Configuring IAM Authentication
If you are connecting to a Redshift server using IAM authentication, set the following properties as part of your data source connection string.
For more information on IAM Authentication, see http://docs.aws.amazon.com/redshift/latest/mgmt/redshift-iam-authentication-access-control.html.
To use IAM Authentication, use one of the following connection string formats:
| Connection String | Description |
|---|---|
jdbc:redshift:iam://[host]:[port]/[db]
|
A regular connection string. The connector infers the ClusterID and Region from the host. |
jdbc:redshift:iam://[cluster-id]:[region]/[db]
|
The connector retrieves host information, given the ClusterID and Region. |
jdbc:redshift:iam://[host]/[db]
|
The connector defaults to port 5439, and infers ClusterID and Region from the host. |
Profiles
If you are using IAM authentication, you have the option to specify any additional required or optional connection properties under a profile name. This enables you to avoid putting certain information directly in the connection string. You specify the profile name in your connection string using the Profile property.
Profiles can be added to the AWS Credentials file. The default location for this file is:
~/.aws/credentials
You can change the default value by setting the path in the following environment variable: AWS_CREDENTIAL_PROFILES_FILE
For more information about profiles see: http://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html
Instance Profile Credentials
If you are running an application on an EC2 instance that is associated with an IAM role, you can connect using the instance profile credentials.
To do this, use one of the IAM connection string formats in the preceding table, and set the dbuser connection property to the Redshift user name that you are connecting as.
For more information about instance profiles see: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html.
Credential Providers
The connector also supports credential provider plugins from the following services:
- AD FS
- Azure AD
- Okta
- PingFederate
If you use one of these services, the connection URL needs to specify the following properties:
- Plugin_Name: The fully-qualified class path for your credentials provider plugin class.
- IdP_Host: The host for the service you are using to authenticate into Redshift.
- IdP_Port: The port that the host for the authentication service listens at. Not required for Okta.
- User: The user name for the idp_host server.
- Password: The password associated with the idp_host user name.
- DbUser: The Redshift user name you are connecting as.
- SSL_Insecure: Indicates whether the IDP server certificate should be verified.
- Client_ID: The client ID associated with the user name in the Azure AD portal. Only used for Azure AD.
- Client_Secret: The client secret associated with the client ID in the Azure AD portal. Only used for Azure AD.
- IdP_Tenant: The Azure AD tenant ID for your Redshift application. Only used for Azure AD.
- App_ID: The Okta app ID for your Redshift application. Only used for Okta.
- App_Name: The optional Okta app name for your Redshift application. Only used for Okta.
- Partner_SPID: The optional partner SPID (service provider ID) value. Only used for PingFederate.
If you are using a browser plugin for one of these services, the connection URL can also include:
- Login_URL: The URL for the resource on the identity provider's website when using the SAML or Azure AD services through a browser plugin. Required if you are using a browser plugin.
- Listen_Port: The port that the connector uses to get the SAML response from the identity provider when using the SAML or Azure AD services through a browser plugin.
- IdP_Response_Timeout: The amount of time, in seconds, that the connector waits for the SAML response from the identity provider when using the SAML or Azure AD services through a browser plugin.
For information on additional connection string properties, see Connector Configuration Options.