Trusted identity propagation use cases

As an IAM Identity Center administrator, you might be asked to help configure trusted identity propagation between the following initiating applications that support this capability and connected AWS services. The following sections provide more information about the specific use cases supported by applications that can initiate trusted identity propagation.

Amazon EMR

You can use Amazon EMR as the initiating application for the following trusted identity propagation use cases.

Description	Other AWS services used	Learn more
Run interactive analyses with Apache Spark on Amazon EMR on Amazon EC2 clusters through Amazon EMR Studio. Apply access control based on workforce identities and associated attributes for AWS Glue Catalog through AWS Lake Formation.	Amazon EMR on Amazon EC2 authorized through AWS Lake Formation, Amazon S3 Access Grants, Amazon S3, AWS Service Catalog Note Requires access through Amazon EMR Studio. Table-level access control only. Apache Hive, PrestoSQL/Trino, and EMR Serverless are not supported.	Integrate Amazon EMR with IAM Identity Center in the Amazon EMR Management Guide. Amazon S3 Access Grants and corporate directory identities in the Amazon Simple Storage Service User Guide. Connecting AWS Lake Formation with IAM Identity Center in the AWS Lake Formation Developer Guide Use your corporate identities for analytics with Amazon EMR and IAM Identity Center in the AWS Big Data Blog
Run adhoc analyses with Trino on Athena through Amazon EMR Studio. Apply access control based on workforce identities and associated attributes for AWS Glue Catalog through AWS Lake Formation. Secure access to an Athena query result bucket location in Amazon S3 by using Amazon S3 Access Grants.	Athena authorized through AWS Lake Formation, Amazon S3 Access Grants Note Requires access through Amazon EMR Studio. Direct access from the Amazon Athena console is not supported.	Integrate Amazon EMR with IAM Identity Center in the Amazon EMR Management Guide. Using IAM Identity Center enabled Athena workgroups in the Amazon Athena User Guide. Amazon S3 Access Grants and corporate directory identities in the Amazon Simple Storage Service User Guide. Connecting AWS Lake Formation with IAM Identity Center in the AWS Lake Formation Developer Guide. Bring your workforce identity to Amazon EMR Studio and Athena in the AWS Big Data Blog.

Amazon QuickSight

You can use Amazon QuickSight as the initiating application for the following trusted identity propagation use cases.

Description	Other AWS services used	Learn more
Amazon QuickSight users can query Amazon Redshift data. Data access is granted in Amazon Redshift by an Amazon Redshift administrator.	Amazon Redshift	Connect Redshift with IAM Identity Center to give users a single sign-on experience in the Amazon Redshift Management Guide. Connect Amazon Redshift with IAM Identity Center through Amazon QuickSight in the Amazon Redshift Management Guide.
Amazon QuickSight users can query Amazon Redshift Spectrum for structured data in Amazon S3, with access that is authorized by an AWS Lake Formation administrator.	Amazon Redshift Spectrum, Amazon S3 structured data *Through Amazon Redshift Spectrum authorized through AWS Lake Formation	Connect Redshift with IAM Identity Center to give users a single sign-on experience in the Amazon Redshift Management Guide. Connect Amazon Redshift with IAM Identity Center through Amazon QuickSight in the Amazon Redshift Management Guide. Connecting AWS Lake Formation with IAM Identity Center in the AWS Lake Formation Developer Guide. Simplify access management with Amazon Redshift and AWS Lake Formation for users in an External Identity Provider in the AWS Big Data Blog.
Amazon QuickSight users can query Amazon Redshift datashares for structured data in Amazon S3, with access that is authorized by an AWS Lake Formation administrator.	Amazon Redshift datashares, Amazon S3 structured data *Through Amazon Redshift authorized through AWS Lake Formation	Connect Amazon Redshift with IAM Identity Center through Amazon QuickSight in the Amazon Redshift Management Guide. Connecting AWS Lake Formation with IAM Identity Center in the AWS Lake Formation Developer Guide. Simplify access management with Amazon Redshift and AWS Lake Formation for users in an External Identity Provider in the AWS Big Data Blog.

Amazon Redshift query editor v2

You can use Amazon Redshift query editor v2 as the initiating application for the following trusted identity propagation use cases.

Description	Other AWS services used	Learn more
Amazon Redshift query editor v2 users can query Amazon Redshift data. Data access is granted in Amazon Redshift by an Amazon Redshift administrator.	Amazon Redshift	Connect Redshift with IAM Identity Center to give users a single sign-on experience in the Amazon Redshift Management Guide. Connect to an Amazon Redshift database in the Amazon Redshift Management Guide. Integrate Okta with Amazon Redshift Query Editor V2 using AWS IAM Identity Center for seamless Single Sign-on in the AWS Big Data Blog.
Amazon Redshift query editor v2 users can query Amazon Redshift Spectrum external tables for structured data in Amazon S3, with access that is authorized by an AWS Lake Formation administrator.	Amazon Redshift Spectrum, Amazon S3 structured data *Through Amazon Redshift Spectrum authorized through AWS Lake Formation	Connect Redshift with IAM Identity Center to give users a single sign-on experience in the Amazon Redshift Management Guide. Connect to an Amazon Redshift database in the Amazon Redshift Management Guide. Connecting AWS Lake Formation with IAM Identity Center in the AWS Lake Formation Developer Guide.
Amazon Redshift query editor v2 users can query Amazon Redshift datashares with access that is authorized by an AWS Lake Formation administrator.	Amazon Redshift datashares, AWS Lake Formation	Connect to an Amazon Redshift database in the Amazon Redshift Management Guide. Connecting AWS Lake Formation with IAM Identity Center in the AWS Lake Formation Developer Guide.

Third-party business intelligence applications

You can use a third-party business intelligence application such as Tableau, as the initiating application for specific trusted identity propagation use cases. Modified third-party business intelligence applications can pass the Amazon Redshift driver the identity of a user through OAuth identity tokens or access tokens, to query Amazon Redshift for data, with access that is authorized by an Amazon Redshift administrator.

Tableau

You can use Tableau Desktop, Tableau Server, and Tableau Prep as the initiating applications for the following trusted identity propagation use cases.

Description	Other AWS services used	Learn more
Tableau users can query Amazon Redshift data. Data access is granted in Amazon Redshift by an Amazon Redshift administrator.	Amazon Redshift	Integrate Tableau and Okta with Amazon Redshift using IAM Identity Center in the AWS Big Data blog Enabling AWS IAM Identity Center in IAM Identity Center User Guide Connect IAM Identity Center with your preferred IdP and sync users and groups IAM Identity Center User Guide Connect Amazon Redshift with IAM Identity Center to give users a single sign-on experience in Amazon Redshift Management Guide Connect to an Amazon Redshift database in the Amazon Redshift Management Guide Using applications with a trusted token issuer in IAM Identity Center User Guide
Tableau users can query Amazon Redshift Spectrum external tables for structured data in Amazon S3, with access control based on workforce identities and associated attributes for AWS Glue Data Catalog through AWS Lake Formation.	Amazon Redshift Spectrum, Amazon S3 structured data *Through Amazon Redshift Spectrum authorized via AWS Lake Formation	Integrate Tableau and Okta with Amazon Redshift using IAM Identity Center in the AWS Big Data blog Enabling AWS IAM Identity Center in the IAM Identity Center User Guide Connect IAM Identity Center with your preferred IdP and sync users and groups in the IAM Identity Center User Guide Connect Redshift with IAM Identity Center to give users a single sign-on experience in the Amazon Redshift Management Guide Connect to an Amazon Redshift database in the Amazon Redshift Management Guide Connecting Lake Formation with IAM Identity Center in the AWS Lake Formation Developer Guide Using applications with a trusted token issuer in the IAM Identity Center User Guide
Tableau users can query Amazon Redshift datashares with access control based on workforce identities and associated attributes for AWS Glue Data Catalog through AWS Lake Formation.	Amazon Redshift datashares, AWS Lake Formation	Integrate Tableau and Okta with Amazon Redshift using IAM Identity Center in the AWS Big Data blog Enabling AWS IAM Identity Center in the IAM Identity Center User Guide Connect IAM Identity Center with your preferred IdP and sync users and groups in the IAM Identity Center User Guide Connect to an Amazon Redshift database in the Amazon Redshift Management Guide Connecting Lake Formation with IAM Identity Center in the AWS Lake Formation Developer Guide Simplify access management with Amazon Redshift and AWS Lake Formation for users in an External Identity Provider in the AWS Big Data Blog Using applications with a trusted token issuer in the IAM Identity Center User Guide

Custom-developed applications

You can use your own custom-developed applications as an initiating application for the following trusted identity propagation use cases.

Description	Other AWS services used	Learn more
Create an application that authenticates users through an OAuth authorization server, then use AWS IAM Identity Center and IAM to obtain an identity-enhanced IAM role credential. This credential is used to request access to unstructured data in Amazon S3, with access that is authorized by an Amazon S3 Access Grants administrator.	AWS IAM Identity Center, Amazon S3 unstructured data *Authorized through Amazon S3 Access Grants	Amazon S3 Access Grants and corporate directory identities in the Amazon Simple Storage Service User Guide. How to develop a user-facing data application with IAM Identity Center and Amazon S3 Access Grants (Part 1) and (Part 2) in the AWS Storage Blog.
Build a custom application that interacts with Amazon Q Business to respond to user questions based on your own content and the user's permissions.	IAM Identity Center, Amazon Q Business	How Amazon Q Business works: admin workflow in the Amazon Q Business User Guide. Build a custom UI for Amazon Q in the AWS Machine Learning Blog. Configure Amazon Q Business with AWS IAM Identity Center trusted identity propagation in the AWS Machine Learning Blog.