Amazon Redshift
Management Guide (API Version 2012-12-01)

Creating Temporary IAM User Credentials

In this section, you can find the steps to configure your system to generate temporary IAM-based database user credentials and log on to your database using the new credentials.

At a high level, the process flows as follows:

  1. Step 1: Create an IAM Role for IAM Single Sign-On (SSO) Access

    (Optional) You can authenticate users for access to an Amazon Redshift database by integrating IAM authentication and a third-party identity provider (IdP), such as PingFederate, Okta, or ADFS.

  2. Step 2: Configure SAML Assertions for Your IdP

    (Optional) To use IAM authentication with an IdP, you need to define a claim rule in your IdP application that maps users or groups in your organization to the IAM role. Optionally, you can include attribute elements to set GetClusterCredentials parameters.

  3. Step 3: Create an IAM Role or User With Permissions to Call GetClusterCredentials

    Your SQL client application assumes the IAM role when it calls the GetClusterCredentials action. If you created an IAM role for identity provider access, you can add the necessary permission to that role.

  4. Step 4: Create a Database User and Database Groups

    (Optional) By default, GetClusterCredentials returns credentials for existing users. You can choose to have GetClusterCredentials create a new user if the user name doesn't exist. You can also choose to specify user groups that users join at logon. By default, database users join the PUBLIC group.

  5. Step 5: Configure a JDBC or ODBC Connection to Use IAM Credentials

    To connect to your Amazon Redshift database, you configure your SQL client to use an Amazon Redshift JDBC or ODBC driver.
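The five steps above describe a procedure whose security-relevant decisions are made in Step 3 (how tightly the GetClusterCredentials permission is scoped) and Step 5 (which user, groups and auto-create behaviour the client asks for). The following Python block is an added example written for this page, not code from the Amazon Redshift guide or the AWS SDK: it builds a least-privilege IAM policy for the GetClusterCredentials caller, flags statements that would let the caller mint credentials for any user or join any group, and assembles the matching JDBC IAM connection URL. The ARN resource types (dbuser, dbgroup, dbname), the actions redshift:GetClusterCredentials, redshift:JoinGroup and redshift:CreateClusterUser, and the JDBC properties DbUser, DbGroups and AutoCreate are taken from my knowledge of the Redshift IAM and JDBC documentation rather than from this page; the region, account, cluster, user and group names are constructed placeholders.

```python
import json
from typing import Dict, List

# Constructed placeholder values; substitute your own region, account and cluster.
REGION = "us-west-2"
ACCOUNT_ID = "123456789012"
CLUSTER_ID = "examplecluster"


def redshift_arn(resource_type: str, name: str, region: str = REGION,
                 account: str = ACCOUNT_ID, cluster: str = CLUSTER_ID) -> str:
    """ARN for a Redshift dbuser / dbgroup / dbname resource on one cluster."""
    return f"arn:aws:redshift:{region}:{account}:{resource_type}:{cluster}/{name}"


def build_cluster_credentials_policy(db_user: str, db_groups: List[str],
                                     auto_create: bool = False) -> Dict:
    """Step 3: allow the caller to mint temporary credentials only for one
    named database user on one cluster, to join only the listed groups, and
    (if requested) to auto-create only that same user."""
    statements = [{
        "Sid": "GetCredentialsForOneUser",
        "Effect": "Allow",
        "Action": "redshift:GetClusterCredentials",
        "Resource": [
            redshift_arn("dbuser", db_user),
            redshift_arn("dbname", "*"),  # any database on this cluster
        ],
    }]
    if db_groups:
        statements.append({
            "Sid": "JoinOnlyListedGroups",
            "Effect": "Allow",
            "Action": "redshift:JoinGroup",
            "Resource": [redshift_arn("dbgroup", g) for g in db_groups],
        })
    if auto_create:
        statements.append({
            "Sid": "AutoCreateOnlyThisUser",
            "Effect": "Allow",
            "Action": "redshift:CreateClusterUser",
            "Resource": [redshift_arn("dbuser", db_user)],
        })
    return {"Version": "2012-10-17", "Statement": statements}


def overly_broad_statements(policy: Dict) -> List[str]:
    """Return the Sids of Allow statements whose dbuser or dbgroup resource is a
    wildcard, i.e. the caller could obtain credentials as any database user or
    join any group on the cluster. A bare '*' resource is flagged as well."""
    flagged = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        res = st["Resource"]
        resources = res if isinstance(res, list) else [res]
        for r in resources:
            if (r == "*"
                    or (":dbuser:" in r and r.endswith("/*"))
                    or (":dbgroup:" in r and r.endswith("/*"))):
                flagged.append(st.get("Sid", "<no Sid>"))
                break
    return flagged


def policy_json(policy: Dict) -> str:
    """Serialised form suitable for pasting into an IAM policy editor."""
    return json.dumps(policy, indent=2)


def jdbc_iam_url(cluster_host: str, database: str, db_user: str,
                 db_groups: List[str], auto_create: bool = False,
                 port: int = 5439) -> str:
    """Step 5: connection URL for the Redshift JDBC driver's IAM scheme
    (assumed property names DbUser, DbGroups, AutoCreate). The groups and
    auto-create flag here must stay within what the Step 3 policy allows."""
    params = [f"DbUser={db_user}"]
    if db_groups:
        params.append("DbGroups=" + ",".join(db_groups))
    if auto_create:
        params.append("AutoCreate=true")
    return f"jdbc:redshift:iam://{cluster_host}:{port}/{database}?" + "&".join(params)


if __name__ == "__main__":
    policy = build_cluster_credentials_policy("analyst", ["readers"], auto_create=True)
    print(policy_json(policy))
    print("overly broad:", overly_broad_statements(policy))
    host = f"{CLUSTER_ID}.abc123xyz789.{REGION}.redshift.amazonaws.com"  # constructed
    print(jdbc_iam_url(host, "dev", "analyst", ["readers"], auto_create=True))
```

The check in overly_broad_statements is the one to run over any policy attached to the Step 3 role: a policy that grants GetClusterCredentials on `dbuser:cluster/*` lets every holder of that role log on as any database user, including superusers, so the Step 4 group design no longer constrains anything.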