Sign In to the Console
Amazon Redshift
Cluster Management Guide

AWS Documentation » Amazon Redshift » Cluster Management Guide » Security in Amazon Redshift » Identity and Access Management in Amazon Redshift » Using IAM Authentication to Generate Database User Credentials » Options for Providing IAM Credentials
The AWS Documentation website is getting a new look!
Try it now and let us know what you think. Switch to the new look >>

You can return to the original look by selecting English in the language selector above.

Options for Providing IAM Credentials

To provide IAM credentials for a JDBC or ODBC connection, choose one of the following authentication types.

  • AWS Profile

    As an alternative to providing credentials values in the form of JDBC or ODBC settings, you can put the values in a named profile.

  • AWS IAM Credentials

    Provide values for AccessKeyID, SecretAccessKey, and, optionally, SessionToken in the form of JDBC or ODBC settings. SessionToken is required only for an IAM role with temporary credentials. For more information, see Temporary Security Credentials.

  • Identity Provider

    If you use an identity provider for authentication, specify the name of an identity provider plugin. The Amazon Redshift JDBC and ODBC drivers include plugins for the following SAML-based credential providers:

    • AD FS

    • PingFederate

    • Okta

    You can provide the plugin name and related values in the form of JDBC or ODBC settings or by using a profile. For more information, see see JDBC Driver Configuration Options and ODBC Driver Configuration Options.

For more information, see Configure a JDBC or ODBC Connection to Use IAM Credentials.

JDBC and ODBC Options for Providing IAM Credentials

The following table lists the JDBC and ODBC options for providing IAM credentials.

Option

 Description

Iam

 For use only in an ODBC connection string. Set to 1 to use IAM authentication..

AccessKeyID

SecretAccessKey

SessionToken

 The access key ID and secret access key for the IAM role or IAM user configured for IAM database authentication. SessionToken is required only for an IAM role with temporary credentials. SessionToken is not used for an IAM user. For more information, see Temporary Security Credentials.
Plugin_Name The fully qualified class name that implements a credentials provider. The Amazon Redshift JDBC driver includes SAML-based credential provider plug-ins. If plugin_name is provided, other related parameters are available. For more information, see Using a Credentials Provider Plugin.

Profile

The name of a profile in an AWS credentials or config file that contains values for the JDBC connection options. For more information, see Using a Configuration Profile.

Using a Credentials Provider Plugin

The following credential provider plugins are included with the Amazon Redshift JDBC driver.

  • Active directory federation service (AD FS)

  • Ping Federate (Ping)

    Ping is supported only with the predetermined PingFederate IdP Adapter using Forms authentication.

  • Okta

    Okta is supported only for the Okta-supplied AWS Console default application.

To use a SAML-based credential provider plugin, specify the following options using JBDC or ODBC options or in a named profile:

Option

 Description
plugin_name

For JDBC, the class name that implements a credentials provider. Specify one of the following:

  • For ADFS

    com.amazon.redshift.plugin.AdfsCredentialsProvider

  • For Okta

    com.amazon.redshift.plugin.OktaCredentialsProvider

  • For PingFederate

    com.amazon.redshift.plugin.PingCredentialsProvider

For ODBC, specify one of the following:

  • For AD FS: adfs

  • For Okta: okta

  • For PingFederate: ping
idp_host The name of the corporate identity provider host. This name should not include any slashes (‘/’). For an Okta identity provider, the value for idp_host should end with .okta.com.

idp_port

The port used by identity provider. The default is 443. Port is ignored for Okta.

preferred_role

A role Amazon Resource Name (ARN) from the AttributeValue elements for the Role attribute in the SAML assertion. Work with your IdP administrator to find the appropriate value for the preferred role. For more information, see Configure SAML Assertions for Your IdPConfigure SAML Assertions for Your IdP.

user

A corporate user name, including the domain when applicable. For example, for Active Directory, the domain name is required in the format domain\username.
password The corporate user's password. We recommend not using this option. Instead, use your SQL client to supply the password.
ssl_insecure Set to true (JDBC) or 1 (ODBC) to use insecure SSL with IdP (not recommended).

app_id

An ID for a Okta application. Used only with Okta. The value for app_id follows amazon_aws in the Okta Application Embed Link. Work with your IdP administrator to get this value. The following is an example of an application embed link: https://example.okta.com/home/amazon_aws/0oa2hylwrpM8UGehd1t7/272

The following example shows credentials provider plugin parameters in a named profile. 

[plug-in-creds]
plugin_name=com.amazon.redshift.plugin.AdfsCredentialsProvider
idp_host=demo.example.com
idp_port=443  
preferred_role=arn:aws:iam::123456789012:role/ADFS-Dev
user=example\user
password=Password1234

Using a Configuration Profile

You can supply the IAM credentials options and GetClusterCredentials options as settings in named profiles in your AWS configuration file. Provide the profile name by using the Profile JDBC option.

The configuration is stored in a file named config in a folder named .aws in your home directory. Home directory location varies but can be referred to using the environment variables %UserProfile% in Windows and $HOME or ~ (tilde) in Unix-like systems.

When using the Amazon Redshift JDBC driver or ODBC driver with a bundled SAML-based credential provider plugin, the following settings are supported. If plugin_name is not used, the listed options are ignored.

  • plugin_name

  • idp_host

  • idp_port

  • preferred_role

  • user

  • password

  • ssl_insecure

  • app_id (for Okta only)

The following example shows a configuration file with three profiles. The plug-in-creds example includes the optional DbUser, AutoCreate, and DbGroups options. 

[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[user2]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
session_token=AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQWLWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGd
QrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU
9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz
+scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==

[plug-in-creds]
plugin_name=com.amazon.redshift.plugin.AdfsCredentialsProvider
idp_host=demo.example.com
idp_port=443
preferred_role=arn:aws:iam::1234567:role/ADFS-Dev
user=example\user
password=Password1234

To use the credentials for the user2 example, specify Profile=user2 in the JDBC URL. To use the credentials for the plug-in creds example, specify Profile=plug-in-creds in the JDBC URL.

For more information, see Named Profiles in the AWS Command Line Interface User Guide.