Federate to Amazon Redshift Question Editor v2 with Microsoft Entra ID

Amazon Redshift is a quick, petabyte-scale, cloud knowledge warehouse that tens of hundreds of shoppers depend on to energy their analytics workloads. With its massively parallel processing (MPP) structure and columnar knowledge storage, Amazon Redshift delivers excessive price-performance for advanced analytical queries towards massive datasets.

To work together with and analyze knowledge saved in Amazon Redshift, AWS gives the Amazon Redshift Question Editor V2, a web-based device that permits you to discover, analyze, and share knowledge utilizing SQL. The Question Editor V2 affords a user-friendly interface for connecting to your Redshift clusters, executing queries, and visualizing outcomes.

As organizations more and more undertake cloud-based options and centralized identification administration, the necessity for seamless and safe entry to knowledge warehouses like Amazon Redshift turns into essential. Many purchasers have already carried out identification suppliers (IdPs) like Microsoft Entra ID (previously Azure Energetic Listing) for single sign-on (SSO) entry throughout their functions and companies. For extra details about utilizing Microsoft Entra ID for federation to Amazon Redshift with SQL purchasers, see Federate Amazon Redshift entry with Microsoft Azure AD single sign-on. This publish focuses on establishing federation for accessing the Redshift Question Editor.

By means of this federated setup, customers can hook up with the Redshift Question Editor utilizing their current Microsoft Entra ID credentials, permitting you to regulate permissions for database objects based mostly on enterprise teams outlined in your Energetic Listing. This strategy gives a seamless person expertise whereas centralizing the governance of authentication and permissions for end-users, eliminating the necessity to handle separate credentials for knowledge warehousing. Moreover, you’ll be able to limit entry to particular datasets based mostly on the person’s enterprise group, so customers solely have entry to the information they’re licensed to view and handle.

Within the following sections, we discover the method of federating into AWS utilizing Microsoft Entra ID and AWS Identification and Entry Administration (IAM), and learn how to limit entry to datasets based mostly on permissions linked to AD teams. Though the mixing with AWS IAM Identification Heart is the beneficial strategy, this publish focuses on setups the place IAM Identification Heart may not be relevant as a consequence of compliance constraints, comparable to organizations requiring FedRAMP Reasonable compliance, which IAM Identification Heart doesn’t but meet. We cowl the stipulations, information you thru the setup course of, and show learn how to seamlessly hook up with the Redshift Question Editor whereas ensuring knowledge entry permissions are precisely enforced based mostly in your Microsoft Entra ID teams.

Answer overview

The next diagram illustrates the authentication move of Microsoft Entra ID with a Redshift cluster utilizing federated IAM roles.

The configuration of federation between Microsoft Entra ID and IAM to allow seamless entry to Amazon Redshift by a SQL consumer such because the Redshift Question Editor V2 includes the next principal parts:

1. Customers begin by authenticating with their Microsoft Entra ID credentials by accessing the enterprise software’s person entry URL.
2. Upon profitable authentication, the {custom} claims supplier triggers the {custom} authentication extension’s token issuance begin occasion listener.
3. The {custom} authentication extension calls an Azure operate (your REST API endpoint) with details about the occasion, person profile, session knowledge, and different context.
4. The Azure operate makes a name to the Microsoft Graph API to retrieve the authenticated person’s group membership data.
5. The Microsoft Graph API responds with the person’s group membership particulars.
6. The Azure operate takes the group data and transforms it right into a colon-separated listing, comparable to group1:group2:group3, and passes this colon-separated group data again to the {custom} authentication extension as a response payload.
7. The {custom} authentication extension processes the response and augments the token with the person’s group data as SAML claims (principal tags). The token, now enriched with the group membership, is returned to the enterprise software.
8. The enterprise software in Azure AD generates a SAML assertion with principal tags. It sends an HTTP POST to the person’s browser containing an HTML kind. This manner contains the SAML assertion and specifies the AWS sign-in SAML endpoint (https://signin.aws.amazon.com/saml) because the vacation spot the place the SAML assertion must be submitted.
9. The browser routinely submits this SAML assertion, sending an HTTP POST to the AWS SAML endpoint. This endpoint validates and processes the SAML assertion. If a number of IAM roles can be found, the person selects one. The AWS SAML endpoint then makes use of AWS Safety Token Service (AWS STS) to generate momentary credentials for that particular function, creates a console sign-in URL, and redirects the person to the AWS Administration Console. From there, the person can entry the Redshift Question Editor V2. To study extra about this course of, discuss with Enabling SAML 2.0 federated customers to entry the AWS Administration Console.
10. Inside Redshift Question Editor V2, the person selects the choice to authenticate utilizing their IAM identification. This triggers the Redshift Question Editor V2 to name the GetClusterCredentialsWithIAM API, which checks the principal tags to find out the person’s database roles. If that is the person’s first login, the API routinely creates a database person and assigns the mandatory database roles.
11. The GetClusterCredentialsWithIAM API points a brief person title and password to the person. Utilizing these credentials, the person logs in to the Redshift database. This login authorizes the person based mostly on the Redshift database roles assigned earlier and permits them to run queries on the datasets.

Conditions

On the Microsoft Entra ID facet, you want the next stipulations to arrange this answer:

• A Microsoft Entra ID tenant – Required to arrange and configure the Microsoft Entra ID service for managing and securing entry to AWS sources by federation.
• An Azure Subscription – Wanted to entry and use Azure companies like Azure Capabilities.

Customers must be members of particular Azure AD teams based mostly on their entry wants:

• Consumer A – Member of the "redshift_sales" group for entry to gross sales datasets in Amazon Redshift, and the "AWS-<acctno>_dev-bdt-team" group for entry to AWS companies within the growth surroundings. <acctno> is the AWS account the place you’ve gotten your Redshift cluster.
• Consumer B – Member of the "redshift_product" group for entry to product datasets in Amazon Redshift, and the "AWS-<acctno>_dev-bdt-team" group for entry to AWS companies.
• Consumer C – Member of each "redshift_sales" and "redshift_product" teams for entry to each datasets, and the "AWS-<acctno>_dev-bdt-team" group for entry to AWS companies.

The "AWS-<acctno>_dev-bdt-team" group in Azure AD is configured to permit customers to imagine an IAM function in AWS, offering the mandatory permissions to entry the AWS account. For a multi-account setup, create a number of teams for various environments or accounts and add customers based mostly on their entry wants. For instance, "AWS-<acctno>_prd-bdt-team" might be used for entry to the manufacturing surroundings, the place <acctno> displays the account quantity for the manufacturing account.

On the Amazon Redshift facet, you want the next sources:

• Redshift cluster – A Redshift cluster must be accessible within the AWS account specified by <acctno> within the AWS-<acctno>_dev-bdt-team group. If not, observe the directions to create a pattern Redshift cluster.
• Redshift database roles – Create database roles in Amazon Redshift that correspond to Microsoft Entra ID teams:
  • redshift_sales – For customers with entry to gross sales datasets.
  • redshift_product – For customers with entry to product datasets.
• Redshift schemas – You want a Redshift schema named gross sales with the desk sales_table, which may be accessed by customers of the group redshift_sales. You additionally want a Redshift schema named product with the desk product_table, which may be accessed by customers of the group redshift_product within the dev database. You should utilize the next SQL statements in your Redshift cluster to create the teams and tables, inserting knowledge into the created tables and granting entry to the suitable teams:

-- Create Redshift Roles
CREATE ROLE redshift_sales;
CREATE ROLE redshift_product;
-- Create gross sales schema and sales_table
CREATE SCHEMA gross sales;
CREATE TABLE gross sales.sales_table (
    id INT PRIMARY KEY,
    merchandise VARCHAR(255),
    amount INT,
    worth DECIMAL(10,2)
);

-- Create product schema and product_table
CREATE SCHEMA product;
CREATE TABLE product.product_table (
    id INT PRIMARY KEY,
    title VARCHAR(255),
    class VARCHAR(255),
    worth DECIMAL(10,2)
);
-- Insert knowledge into sales_table
INSERT INTO gross sales.sales_table (id, merchandise, amount, worth) VALUES
(1, 'Laptop computer', 10, 999.99),
(2, 'Smartphone', 20, 499.99),
(3, 'Headphones', 15, 199.99),
(4, 'Keyboard', 12, 89.99),
(5, 'Mouse', 30, 29.99);
-- Insert knowledge into product_table
INSERT INTO product.product_table (id, title, class, worth) VALUES
(1, 'Laptop computer', 'Electronics', 999.99),
(2, 'Smartphone', 'Electronics', 499.99),
(3, 'Blender', 'House Home equipment', 199.99),
(4, 'Mixer', 'House Home equipment', 89.99),
(5, 'Desk Lamp', 'Furnishings', 29.99);
-- Grant utilization on schema and choose on all tables within the schema to redshift_sales
GRANT USAGE ON SCHEMA gross sales TO ROLE redshift_sales;
GRANT SELECT ON ALL TABLES IN SCHEMA gross sales TO ROLE redshift_sales;
-- Grant utilization on schema and choose on all tables within the schema to redshift_product
GRANT USAGE ON SCHEMA product TO ROLE redshift_product;
GRANT SELECT ON ALL TABLES IN SCHEMA product TO ROLE redshift_product;

Setup Azure Capabilities and {custom} authentication extensions

Full the steps on this part to arrange Azure Perform and {custom} authentication extensions.

Create a brand new operate app

Full the next steps to create a brand new operate app:

• Open your net browser and navigate to the Azure Portal (portal.azure.com).
• Log in together with your Azure account credentials.
• Select Create a useful resource.
• Select Create below Perform App.

• Choose the Consumption internet hosting plan after which select Choose.

• On the Fundamentals tab, for Subscription, present the subscription you wish to use. For this instance, we use our default subscription, Azure subscription 1.
• Select or create a brand new useful resource group to prepare your Azure sources. We title our useful resource group rg-redshift-federated-sso.

• Beneath Occasion Particulars, enter a globally distinctive title. For this publish, we use the title fn-entra-id-transformer.
• For Runtime stack, select as Python.
• For Model, select 3.11.
• For Area, select East Us.
• For Working System, choose Linux.
• Select Evaluate + create to evaluation the app configuration.

• Select Create to create the Azure Capabilities app.

• Select Go to useful resource within the notification message or deployment output window to navigate on to your newly created app.

Create a operate

Subsequent, we create a HTTP set off operate within the newly created operate app, referred to as fn-entra-id-transformer.

1. Within the operate app, select Overview, then select Create operate within the Capabilities part.
   
2. Within the Create operate pane, present the next data:
   1. For Choose a template, select v2 Programming Mannequin.
   2. For Programming Mannequin, select the HTTP set off template.
   3. select Subsequent.
      
3. Within the Template particulars part, present the next data:
   1. For Job sort, select Create new app.
   2. For Present a operate title, enter CustomAuthenticationFunction.
   3. Depart the Authorization stage unchanged, which is about to Perform by default.
   4. Select Create.
      
4. After the operate is created, select Get operate URL and duplicate the worth for default (Perform key).
   
5. Retailer the copied URL securely; you’ll want to make use of this URL later when establishing a {custom} authentication extension later within the part.

We’ll come again to this operate later to replace the code to retrieve group data.

Create a {custom} authentication extension

Subsequent, we create a {custom} authentication extension. Full the next steps:

1. Navigate to Microsoft Entra ID, Enterprise functions, Customized authentication extensions.
2. Select Create a {custom} extension.
   
3. Within the Fundamentals part, present the next data:
   1. Depart Occasion sort as TokenIssuanceStart (which is the default choice).
   2. Choose it and select Subsequent.
4. Within the Endpoint Configuration part, present the next data:
   1. For Identify, enter Retrieve_user_group_information.
   2. For Goal URL, enter the operate URL you saved earlier.
   3. Depart Timeout in milliseconds and Most Retries because the default values.
   4. Select Subsequent.
      
5. Within the Api Authentication part, present the next data:
   1. Choose Create new app registration for App registration sort.
   2. For Identify, enter Retrieve_user_group_information.
   3. Select Subsequent.
      
6. Within the Claims part, present the next data:
   1. For Declare title, enter dbGroupsqueryeditor and dbGroupssqltools.
   2. Select Subsequent.
      
      
7. Within the Evaluate part, evaluation the configuration particulars, and if the whole lot appears appropriate, select Create.After the creation is accomplished, you can be redirected to the overview web page of the newly created {custom} authentication extension.On the overview web page, within the API Authentication part, you will notice a message indicating that admin consent is required.
8. Select Grant admin consent to grant the required permissions.

After the admin consent is granted efficiently, the API Authentication part will present the standing as Configured.

Now you’ll be able to proceed to create the enterprise software.

Arrange the Azure enterprise software

Full the steps on this part to configure the Azure enterprise software.

Create a brand new Azure enterprise software

Full the next steps to create an Azure Enterprise software:

1. Navigate to Microsoft Entra ID, Enterprise functions, New software.
   
   
2. Beneath Cloud platforms, select Amazon Net Providers (AWS).
   
3. For Identify, enter AWS Single-Account Entry.
4. Select Create.
   

When the create course of is full, you can be redirected to the newly created enterprise software.

Configure SSO

Full the next steps to configure SSO to your software:

1. On the enterprise software web page, select Get began below Arrange single signal on.
   
2. Select SAML.
   
   
3. Within the Fundamental SAML Configuration part, select Edit.
   1. For Identifier (Entity ID) and Reply URL, enter https://signin.aws.amazon.com/saml.
   2. Select Save.
      
4. Within the Attributes & Claims part, select Edit.
   1. Within the Superior settings part, select Configure subsequent to the {custom} claims supplier setting.
   2. For Customized claims supplier, select Retrieve_user_group_information.
   3. Select Save.
      
      

Configure a bunch declare

We use the group declare to remodel the Azure AD group assignments into corresponding IAM roles. By making use of an everyday expression sample, the group names are mapped to applicable Amazon Useful resource Names (ARNs) for IAM roles and SAML suppliers. Full the next steps to configure the group declare:

1. On the Attributes & Claims web page, delete declare title https://aws.amazon.com/SAML/Attributes/Position.
2. Select Add a bunch declare.
   
3. Choose Teams assigned to the applying for the related teams.
4. For Supply attribute, select Cloud-only group show names.
5. Beneath Superior choices, choose Filter teams and supply the next data:
   1. For Attribute to match, select Show title.
   2. For Match with, select Prefix.
   3. For String, enter AWS-.
6. Choose Customise the title of group declare and supply the next data:
   1. For Identify, select Position.
   2. For Namespace, enter https://aws.amazon.com/SAML/Attributes.
   3. Choose Apply regex exchange to teams declare content material.
   4. For Regex sample, enter AWS-(?'accountid'[d]{12})_(?'env'[a-z]+)-(?'app'[a-z]+)-(?'function'[a-z]+).
   5. For Regex alternative sample, enter arn:aws:iam::{accountid}:saml-provider/AzureADDemo,arn:aws:iam::{accountid}:function/{env}-{app}-{function}
7. Select Save.

Add new claims

Full the next steps so as to add new claims:

1. On the Attributes & Claims web page, select Add new declare.
   
2. Add claims with the next values:
   1. Select Add a brand new declare, title the brand new declare https://aws.amazon.com/SAML/Attributes/PrincipalTag:RedshiftDbRoles, choose Attribute for Supply, enter customclaimsprovider.dbGroupsqueryeditor for Supply attribute, and select Save.
      
      
   2. Select Add a brand new declare, title the brand new declare https://aws.amazon.com/SAML/Attributes/PrincipalTag:RedshiftDbUser, choose Attribute for Supply, enter person.userprincipalname for Supply attribute, and select Save.
   3. Select Add a brand new declare, title the brand new declare https://redshift.amazon.com/SAML/Attributes/AutoCreate, choose Attribute for Supply, enter true for Supply attribute, and select Save.
      

The values of PrincipalTag:RedshiftDbUser and PrincipalTag:RedshiftDbGroups should be lowercase; start with a letter; include solely alphanumeric characters, underscore (_), plus signal (+), dot (.), at (@), or hyphen (-); and be lower than 128 characters.

Whenever you full including all of the claims, your Attributes & Claims web page ought to seem like the next screenshot.

Save the federation metadata XML file

You employ the federation metadata file to configure the IAM IdP in a later step. Full the next steps to obtain the file:

1. Navigate again to your SAML-based sign-in web page.
2. Within the Single sign-on part, below SAML Certificates, select Obtain for Federation Metadata XML.
   
3. Save this file domestically.

The title of the file is usually the identical as the applying title; for instance, AWS Single-Account Entry.xml.

Create a brand new consumer secret

Full the next steps to create a brand new consumer secret:

1. Return to the Azure listing overview and navigate to App registrations.
2. Select the applying AWS Single-Account Entry.
3. For those who don’t see your software within the listing, select the All functions tab and register it if it’s not registered.
4. Report the values for Software (consumer) ID and Listing (tenant) ID.
5. Beneath Certificates & secrets and techniques, select New consumer secret.
6. Within the Add a consumer secret pane, present the next data:
   1. For Description, enter AWSRedshiftFederationsecret.
   2. For Expires, select choose the Microsoft’s beneficial worth of 180 days.
   3. Select Add.
7. Copy the key worth and retailer it securely.

The key expires after 180 days. Be sure there’s a course of in place to replace with a brand new secret earlier than the present secret expires in your surroundings.

Add permissions

Full the next steps so as to add permissions:

1. Navigate to API permissions for software AWS Single-Account Entry.
2. Select Add a permission and supply the next data:
   1. For Choose an API, select Microsoft Graph.
      
   2. Choose Delegated permissions for the kind of permission your software requires.
   3. In Choose permissions, select Consumer after which Consumer.Learn.
      
      
   4. Select Software permissions for the kind of permission your software requires.
   5. In Choose permissions, select Listing after which Listing.Learn.All.
      
      
3. Select Add permissions.
   This permits the Redshift enterprise software to grant admin consent to learn the person profile and group knowledge related to the person and carry out the login utilizing SSO.
4. Beneath Configured permissions, select Grant admin consent for added permissions.
5. Within the affirmation pane, select Sure to grant consent for the requested permissions for all accounts to the enterprise software.
   
6. Navigate to your enterprise functions and choose AWS Single-Account Entry and select Customers and teams.
7. Select Add person/group.
8. Beneath Customers and teams choose the teams redshift_product, redshift_sales, and AWS-<acctno>_dev-bdt-team, that are created as a part of the stipulations, and select Choose.
   
9. On the Add Assignment web page, select Assign.

Replace Azure Perform code

Full the next steps to replace the Azure Perform code:

1. Return to House and navigate to fn-entra-id-transformer below Perform App.
2. Select CustomAuthenticationFunction below Capabilities.
   
3. On the Code + Check web page, exchange the pattern code with the next code, which retrieves the person’s group membership, and select Save.

On this code, exchange the values of clientId, clientSecret, and tenantId with the values recorded beforehand. Additionally, in enterprise environments, use secret administration service to retailer these secrets and techniques and use necessities file to put in required packages comparable to requests.

import azure.capabilities as func
import logging
import json
import sys
import subprocess

def set up(package deal):
    allowed_pattern = r'^[a-zA-Z0-9-_.]+$'
    if not re.match(allowed_pattern, package deal):
        elevate ValueError("Invalid package deal title")

    subprocess.check_call([sys.executable, "-m", "pip", "install", package], shell=False)

# Make sure the requests package deal is put in
strive:
    import requests
besides ImportError:
    set up("requests")
    import requests

app = func.FunctionApp(http_auth_level=func.AuthLevel.FUNCTION)

@app.route(route="custom-extension")
def custom_extension(req: func.HttpRequest) -> func.HttpResponse:
    logging.information("Azure AD Customized Extension operate triggered")

    strive:
        request_body = req.get_body().decode('utf-8')
        knowledge = json.masses(request_body)
        user_id = knowledge['data']['authenticationContext']['user']['id']

        # Fetch entry token for Microsoft Graph API
        access_token = get_access_token()
        if not access_token:
            error_response = {"error": "Didn't get hold of entry token for Graph API"}
            return func.HttpResponse(physique=json.dumps(error_response), status_code=200, headers={"Content material-Kind": "software/json"})

        # Fetch person teams
        user_groups = fetch_user_groups(user_id, access_token)
        if user_groups is None:
            error_response = {"error": "Didn't fetch person teams"}
            return func.HttpResponse(physique=json.dumps(error_response), status_code=200, headers={"Content material-Kind": "software/json"})

        # Format teams as : seperated values as wanted by redshift question editor
        groups_colon_separated = ":".be a part of(user_groups)

        # Assemble response as per the required JSON construction
        response_content = {
            "knowledge": {
                "@odata.sort": "microsoft.graph.onTokenIssuanceStartResponseData",
                "actions": [
                    {
                        "@odata.type": "microsoft.graph.tokenIssuanceStart.provideClaimsForToken",
                        "claims": {
                            "dbGroupsqueryeditor": groups_colon_separated,
                            "dbGroupssqltools": user_groups
                        }
                    }
                ]
            }
        }

        return func.HttpResponse(physique=json.dumps(response_content), status_code=200, headers={"Content material-Kind": "software/json"})

    besides Exception as e:
        logging.error(f"Error in operate execution: {str(e)}")
        error_response = {"error": str(e)}
        return func.HttpResponse(physique=json.dumps(error_response), status_code=200, headers={"Content material-Kind": "software/json"})

def get_access_token():
    # Hardcoded credentials for demonstration; exchange with safe storage earlier than manufacturing
    client_id = 'client_id'
    client_secret="client_secret" 
    tenant_id = 'tenant_id'
    token_url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"

    physique = {
        "client_id": client_id,
        "scope": "https://graph.microsoft.com/.default",
        "client_secret": client_secret,
        "grant_type": "client_credentials"
    }

    strive:
        response = requests.publish(token_url, knowledge=physique, timeout=10)
        response.raise_for_status()
        return response.json()['access_token']
    besides requests.RequestException as e:
        logging.error(f"Didn't retrieve entry token: {str(e)}")
        return None

def fetch_user_groups(user_id, access_token):
    graph_url = f"https://graph.microsoft.com/v1.0/customers/{user_id}/memberOf?$choose=displayName"

    headers = {
        "Authorization": f"Bearer {access_token}"
    }

    strive:
        response = requests.get(graph_url, headers=headers, timeout=10)
        response.raise_for_status()
        return [group['displayName'] for group in response.json().get('worth', []) if group["@odata.type"] == "#microsoft.graph.group"]
    besides requests.RequestException as e:
        logging.error(f"Didn't fetch person teams: {str(e)}")
        return None

Now you’ll be able to create an IAM IdP and function.

In IAM, an IdP represents a trusted exterior authentication service like Microsoft Entra ID that helps SAML 2.0, permitting AWS to acknowledge person identities authenticated by that service. It’s essential to call this IdP AzureADDemo to match the beforehand configured SAML claims for function creation.

Create your IAM SAML IdP

Full the next steps to create your IAM SAML IdP:

1. On the IAM console, select Identification suppliers within the navigation pane.
2. Select Add supplier.
   
3. For Supplier sort, choose SAML.
4. For Supplier title, enter a descriptive title, comparable to AzureADDemo.
5. Add the SAML metadata doc, which you downloaded as Federation Metadata.xml and saved as AWS Single-Account Entry.xml.
6. Select Add supplier.
   

Create an IAM function

Subsequent, you create an IAM function for SAML-based federation, which shall be used to grant entry to the Redshift Question Editor and Redshift cluster. Full the next steps:

1. On the IAM console, select Roles within the navigation pane.
2. Select Create function.
3. For Trusted identification sort, choose SAML 2.0 federation.
4. For SAML 2.0-based supplier, select AzureADDemo.
5. For Entry to be allowed, choose Permit programmatic and AWS Administration Console entry.
6. Select Subsequent.
   
7. Add the permissions AmazonRedshiftQueryEditorV2ReadSharing and ReadOnlyAccess, and select Subsequent.
8. For Position title, enter a descriptive title, comparable to dev-bdt-team.
9. Select Create function.
   

Replace belief coverage

1. On the IAM console, select Roles within the navigation pane, and seek for and select the function dev-bdt-team.
   
2. Within the Trusted entities part, select Edit belief coverage.
   
3. Add the motion sts:TagSession by eradicating the Motion line and including the next code:"Motion": [
"sts:AssumeRoleWithSAML",
"sts:TagSession"
],
4. Select Replace coverage.
   

Create an IAM coverage

Within the following steps, you create an IAM coverage to permit the dev-bdt-team function to acquire momentary credentials for connecting to Amazon Redshift utilizing IAM:

1. On the IAM console, select Insurance policies within the navigation pane.
2. Select Create coverage.
3. On the JSON tab, enter the next coverage doc, changing placeholders with applicable values:

   {
       "Model": "2012-10-17",
       "Assertion": [
                       {
                           "Sid": "VisualEditor0",
                           "Effect": "Allow",
                           "Action": "redshift:GetClusterCredentialsWithIAM",
                           "Resource": "arn:aws:redshift:<YOUR-REGION>:<AWS-ACCOUNT-NUMBER>:dbname::<YOUR-REDSHIFT-CLUSTER-NAME>/*"
                       }
                   ]
   }
   

4. Evaluate the coverage particulars and supply a descriptive title to your coverage, comparable to redshiftAccessPolicy.
5. Evaluate the coverage abstract and resolve any warnings or errors.
6. Select Create coverage to finalize the coverage creation course of.
7. On the Roles web page, seek for and open dev-bdt-team function.
8. On the Add permissions menu, select Connect insurance policies.
9. Connect redshiftAccessPolicy to the function.

Your permissions below the function dev-bdt-team ought to seem like the next screenshot.

Check the SSO setup

Now you can check the SSO setup. Full the next steps:

1. On the Azure Portal, to your AWS Single-Account Entry software, select Single sign-on.
2. Select Check this software.
3. Select Check in as present person.

If the setup is appropriate, you’re redirected to the AWS Administration Console (which is perhaps in a brand new tab for some browsers).

Check with Redshift Question Editor

Full the next steps:

After the connection is established, you need to have the ability to see your dev database and schemas below it, as proven within the following screenshot.

As a result of person A is barely a part of group redshift_sales, they’ll have the ability to see solely the gross sales schema.

• Run a SQL assertion to get knowledge from sales_table.

As a result of person A has entry to the desk, you’ll be able to see output like the next screenshot.

• Log in as person C to check entry for person C.

Consumer C is ready to see each the product and gross sales schemas as a result of they’re a part of each the redshift_product and redshift_sales teams.

• Run a SQL assertion to get knowledge from each sales_table and product_table.

Consumer C has entry to each tables, as you’ll be able to see within the following screenshot.

Clear up

To keep away from incurring future prices, delete the sources you created, together with the Redshift cluster, IAM function, IAM coverage, Microsoft Entra ID software, and Azure Capabilities app.

Conclusion

On this publish, we demonstrated learn how to use Microsoft Entra ID to federate into your AWS account and use the Redshift Question Editor V2 to hook up with a Redshift cluster and entry the schemas based mostly on the AD teams related to the person.

In regards to the writer

Koushik Konjeti is a Senior Options Architect at Amazon Net Providers. He has a ardour for aligning architectural steerage with buyer targets, making certain options are tailor-made to their distinctive necessities. Exterior of labor, he enjoys taking part in cricket and tennis.