Step 4: Create a database user and database groups

Optionally, you can create a database user that you use to log in to the cluster database. If you create temporary user credentials for an existing user, you can disable the user's password to force the user to log on with the temporary password. Alternatively, you can use the GetClusterCredentials Autocreate option to automatically create a new database user.

You can create database user groups with the permissions you want the IAM database user to join at login. When you call the GetClusterCredentials operation, you can specify a list of user group names that the new user joins at login. These group memberships are valid only for sessions created using credentials generated with the given request.

To create a database user and database groups

Log in to your Amazon Redshift database and create a database user using CREATE USER or alter an existing user using ALTER USER.
Optionally, specify the PASSWORD DISABLE option to prevent the user from using a password. When a user's password is disabled, the user can log on only using temporary IAM user credentials. If the password is not disabled, the user can log on either with the password or using temporary IAM user credentials. You can't disable the password for a superuser.

The following example creates a user with password disabled.
```
create user temp_creds_user password disable; 
```
The following example disables the password for an existing user.
```
alter user temp_creds_user password disable;
```
Create database user groups using CREATE GROUP.
Use the GRANT command to define access privileges for the groups.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Create an IAM role or user role or user with permissions to call GetClusterCredentials

Configure a JDBC or ODBC connection to use IAM credentials