Securely Access, Visualize, and Analyze Amazon Redshift Data Using IAM Identity Center Integration

In today's data-driven world, securely accessing, visualizing, and analyzing data is essential for making informed business decisions.

In today’s data-driven world, securely accessing, visualizing, and analyzing data is essential for making informed business decisions. Tens of thousands of customers use Amazon Redshift for modern data analytics at scale, delivering up to three times better price-performance and seven times better throughput than other cloud data warehouses.

The Amazon Redshift Data API simplifies access to your Amazon Redshift data warehouse by removing the need to manage database drivers, connections, network configurations, data buffering, and more.

With the newly released feature of Amazon Redshift Data API support for single sign-on and trusted identity propagation, you can build data visualization applications that integrate single sign-on (SSO) and role-based access control (RBAC), simplifying user management while enforcing appropriate access to sensitive information.

For instance, a global sports gear company selling products across multiple regions needs to visualize its sales data, which includes country-level details. To maintain the right level of access, the company wants to restrict data visibility based on the user’s role and region. Regional sales managers should only see sales data for their specific region, such as North America or Europe. Conversely, the global sales executives require full access to the entire dataset, covering all countries.

In this post, we dive into the newly released feature of Amazon Redshift Data API support for SSO, Amazon Redshift RBAC for row-level security (RLS) and column-level security (CLS), and trusted identity propagation with AWS Identity and Access Management Identity Center to let corporate identities connect to AWS services more easily and securely. We demonstrate how to integrate these services to create a data visualization application using Streamlit, providing secure, role-based access that simplifies user management while making sure that your organization can make data-driven decisions with enhanced security and ease.

We use multiple AWS services and open source tools to build a simple data visualization application with SSO to access data in Amazon Redshift with RBAC. The key components that power the solution are as follows:

The following diagram illustrates the solution architecture for SSO with the Redshift Data API using Identity and Access Management Identity Center.

The user workflow for the data visualization application consists of the following steps:

The setup consists of two main steps:

You should have the following prerequisites:

In this section, we walk through the steps to provision the resources for Identity and Access Management Identity Center, Amazon Redshift, and Okta.

Complete the following steps to enable Identity and Access Management Identity Center and configure Okta as the IdP to manage user authentication and group provisioning:

The following screenshot shows the users synced in Identity and Access Management Identity Center using SCIM protocol.

Complete the following steps to create an Okta application to authenticate users accessing the Streamlit application:

Complete the following steps to create an Amazon Redshift Identity and Access Management Identity Center connection application to enable trusted identity propagation for secure authentication:

We will enable trusted identity propagation and third-party IdP (Okta) on the customer managed application for the Redshift Data API in a later step instead of configuring it in the Amazon Redshift connection application.

The following screenshot shows the Identity and Access Management Identity Center connection application created on the Amazon Redshift console.

The following screenshot shows groups assigned to the Amazon Redshift Identity and Access Management Identity Center connection for the managed application.

Provision a Redshift Serverless workgroup. For more details, refer to Creating a workgroup with a namespace.

Wait until the workgroup is available before continuing to the next steps.

Next, you use the Amazon Redshift Query Editor V2 on the Amazon Redshift console to connect to the workgroup you just created. You create the tables and configure the Amazon Redshift roles corresponding to Okta groups for the groups in Identity and Access Management Identity Center and use the RBAC policy to grant users privileges to view data only for their regions. Complete the following steps:

Identity and Access Management will map the groups into the Redshift roles in the format of Namespace:IDCGroupName. For example, create the role name as AWSIDC:emea-sales and so on to match them with Okta group names synced in Identity and Access Management Identity Center. The users will be created automatically within the groups as they log in using SSO into Amazon Redshift.

In this section, we walk through the steps to download, configure, and run the Streamlit application.

In order to start a trusted identity propagation workflow and allow Amazon Redshift to make authorization decisions based on the users and groups from Identity and Access Management (provisioned from the external IdP), you need an identity-enhanced IAM role session.

This requires a couple of IAM roles and a customer managed application in Identity and Access Management to handle the trust relationship between the external IdP and Identity and Access Management and control access for the Redshift Data API client, in this case, the Streamlit application.

First, you create two IAM roles, then you create a customer managed application for the Streamlit application. Complete the following