must assign the user to the Redshift IAM Identity Center application through the Redshift console. (This is completed under IAM Identity Center connections.) Following this, the user can establish a successful connection after one hour, which is the limit of IAM Identity Center session caching.