Creating temporary IAM credentials - Amazon Redshift

Creating temporary IAM credentials

In this section, you can find how to configure your system to generate temporary IAM-based database user credentials and log in to your database using the new credentials.

At a high level, the process flows as follows:

  1. Step 1: Create an IAM role for IAM single sign-on access

    (Optional) You can authenticate users for access to an Amazon Redshift database by integrating IAM authentication and a third-party identity provider (IdP).

  2. Step 2: Configure SAML assertions for your IdP

    (Optional) To use IAM authentication using an IdP, you need to define a claim rule in your IdP application that maps users or groups in your organization to the IAM role. Optionally, you can include attribute elements to set GetClusterCredentials parameters.

  3. Step 3: Create an IAM role with permissions to call GetClusterCredentials

    Your SQL client application assumes the user when it calls the GetClusterCredentials operation. If you created an IAM role for identity provider access, you can add the necessary permission to that role.

  4. Step 4: Create a database user and database groups

    (Optional) By default, GetClusterCredentials returns credentials that create a new user if the user name doesn't exist. You can also choose to specify user groups that users join at logon. By default, database users join the PUBLIC group.

  5. Step 5: Configure a JDBC or ODBC connection to use IAM credentials

    To connect to your Amazon Redshift database, you configure your SQL client to use an Amazon Redshift JDBC or ODBC driver.
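The following is an added example, not code from the Amazon Redshift documentation, that assembles the pieces of Steps 3 to 5 above in Python: a least-privilege IAM policy for the role that calls GetClusterCredentials, the request parameters that decide which database user and groups the temporary credentials map to (DbUser, DbGroups, AutoCreate, DurationSeconds), and the response fields a JDBC or ODBC client needs. The region, account ID, cluster name, database name and group name are constructed placeholders, and the `FakeClient` style of injection means no AWS call is made unless a real boto3 `redshift` client is passed in.

```python
"""Added example (not from the Amazon Redshift documentation page).

Steps 3-5 of the procedure above, assembled in one place:
  * Step 3: an IAM policy that allows GetClusterCredentials only for the
    caller's own database user, on one cluster and one database.
  * Step 4: the request fields (DbGroups, AutoCreate) that decide which
    database user and groups the temporary credentials are bound to.
  * Step 5: the response values the JDBC/ODBC connection is built from.

Account id, region, cluster, database and group names are constructed
placeholders; no AWS call happens unless a real boto3 client is passed in.
"""
import json

MIN_DURATION_SECONDS = 900    # documented GetClusterCredentials lower bound (and default)
MAX_DURATION_SECONDS = 3600   # documented upper bound


def least_privilege_policy(region, account_id, cluster_id, db_name, db_groups, auto_create):
    """Return the IAM policy document (as a dict) for the role in Step 3.

    The ${redshift:DbUser} policy variable ties the dbuser resource to the
    DbUser value in the API call, so the caller cannot request credentials
    for an arbitrary database user.
    """
    prefix = f"arn:aws:redshift:{region}:{account_id}"
    statements = [{
        "Sid": "GetClusterCredsStatement",
        "Effect": "Allow",
        "Action": ["redshift:GetClusterCredentials"],
        "Resource": [
            f"{prefix}:dbuser:{cluster_id}/${{redshift:DbUser}}",
            f"{prefix}:dbname:{cluster_id}/{db_name}",
        ],
    }]
    if auto_create:
        # Only needed when AutoCreate=True (Step 4): lets the call create the user.
        statements.append({
            "Sid": "CreateClusterUserStatement",
            "Effect": "Allow",
            "Action": ["redshift:CreateClusterUser"],
            "Resource": f"{prefix}:dbuser:{cluster_id}/${{redshift:DbUser}}",
        })
    if db_groups:
        # Name each group explicitly rather than using a wildcard, so the role
        # can only join the groups it is meant for.
        statements.append({
            "Sid": "RedshiftJoinGroupStatement",
            "Effect": "Allow",
            "Action": ["redshift:JoinGroup"],
            "Resource": [f"{prefix}:dbgroup:{cluster_id}/{g}" for g in db_groups],
        })
    return {"Version": "2012-10-17", "Statement": statements}


def build_credentials_request(cluster_id, db_user, db_name, db_groups=(),
                              auto_create=False, duration_seconds=MIN_DURATION_SECONDS):
    """Build the keyword arguments for redshift.get_cluster_credentials().

    DurationSeconds is checked against the documented range; the shortest
    lifetime that still covers the session is the safest choice.
    """
    if not MIN_DURATION_SECONDS <= duration_seconds <= MAX_DURATION_SECONDS:
        raise ValueError(f"DurationSeconds must be {MIN_DURATION_SECONDS}..{MAX_DURATION_SECONDS}")
    request = {
        "ClusterIdentifier": cluster_id,
        "DbUser": db_user,
        "DbName": db_name,
        "AutoCreate": auto_create,
        "DurationSeconds": duration_seconds,
    }
    if db_groups:
        request["DbGroups"] = list(db_groups)
    return request


def fetch_temporary_credentials(redshift_client, request):
    """Call GetClusterCredentials and return what the SQL client needs (Step 5).

    The DbUser in the response carries an 'IAM:' prefix ('IAMA:' when the
    user was auto-created); the JDBC/ODBC connection must use that prefixed
    name with DbPassword, and must reconnect before Expiration.
    """
    resp = redshift_client.get_cluster_credentials(**request)
    return {"user": resp["DbUser"], "password": resp["DbPassword"], "expires": resp["Expiration"]}


if __name__ == "__main__":
    policy = least_privilege_policy("us-west-2", "123456789012", "examplecluster",
                                    "dev", ["example_group"], auto_create=True)
    print(json.dumps(policy, indent=2))
    print(build_credentials_request("examplecluster", "alice", "dev",
                                    ["example_group"], auto_create=True))
    # Real use: fetch_temporary_credentials(boto3.client("redshift"), request)
```

The policy builder omits `redshift:CreateClusterUser` unless the request will set `AutoCreate`, and it lists `dbgroup` resources one by one; both choices keep the role from minting credentials for users or groups the procedure never intended.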