Authentication methods - Amazon Redshift

Authentication methods

To protect data from unauthorized access, Amazon Redshift data stores require all connections to be authenticated using user credentials.

The following table illustrates the required and optional connection options for each authentication method that can be used to connect to the Amazon Redshift ODBC driver version 2.x:

Authentication Method Required Optional
Standard
  • Host

  • Port

  • Database

  • UID

  • Password

IAM Profile
  • Host

  • Port

  • Database

  • IAM

  • Profile

  • ClusterID

  • Region

  • AutoCreate

  • EndpointURL

  • StsEndpointURL

  • InstanceProfile

Note

ClusterID and Region must be set in Host if they are not set separately.

IAM Credentials
  • Host

  • Port

  • Database

  • IAM

  • AccessKeyID

  • SecretAccessKey

  • ClusterID

  • Region

  • AutoCreate

  • EndpointURL

  • StsEndpointURL

  • SessionToken

  • UID

Note

ClusterID and Region must be set in Host if they are not set separately.

AD FS
  • Host

  • Port

  • Database

  • IAM

  • plugin_name

  • UID

  • Password

  • IdP_Host

  • IdP_Port

  • ClusterID

  • Region

  • AutoCreate

  • EndpointUrl

  • StsEndpointUrl

  • Preferred_Role

  • loginToRp

  • SSL_Insecure

Note

ClusterID and Region must be set in Host if they are not set separately.

Azure AD
  • Host

  • Port

  • Database

  • IAM

  • plugin_name

  • UID

  • Password

  • IdP_Tenant

  • Client_ID

  • Client_Secret

  • ClusterID

  • Region

  • AutoCreate

  • EndpointUrl

  • StsEndpointUrl

  • Preferred_Role

  • dbgroups_filter

Note

ClusterID and Region must be set in Host if they are not set separately.

JWT
  • Host

  • Port

  • Database

  • IAM

  • plugin_name

  • web_identity_token

  • provider_name

Okta
  • Host

  • Port

  • Database

  • IAM

  • plugin_name

  • UID

  • Password

  • IdP_Host

  • App_Name

  • App_ID

  • ClusterID

  • Region

  • AutoCreate

  • EndpointUrl

  • StsEndpointUrl

  • Preferred_Role

Note

ClusterID and Region must be set in Host if they are not set separately.

Ping Federate

  • Host

  • Port

  • Database

  • IAM

  • plugin_name

  • UID

  • Password

  • IdP_Host

  • IdP_Port

  • ClusterID

  • Region

  • AutoCreate

  • EndpointUrl

  • StsEndpointUrl

  • Preferred_Role

  • SSL_Insecure

  • partner_spid

Note

ClusterID and Region must be set in Host if they are not set separately.

Browser Azure AD
  • Host

  • Port

  • Database

  • IAM

  • plugin_name

  • IdP_Tenant

  • Client_ID

  • UID

  • ClusterID

  • Region

  • AutoCreate

  • EndpointUrl

  • StsEndpointUrl

  • Preferred_Role

  • dbgroups_filter

  • IdP_Response_Timeout

  • listen_port

Note

ClusterID and Region must be set in Host if they are not set separately.

Browser SAML
  • Host

  • Port

  • Database

  • IAM

  • plugin_name

  • login_url

  • UID

  • ClusterID

  • Region

  • AutoCreate

  • EndpointUrl

  • StsEndpointUrl

  • Preferred_Role

  • dbgroups_filter

  • IdP_Response_Timeout

  • listen_port

Note

ClusterID and Region must be set in Host if they are not set separately.

Auth Profile
  • Host

  • Port

  • Database

  • AccessKeyID

  • SecretAccessKey

Browser Azure AD OAUTH2
  • Host

  • Port

  • Database

  • IAM

  • plugin_name

  • IdP_Tenant

  • Client_ID

  • UID

  • ClusterID

  • Region

  • EndpointUrl

  • IdP_Response_Timeout

  • listen_port

  • scope

  • provider_name

Note

ClusterID and Region must be set in Host if they are not set separately.

AWS IAM Identity Center
  • Host

  • Database

  • plugin_name

  • idc_region

  • issuer_url

  • idc_client_display_name

  • idp_response_timeout

  • listen_port

Using an external credentials service

In addition to built-in support for AD FS, Azure AD, and Okta, the Windows version of the Amazon Redshift ODBC driver also provides support for other credentials services. The driver can authenticate connections using any SAML-based credential provider plugin of your choice.

To configure an external credentials service on Windows:

  1. Create an IAM profile that specifies the credential provider plugin and other authentication parameters as needed. The profile must be ASCII-encoded, and must contain the following key-value pair, where PluginPath is the full path to the plugin application:

    plugin_name = PluginPath

    For example:

    plugin_name = C:\Users\kjson\myapp\CredServiceApp.exe

    For information on how to create a profile, see Using a Configuration Profile in the Amazon Redshift Cluster Management Guide.

  2. Configure the driver to use this profile. The driver detects and uses the authentication settings specified in the profile.
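The two requirements from step 1 (ASCII encoding, and a `plugin_name` that is a full path) can be checked before the profile is handed to the driver. The following is an added example, not AWS or driver code; it assumes the profile consists of `key = value` lines with optional `[section]` headers and `#`/`;` comments, treats keys case-insensitively, and the profile name and sample contents are constructed. It also flags `SSL_Insecure`, which is listed in the table above, on the assumption that a value of `1` or `true` turns off verification of the IdP server certificate.

```python
from pathlib import PureWindowsPath


def parse_profile(raw: bytes):
    """Return (settings, findings) for a profile supplied as raw bytes."""
    findings = []
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError as exc:
        # The page requires an ASCII-encoded profile; a UTF-8 BOM or an
        # accented character in a comment is enough to violate that.
        findings.append(f"profile is not ASCII-encoded (byte offset {exc.start})")
        text = raw.decode("ascii", errors="replace")
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[":  # assumed comment/section syntax
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip()
    return settings, findings


def lint_profile(raw: bytes):
    """List problems that would break or weaken plugin-based authentication."""
    settings, findings = parse_profile(raw)
    plugin = settings.get("plugin_name")
    if plugin is None:
        findings.append("plugin_name is missing")
    elif not PureWindowsPath(plugin).is_absolute():
        # A bare file name or drive-relative path is not a full path.
        findings.append(f"plugin_name is not a full path: {plugin}")
    # Assumption: 1/true means the IdP server certificate is not verified.
    if settings.get("ssl_insecure", "").lower() in ("1", "true"):
        findings.append("SSL_Insecure is enabled: IdP certificate is not verified")
    return findings


# Constructed sample profiles (not taken from a real system).
GOOD_PROFILE = (b"[profile plugin_creds]\n"
                b"plugin_name = C:\\Users\\kjson\\myapp\\CredServiceApp.exe\n")
BAD_PROFILE = ("[profile plugin_creds]\n"
               "plugin_name = CredServiceApp.exe\n"
               "ssl_insecure = true\n"
               "# propri\u00e9taire: kjson\n").encode("utf-8")

if __name__ == "__main__":
    for name, raw in (("good", GOOD_PROFILE), ("bad", BAD_PROFILE)):
        print(name, lint_profile(raw) or "OK")
```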