...
See https://docs.aws.amazon.com/redshift/latest/mgmt/generating-user-credentials.html for a large amount of documentation on the general topic of using IAM credentials in AWS together with SAML, the drivers, and a lot of configuration glue to make all this fit together.
Prerequisite Setup
Warning: Here be Dragons!

This is where all the hard stuff is, and there's no way I can come close to documenting it all clearly or accurately. Get help from Amazon if you want to do all this safely. There is a really good chance you'll end up with a security hole if you don't know what you're doing with AWS Roles and Policies, and if you don't test exhaustively. You have been warned.
...
You need an IAM Role defined in AWS with a trust policy that is usable by that IdP, and with a policy attached that grants access to a Redshift cluster under at least some conditions. That's a "deep" topic and Amazon has extended their documentation with more examples, but a simple policy we've tested with looks like this:
Redshift IAM Policy

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "redshift:GetClusterCredentials",
      "Resource": [
        "arn:aws:redshift:*:*:dbuser:*/${saml:sub}",
        "arn:aws:redshift:*:*:dbname:*/*"
      ]
    }
  ]
}
```
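The security-relevant detail in that policy is the `${saml:sub}` in the dbuser ARN: it pins the database user a federated caller may request credentials for to their own SAML subject. Opening that resource up (for example to `dbuser:*/*`) is the kind of hole the warning above is talking about. The following script is an added example, not part of the page or the Shibboleth project; it lints a policy document for exactly that mistake. The two policy strings are constructed, the first being the page's policy verbatim.

```python
"""Lint a Redshift IAM policy for the ${saml:sub} dbuser scoping shown above.

Added example, not part of the original page: it reports every Allow statement
for redshift:GetClusterCredentials whose dbuser resource is not pinned to
${saml:sub}, since such a statement lets a federated user ask for credentials
for any database user rather than only the one matching their SAML subject.
"""
import fnmatch
import json

CREDENTIALS_ACTION = "redshift:getclustercredentials"
SAML_SUBJECT = "${saml:sub}"

# Constructed: the policy from the page, verbatim.
SAFE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": "redshift:GetClusterCredentials",
        "Resource": [
            "arn:aws:redshift:*:*:dbuser:*/${saml:sub}",
            "arn:aws:redshift:*:*:dbname:*/*",
        ],
    }],
})

# Constructed: the same policy with the dbuser resource opened up to any user.
UNSAFE_POLICY = SAFE_POLICY.replace("dbuser:*/${saml:sub}", "dbuser:*/*")


def _as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _dbuser_name(resource):
    """Return the user part of a redshift dbuser ARN, or None for other resources.

    ARN form: arn:aws:redshift:region:account:dbuser:cluster/username.  The
    username may itself contain ':' (as ${saml:sub} does), so split at most
    five times so the last field stays intact.
    """
    if resource == "*":
        return "*"
    parts = resource.split(":", 5)
    if len(parts) != 6 or not parts[5].startswith("dbuser:"):
        return None
    _, _, target = parts[5].partition("/")
    return target


def find_unscoped_dbusers(policy_json):
    """Return (Sid, resource) pairs whose dbuser grant is not tied to the SAML subject."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        # IAM action matching is case-insensitive and may use '*' wildcards.
        if not any(fnmatch.fnmatchcase(CREDENTIALS_ACTION, a) for a in actions):
            continue
        for resource in _as_list(stmt.get("Resource", [])):
            user = _dbuser_name(resource)
            if user is not None and user != SAML_SUBJECT:
                findings.append((stmt.get("Sid"), resource))
    return findings


if __name__ == "__main__":
    print("safe:  ", find_unscoped_dbusers(SAFE_POLICY))    # []
    print("unsafe:", find_unscoped_dbusers(UNSAFE_POLICY))  # one finding on VisualEditor0
```

The check only looks at Allow statements and at `Resource` (not `NotAction` or `NotResource`), which is enough for a policy of the shape above; run it over the policy JSON you actually attach to the role, not a hand-copied version.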
...
You need an IdP configured to supply the "one, big, honking" AWS SAML SP (which Amazon identifies as "urn:amazon:webservices"). You need to modify the metadata you give the IdP for this AWS SP so that the IdP believes it can respond to that SP using the ECP "PAOS" binding. Adding the following AssertionConsumerService element to that metadata is sufficient:
...
Addition to AWS SAML metadata at IdP

```xml
<md:AssertionConsumerService index="2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS" Location="https://signin.aws.amazon.com/saml"/>
```
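A quick way to confirm that the IdP's copy of the AWS metadata actually carries that element, and to add it when it does not, is shown below. This is an added example, not code from the page or the Shibboleth project; the metadata strings are constructed and much smaller than what AWS really publishes, and the `index` attribute is chosen as the next free value rather than hard-coded to 2, because indexes must be unique across a descriptor's ACS elements.

```python
"""Check, and if needed add, the PAOS AssertionConsumerService in the AWS SP metadata.

Added example, not from the page or the Shibboleth project: it parses SAML 2.0
metadata held by the IdP, lists the ACS endpoints for urn:amazon:webservices
that use the PAOS binding, and can insert the element shown above when it is
missing.  The metadata strings below are constructed for the example.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
MD = "{%s}" % MD_NS
PAOS_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AWS_ENTITY_ID = "urn:amazon:webservices"
AWS_ACS = "https://signin.aws.amazon.com/saml"

# Constructed minimal SP metadata for the AWS entity; the PAOS element is the
# one from the page.  Real AWS metadata carries much more (keys, attributes).
_TEMPLATE = (
    '<md:EntityDescriptor xmlns:md="%s" entityID="%s">'
    '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:AssertionConsumerService index="1" isDefault="true" Binding="%s" Location="%s"/>'
    '%s'
    '</md:SPSSODescriptor></md:EntityDescriptor>'
)
PAOS_ACS_XML = '<md:AssertionConsumerService index="2" Binding="%s" Location="%s"/>' % (PAOS_BINDING, AWS_ACS)
METADATA_WITHOUT_PAOS = _TEMPLATE % (MD_NS, AWS_ENTITY_ID, POST_BINDING, AWS_ACS, "")
METADATA_WITH_PAOS = _TEMPLATE % (MD_NS, AWS_ENTITY_ID, POST_BINDING, AWS_ACS, PAOS_ACS_XML)


def _aws_sp_descriptors(root):
    """Yield SPSSODescriptor elements of the AWS entity (root may be an EntitiesDescriptor)."""
    for entity in root.iter(MD + "EntityDescriptor"):
        if entity.get("entityID") == AWS_ENTITY_ID:
            yield from entity.findall(MD + "SPSSODescriptor")


def paos_endpoints(metadata_xml):
    """Locations of all PAOS-binding ACS endpoints declared for urn:amazon:webservices."""
    root = ET.fromstring(metadata_xml)
    return [
        acs.get("Location")
        for sp in _aws_sp_descriptors(root)
        for acs in sp.findall(MD + "AssertionConsumerService")
        if acs.get("Binding") == PAOS_BINDING
    ]


def ecp_ready(metadata_xml):
    """True when the IdP can answer ECP requests for AWS at the expected ACS."""
    return AWS_ACS in paos_endpoints(metadata_xml)


def add_paos_acs(metadata_xml):
    """Return metadata with the PAOS ACS added to the AWS SPSSODescriptor if absent.

    The schema orders AssertionConsumerService before AttributeConsumingService,
    so the new element is inserted ahead of any of those rather than appended.
    """
    if ecp_ready(metadata_xml):
        return metadata_xml
    ET.register_namespace("md", MD_NS)  # keep the md: prefix on output
    root = ET.fromstring(metadata_xml)
    descriptors = list(_aws_sp_descriptors(root))
    if not descriptors:
        raise ValueError("no SPSSODescriptor for %s in metadata" % AWS_ENTITY_ID)
    for sp in descriptors:
        children = list(sp)
        used = [int(c.get("index", "0")) for c in children if c.tag == MD + "AssertionConsumerService"]
        pos = next((i for i, c in enumerate(children) if c.tag == MD + "AttributeConsumingService"),
                   len(children))
        acs = ET.Element(MD + "AssertionConsumerService")
        acs.set("index", str(max(used, default=0) + 1))
        acs.set("Binding", PAOS_BINDING)
        acs.set("Location", AWS_ACS)
        sp.insert(pos, acs)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(ecp_ready(METADATA_WITHOUT_PAOS))                # False
    print(ecp_ready(add_paos_acs(METADATA_WITHOUT_PAOS)))  # True
```

If the IdP loads the AWS metadata from a signed or remotely fetched source, edit the local copy the IdP actually uses and re-sign or re-verify as your metadata provider configuration requires; a rewritten file that fails the IdP's own signature check is silently ignored.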
...
The following steps are needed to get a client ready for use:

1. Install the JDBC driver/client itself.
2. Build the Maven project available at https://git.shibboleth.net/git/java-redshift.git to produce the redshift-ecp.jar file. No other Java libraries are required, just that plugin and the JDBC driver.
3. Configure a custom JDBC data source type in your Java tool of choice.

Step 3 is the wildcard: it's specific to the client tool used. Every JDBC client application has some way of defining "non-standard" driver types, usually buried somewhere in its menus. When you define a custom data source like this, you point it at the set of jars that make up the "driver", in this case the two jars needed. Often you can also create templates for new connections that carry common properties, but this is optional and is best ignored while testing things out.
...
You MUST define at least these:

| Name | Description | Example |
|---|---|---|
| plugin_name | This points the JDBC driver at the SAML plugin to use, and MUST be set to the example value shown to the right. | net.shibboleth.utilities.amazon.redshift.ECPCredentialsProvider |
| idp_host | Hostname of the IdP | idp.example.org |
Other Useful Properties
Some of these are more useful than others but you'll need to set the user and password at some point, or enter them in real time.
One special extension point is the "ecp_headers" pointer to a property file, which can carry custom HTTP headers. This is particularly useful to provide special authentication features such as Multi-Factor login signaling to the IdP.
| Name | Description | Example |
|---|---|---|
| idp_port | Port for the IdP | 443 |
| ecp_path | Path to IdP's ECP endpoint | /idp/profile/SAML2/SOAP/ECP |
| user | Username at IdP (NOT the Redshift username) | |
| password | Password at IdP | |
| ecp_template | Classpath resource containing an ECP AuthnRequest template | |
| ecp_tag | XML Element tagname used by IdP for SAML Response | saml2:Response |
| ecp_headers | Pathname to properties file containing custom HTTP request headers to include | |
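Because the property set is typed into a client tool by hand, it helps to check it before the first connection attempt and to generate the `ecp_headers` file rather than edit it freehand. The script below is an added example, not code from the page or the java-redshift plugin: it enforces the two MUST properties from the first table with the exact class name, sanity checks the optional ones from the second, and renders custom headers in Java `.properties` syntax. The header name and value are constructed placeholders; whatever your IdP expects for MFA signalling is deployment specific and has to come from its own documentation.

```python
"""Check a Redshift ECP JDBC property set and render an ecp_headers file.

Added example, not from the page or the java-redshift plugin.  The property
names and example values come from the tables on the page; the custom HTTP
header used below is a constructed placeholder, not one any IdP is known to use.
"""
import os
import tempfile

PLUGIN_CLASS = "net.shibboleth.utilities.amazon.redshift.ECPCredentialsProvider"


def check_properties(props):
    """Return a list of problems; an empty list means the set satisfies the page's rules."""
    problems = []
    if props.get("plugin_name") != PLUGIN_CLASS:
        problems.append("plugin_name must be exactly " + PLUGIN_CLASS)
    if not props.get("idp_host"):
        problems.append("idp_host is required")
    if "idp_port" in props:
        port = str(props["idp_port"])
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            problems.append("idp_port must be a TCP port number")
    if "ecp_path" in props and not str(props["ecp_path"]).startswith("/"):
        problems.append("ecp_path must be an absolute path on the IdP")
    headers = props.get("ecp_headers")
    if headers and not os.path.isfile(headers):
        problems.append("ecp_headers file not found: " + headers)
    return problems


def _escape_key(key):
    """Escape the characters .properties treats as key/value separators."""
    out = key.replace("\\", "\\\\")
    for ch in " :=":
        out = out.replace(ch, "\\" + ch)
    return out


def render_ecp_headers(headers):
    """Render header name/value pairs as the text of a Java .properties file."""
    lines = ["# custom HTTP headers for the ECP request (constructed example)"]
    for name, value in headers.items():
        lines.append("%s=%s" % (_escape_key(name), value.replace("\\", "\\\\")))
    return "\n".join(lines) + "\n"


def write_ecp_headers(path, headers):
    """Write the rendered headers; java.util.Properties reads ISO-8859-1 by default."""
    with open(path, "w", encoding="latin-1") as fh:
        fh.write(render_ecp_headers(headers))


def example_setup():
    """Build a property set from the page's example values plus a generated headers file."""
    headers_file = os.path.join(tempfile.mkdtemp(), "ecp-headers.properties")
    # Constructed placeholder header; replace with what your IdP documents.
    write_ecp_headers(headers_file, {"X-Example-MFA-Hint": "required"})
    props = {
        "plugin_name": PLUGIN_CLASS,
        "idp_host": "idp.example.org",
        "idp_port": "443",
        "ecp_path": "/idp/profile/SAML2/SOAP/ECP",
        "ecp_tag": "saml2:Response",
        "ecp_headers": headers_file,
        "user": "jdoe",  # constructed IdP username, not the Redshift dbuser
        # password deliberately omitted: enter it in the client tool at connect time
    }
    return {"properties": props, "problems": check_properties(props)}


if __name__ == "__main__":
    print(example_setup()["problems"])  # []
```

The check flags only what the tables state (mandatory keys, the exact plugin class, a usable port and path, a readable headers file); it does not know what other driver properties your tool passes through, so unknown keys are left alone.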