...

See https://docs.aws.amazon.com/redshift/latest/mgmt/generating-user-credentials.html for a large amount of documentation on the general topic of using IAM credentials in AWS together with SAML, the drivers, and a lot of configuration glue to make all this fit together.

Table of Contents

Prerequisite Setup

Warning: Here be Dragons!

This is where all the hard stuff is, and there's no way I can come close to documenting it all clearly or accurately. Get help from Amazon if you want to do all this safely. There is a really good chance you'll end up with a security hole if you don't know what you're doing with AWS Roles and Policies, and if you don't test exhaustively. You have been warned.

...

You need an IAM Role defined in AWS with a trust policy that is usable by that IdP and attached to a resource Policy that grants access under at least some conditions to a Redshift cluster. That's a "deep" topic and Amazon has extended their documentation with more examples, but a simple policy we've tested with looks like this:

Redshift IAM Policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "redshift:GetClusterCredentials",
            "Resource": [
                "arn:aws:redshift:*:*:dbuser:*/${saml:sub}",
                "arn:aws:redshift:*:*:dbname:*/*"
            ]
        }
    ]
}

...

You need an IdP configured to supply the "one, big, honking" AWS SAML SP (which Amazon identifies as "urn:amazon:webservices"). You need to modify the metadata you give the IdP for this AWS SP so that the IdP believes it can respond to it using the ECP "PAOS" binding. Adding the following as an AssertionConsumerService is sufficient:

...

Addition to AWS SAML metadata at IdP:
    <md:AssertionConsumerService index="2"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
      Location="https://signin.aws.amazon.com/saml"/>

...

The following steps are needed to get a client ready for use:

  1. Install the JDBC driver/client itself.

  2. Build the Maven project available at https://git.shibboleth.net/git/java-redshift.git to produce the redshift-ecp.jar file. No other Java libraries are required, just that plugin and the JDBC driver.

  3. Configure a custom JDBC data source type in your Java tool of choice.

Step 3 is the wildcard, because it is specific to the client tool used. JDBC client applications typically have some special way of defining "non-standard" driver types somewhere in their litany of menu options. When you define a custom data source like this, you get to point it at the set of jars that make up the "driver", in this case the two jars needed (the JDBC driver and redshift-ecp.jar). Often you can also create templates for new connections with common properties, but this is optional and is best ignored while testing things out.

...

You MUST define at least these:

Name        | Description                                                                                          | Example
------------|------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------
plugin_name | Points the JDBC driver at the SAML plugin to use; MUST be set to the example value shown to the right. | net.shibboleth.utilities.amazon.redshift.ECPCredentialsProvider
idp_host    | Hostname of the IdP                                                                                  | idp.example.org

Other Useful Properties

Some of these are more useful than others but you'll need to set the user and password at some point, or enter them in real time.

One special extension point is the "ecp_headers" pointer to a property file, which can carry custom HTTP headers. This is particularly useful to provide special authentication features such as Multi-Factor login signaling to the IdP.

Name         | Description                                                                    | Example
-------------|--------------------------------------------------------------------------------|----------------------------
idp_port     | Port for the IdP                                                               | 443
ecp_path     | Path to the IdP's ECP endpoint                                                 | /idp/profile/SAML2/SOAP/ECP
user         | Username at the IdP (NOT the Redshift username)                                |
password     | Password at the IdP                                                            |
ecp_template | Classpath resource containing an ECP AuthnRequest template                     |
ecp_tag      | XML element tag name used by the IdP for the SAML Response                     | saml2:Response
ecp_headers  | Pathname to a properties file containing custom HTTP request headers to include |
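As an added example (not code from the original page or from the java-redshift project), a minimal Java client that assembles the properties above and opens an IAM-authenticated Redshift connection through the ECP plugin. The cluster endpoint, database name, IdP username and the ecp_headers file path are placeholders, and the "iam" JDBC URL prefix is the Redshift driver's own syntax for plugin-based credentials.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Arrays;
import java.util.Properties;

public class RedshiftEcpConnect {
    public static void main(String[] args) throws SQLException {
        // Placeholder cluster endpoint and database. The "iam" prefix tells the
        // Redshift driver to fetch temporary credentials via plugin_name instead
        // of expecting a database password.
        String url = "jdbc:redshift:iam://CLUSTER-ENDPOINT:5439/DATABASE";

        Properties props = new Properties();
        // Required: the plugin class from redshift-ecp.jar and the IdP hostname.
        props.setProperty("plugin_name",
            "net.shibboleth.utilities.amazon.redshift.ECPCredentialsProvider");
        props.setProperty("idp_host", "idp.example.org");
        // Optional, set here to the example values from the table above.
        props.setProperty("idp_port", "443");
        props.setProperty("ecp_path", "/idp/profile/SAML2/SOAP/ECP");
        // IdP credentials (NOT the Redshift database user). Read the password
        // at run time rather than embedding it in code or a saved connection.
        props.setProperty("user", "jdoe");
        char[] pw = System.console().readPassword("IdP password for jdoe: ");
        props.setProperty("password", new String(pw));
        Arrays.fill(pw, '\0');
        // Hypothetical properties file holding extra HTTP headers for the ECP
        // request, e.g. a header the IdP uses to require multi-factor login.
        props.setProperty("ecp_headers", "/etc/redshift/ecp-headers.properties");

        try (Connection conn = DriverManager.getConnection(url, props);
             Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SELECT current_user")) {
            while (rs.next()) {
                // With the policy above, the database user is the ${saml:sub}
                // value asserted by the IdP, which is a useful sanity check.
                System.out.println("Connected to Redshift as " + rs.getString(1));
            }
        }
    }
}
```

Run it from a real terminal: System.console() returns null under many IDEs, so the password prompt will fail there.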