Options for Providing IAM Credentials
To provide IAM credentials for a JDBC or ODBC connection, choose one of the following authentication types.
-
AWS Profile
As an alternative to providing credential values as JDBC or ODBC settings, you can put the values in a named profile.
-
AWS IAM Credentials
Provide values for AccessKeyID, SecretAccessKey, and, optionally, SessionToken in the form of JDBC or ODBC settings. SessionToken is required only for an IAM role with temporary credentials. For more information, see Temporary Security Credentials.
-
Identity Provider
If you use an identity provider for authentication, specify the name of an identity provider plugin. The Amazon Redshift JDBC and ODBC drivers include plugins for the following SAML-based credential providers:
-
AD FS
-
PingFederate
-
Okta
You can provide the plugin name and related values as JDBC or ODBC settings or by using a profile. For more information, see JDBC Driver Configuration Options and ODBC Driver Configuration Options.
-
For more information, see Configure a JDBC or ODBC Connection to Use IAM Credentials.
JDBC and ODBC Options for Providing IAM Credentials
The following table lists the JDBC and ODBC options for providing IAM credentials.
Option | Description |
---|---|
Iam | For use only in an ODBC connection string. Set to 1 to use IAM authentication. |
AccessKeyID, SecretAccessKey, SessionToken | The access key ID and secret access key for the IAM role or IAM user configured for IAM database authentication. SessionToken is required only for an IAM role with temporary credentials and is not used for an IAM user. For more information, see Temporary Security Credentials. |
Plugin_Name | The fully qualified class name that implements a credentials provider. The Amazon Redshift JDBC driver includes SAML-based credential provider plugins. If Plugin_Name is provided, other related parameters are available. For more information, see Using a Credentials Provider Plugin. |
Profile | The name of a profile in an AWS credentials or config file that contains values for the JDBC connection options. For more information, see Using a Configuration Profile. |
Using a Credentials Provider Plugin
The following credential provider plugins are included with the Amazon Redshift JDBC driver.
-
Active directory federation service (AD FS)
-
Ping Federate (Ping)
Ping is supported only with the predetermined PingFederate IdP Adapter using Forms authentication.
-
Okta
Okta is supported only for the Okta-supplied AWS Console default application.
To use a SAML-based credential provider plugin, specify the following options as JDBC or ODBC options or in a named profile:
Option | Description |
---|---|
plugin_name | For JDBC, the fully qualified class name that implements a credentials provider; the AD FS provider used in the profile example below is com.amazon.redshift.plugin.AdfsCredentialsProvider. For ODBC, the plugin name listed in ODBC Driver Configuration Options. |
idp_host | The name of the corporate identity provider host. This name should not include any slashes ('/'). For an Okta identity provider, the value for idp_host should end with .okta.com. |
idp_port | The port used by the identity provider. The default is 443. The port is ignored for Okta. |
preferred_role | A role Amazon Resource Name (ARN) from the AttributeValue elements for the Role attribute in the SAML assertion. Work with your IdP administrator to find the appropriate value for the preferred role. For more information, see Configure SAML Assertions for Your IdP. |
user | A corporate user name, including the domain when applicable. For example, for Active Directory, the domain name is required in the format domain\username. |
password | The corporate user's password. We recommend not using this option, because the password is then stored in clear text in the connection settings or the profile. Instead, use your SQL client to supply the password. |
ssl_insecure | Set to true (JDBC) or 1 (ODBC) to use insecure SSL with the IdP (not recommended: the IdP's certificate is not verified, so the corporate credentials sent to it can be intercepted). |
app_id | An ID for an Okta application. Used only with Okta. The value for app_id follows amazon_aws in the Okta Application Embed Link. Work with your IdP administrator to get this value. The following is an example of an application embed link: https://example.okta.com/home/amazon_aws/0oa2hylwrpM8UGehd1t7/272 |
The following example shows credentials provider plugin parameters in a named profile.
[plug-in-creds]
plugin_name=com.amazon.redshift.plugin.AdfsCredentialsProvider
idp_host=demo.example.com
idp_port=443
preferred_role=arn:aws:iam::123456789012:role/ADFS-Dev
user=example\user
password=Password1234
Using a Configuration Profile
You can supply the IAM credentials options and GetClusterCredentials options as settings in named profiles in your AWS configuration file. Provide the profile name by using the Profile JDBC option.
The configuration is stored in a file named config in a folder named .aws in your home directory. The home directory location varies, but it can be referred to using the environment variable %UserProfile% on Windows and $HOME or ~ (tilde) on Unix-like systems.
When you use the Amazon Redshift JDBC driver or ODBC driver with a bundled SAML-based credential provider plugin, the following settings are supported. If plugin_name is not set, the listed options are ignored.
-
plugin_name
-
idp_host
-
idp_port
-
preferred_role
-
user
-
password
-
ssl_insecure
-
app_id (for Okta only)
The following example shows a configuration file with three profiles. The user2 profile holds temporary credentials, so it includes session_token; the plug-in-creds profile holds the SAML plugin options. The GetClusterCredentials options (DbUser, AutoCreate, and DbGroups) can be added to a profile in the same way.
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[user2]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
session_token=AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQWLWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGdQrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz+scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==
[plug-in-creds]
plugin_name=com.amazon.redshift.plugin.AdfsCredentialsProvider
idp_host=demo.example.com
idp_port=443
preferred_role=arn:aws:iam::123456789012:role/ADFS-Dev
user=example\user
password=Password1234
To use the credentials for the user2 example, specify Profile=user2 in the JDBC URL. To use the credentials for the plug-in-creds example, specify Profile=plug-in-creds in the JDBC URL.
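The following Python script is an added example, not part of the Amazon Redshift driver or this guide. It reads a named profile from a config file of the shape shown above, checks it against the rules in the two option tables (plugin options are ignored without plugin_name, idp_host must be a bare host name and end with .okta.com for Okta, idp_port is ignored for Okta, app_id applies only to Okta, password and ssl_insecure are discouraged), extracts an Okta app_id from an application embed link, and maps the profile to the driver options (Profile=<name>, or the explicit AccessKeyID/SecretAccessKey/SessionToken or plugin settings). Assumptions: the sample config is constructed; only the AD FS class name appears on this page, so the Okta class name in the sample is assumed and an Okta plugin is recognized by "Okta" in its class name; the app_id helper takes everything after amazon_aws/ in the link path, which is the page's wording, so confirm the exact value with your IdP administrator.

```python
"""Added example (not Redshift driver code): read a named AWS profile, lint it
against the Redshift plugin option rules, and emit the equivalent JDBC settings."""
import configparser
from urllib.parse import urlparse

# Plugin-related options; the driver ignores them unless plugin_name is set.
PLUGIN_OPTIONS = ("plugin_name", "idp_host", "idp_port", "preferred_role",
                  "user", "password", "ssl_insecure", "app_id")

# Constructed sample config in the shape of the page's example. Only the AD FS
# class name appears on this page; the Okta class name is assumed, and the
# "bad-okta" profile deliberately breaks several rules from the option table.
SAMPLE_CONFIG = """\
[user2]
aws_access_key_id = AKIAI44QH8DHBEXAMPLE
aws_secret_access_key = je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
session_token = AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQ

[plug-in-creds]
plugin_name = com.amazon.redshift.plugin.AdfsCredentialsProvider
idp_host = demo.example.com
idp_port = 443
preferred_role = arn:aws:iam::123456789012:role/ADFS-Dev
user = example\\user
password = Password1234

[bad-okta]
plugin_name = com.amazon.redshift.plugin.OktaCredentialsProvider
idp_host = https://example.okta.com/
idp_port = 8443
ssl_insecure = true
"""


def load_profile(config_text, name):
    """Return one named profile's options as a dict (keys are lower-cased)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    if not parser.has_section(name):
        raise KeyError("profile %r not found" % name)
    return dict(parser.items(name))


def okta_app_id(embed_link):
    """app_id is what follows amazon_aws/ in the Okta Application Embed Link
    path (assumed reading of the table; the page's link gives 0oa2hylwrpM8UGehd1t7/272)."""
    marker = "/home/amazon_aws/"
    path = urlparse(embed_link).path
    if marker not in path:
        raise ValueError("not an amazon_aws application embed link")
    return path.split(marker, 1)[1].strip("/")


def lint_profile(opts):
    """Apply the plugin rules from the option table; return (errors, warnings)."""
    errors, warnings = [], []
    plugin = opts.get("plugin_name")
    if not plugin:
        ignored = [k for k in PLUGIN_OPTIONS if k in opts]
        if ignored:
            warnings.append("plugin_name not set; ignored: " + ", ".join(ignored))
        return errors, warnings
    is_okta = "okta" in plugin.lower()  # assumption: Okta plugin named by class
    host = opts.get("idp_host", "")
    if not host:
        errors.append("idp_host is required when plugin_name is set")
    elif "/" in host:
        errors.append("idp_host must be a bare host name without slashes")
    if is_okta:
        if not host.rstrip("/").endswith(".okta.com"):
            errors.append("Okta idp_host must end with .okta.com")
        if "idp_port" in opts:
            warnings.append("idp_port is ignored for Okta")
    elif "app_id" in opts:
        warnings.append("app_id is used only with Okta")
    if "password" in opts:
        warnings.append("password stored in the profile; let the SQL client supply it")
    if opts.get("ssl_insecure", "").lower() in ("1", "true"):
        warnings.append("ssl_insecure is on: IdP certificate not verified, password interceptable")
    return errors, warnings


def jdbc_settings(profile_name, opts, inline=False):
    """JDBC options for a profile: by default just Profile=<name>; with
    inline=True the profile is expanded into the explicit driver options."""
    if not inline:
        return {"Profile": profile_name}
    if opts.get("plugin_name"):
        return {k: opts[k] for k in PLUGIN_OPTIONS if k in opts}
    settings = {"AccessKeyID": opts["aws_access_key_id"],
                "SecretAccessKey": opts["aws_secret_access_key"]}
    # Temporary credentials (an assumed role) must carry the session token too;
    # a long-term IAM user key has none. Both spellings of the key are accepted.
    token = opts.get("session_token") or opts.get("aws_session_token")
    if token:
        settings["SessionToken"] = token
    return settings


if __name__ == "__main__":
    for name in ("user2", "plug-in-creds", "bad-okta"):
        opts = load_profile(SAMPLE_CONFIG, name)
        print(name, jdbc_settings(name, opts), lint_profile(opts))
```

Running it prints the Profile=<name> mapping for each profile and reports one error and two warnings for bad-okta (a URL where a host name is expected, a port Okta ignores, and ssl_insecure enabled), while plug-in-creds passes with a single warning about the stored password.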
For more information, see Named Profiles in the AWS Command Line Interface User Guide.