...
See https://docs.aws.amazon.com/redshift/latest/mgmt/generating-user-credentials.html for a large amount of documentation on the general topic of using IAM credentials in AWS together with SAML, the drivers, and a lot of configuration glue to make all this fit together.
Prerequisite Setup
See the Amazon Redshift ECP Plugin for JDBC topic for this discussion; it applies here as well.
...
The following steps are needed to get a client ready for use:
1. Install the ODBC driver/client itself.
2. Build the Visual Studio project available at https://git.shibboleth.net/git/cpp-ecp.git to produce the ecp.exe executable file.
3. Install a usable SSL-capable version of the curl.exe utility. It's overkill, but one option is to install the Shibboleth SP software for Windows, which includes a copy and places the necessary libraries on the system path for you.
Validating Install
The ODBC interactions can get very tricky to debug, so it's best to do some testing from the command line without involving the driver at all.
...
Next, try to run a transaction with the ecp.exe utility built in step 2 above against your IdP. You'll need several parameters passed on the command line, and they're passed to the utility in name=value pairs. At least the following need to be set:
- ecp_curl=C:\Utilities\curl.exe
  Point this wherever you successfully installed curl.exe and managed to make it work in the step above.
- ecp_issuer=urn:amazon:webservices
  This is the SP entityID of Amazon. It's not valid, it should be noted, but there's not much we can do about that.
- idp_host=idp.example.org
  Obviously this is where your IdP lives.
- ecp_nobase64=1
  This helps with testing by echoing the raw response XML from the IdP rather than the base64-encoded form.

You'll also need user and password to provide the credentials to use.
...
What you're doing with the INI file is baking in a handful of the properties that will be passed to the ecp.exe program so the driver knows how to call it. The INI file has a section named with some kind of profile string that you'll use later to identify the configuration the driver should use.
...
.aws/config

```ini
[awstest]
plugin_name=C:\Utilities\ecp.exe
ecp_curl=C:\Utilities\curl.exe
#ecp_hidden=1
ecp_issuer=urn:amazon:webservices
idp_host=idp.example.org
preferred_role=arn:aws:iam::12345678901:role/Redshift_test
```
...
You MUST define at least these:
Name | Description | Example |
---|---|---|
plugin_name | This points the ODBC driver at the ecp.exe utility so it knows what to launch. | C:\Utilities\ecp.exe |
idp_host | Hostname of the IdP | idp.example.org |
ecp_issuer | Name of Amazon SP | urn:amazon:webservices |
preferred_role | This isn't just "preferred", it's literally required to tell the system which AWS role you're using. You could omit this if you only operate in one role ever, but if the IdP ever includes more than one you'll end up with a failure, so it's best to specify it. | arn:aws:iam::12345678901:role/Redshift_test |
Other Properties
Note that unlike the JDBC case, you fully control the command line, which means
Name | Description | Example |
---|---|---|
idp_port | Port for the IdP | 443 |
ecp_cacert | Path to a file containing one or more CA certificates, used to verify the IdP certificate if the curl default behavior does not allow implicit validation. | C:\Utilities\curl-ca-bundle.crt |
ecp_path | Path to IdP's ECP endpoint | /idp/profile/SAML2/SOAP/ECP |
ecp_curl | Path to curl.exe utility, if it's not in the path | C:\Utilities\curl.exe |
ecp_command | Allows total control of the command to talk to the IdP if you want to get creative, add custom curl parameters, etc. This is the hook to allow setting HTTP headers and other weirdness. | |
ecp_hidden | Value irrelevant. If set, this tells the utility to hide its console window. Use once you've tested and things are working. | 1 |
ecp_nobase64 | Value irrelevant. If set, it sends the raw XML to stdout instead of base64-encoded. Just for debugging command line or for other use cases, the ODBC client requires the encoding. | 1 |
ecp_soap | Value irrelevant. If set, it sends the whole SOAP XML envelope back instead of trimming the response out. Just for debugging command line or for other use cases, the ODBC client requires the response only. | 1 |
ecp_tag | XML Element tagname used by IdP for SAML Response | saml2:Response |
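A small profile checker for the INI settings described in the two tables above, added here as an example and not part of the Shibboleth or Amazon code. It assumes the profile is plain `[section]` / `key=value` text that Python's configparser can read (so a `#ecp_hidden=1` line is a comment, not a setting), flags the required keys that are missing, and flags the debug-only switches (ecp_nobase64, ecp_soap) that would make ecp.exe emit output the ODBC driver cannot consume.

```python
"""Sanity-check an ECP plugin profile in .aws/config before the ODBC driver uses it."""
import configparser

# Keys the driver cannot do without (the "You MUST define" table).
REQUIRED = ("plugin_name", "idp_host", "ecp_issuer", "preferred_role")
# Debug-only switches: if present, ecp.exe emits output the ODBC client cannot consume.
DEBUG_ONLY = ("ecp_nobase64", "ecp_soap")

# Constructed sample, mirroring the profile shown on this page.
SAMPLE_CONFIG = r"""
[awstest]
plugin_name=C:\Utilities\ecp.exe
ecp_curl=C:\Utilities\curl.exe
#ecp_hidden=1
ecp_issuer=urn:amazon:webservices
idp_host=idp.example.org
preferred_role=arn:aws:iam::12345678901:role/Redshift_test
"""


def check_profile(ini_text: str, profile: str) -> list[str]:
    """Return the problems found in the named profile; an empty list means it looks usable."""
    cfg = configparser.ConfigParser(interpolation=None)  # no '%' expansion in paths or ARNs
    cfg.read_string(ini_text)
    if not cfg.has_section(profile):
        return [f"profile [{profile}] not found"]
    sec = cfg[profile]
    problems = []
    for key in REQUIRED:
        if not sec.get(key, "").strip():
            problems.append(f"missing required key: {key}")
    for key in DEBUG_ONLY:
        if key in sec:  # a '#'-prefixed line is a comment and does not count as set
            problems.append(f"{key} is set; the driver needs the base64-encoded response only")
    role = sec.get("preferred_role", "")
    if role and not role.startswith("arn:aws:iam::"):
        problems.append("preferred_role is not an IAM role ARN")
    if not sec.get("ecp_path", "/").startswith("/"):
        problems.append("ecp_path must be an absolute URL path on the IdP")
    return problems


if __name__ == "__main__":
    for line in check_profile(SAMPLE_CONFIG, "awstest") or ["profile [awstest] looks usable"]:
        print(line)
```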