Hatena::ブログ(Diary)

ablog このページをアンテナに追加 RSSフィード Twitter

2017-09-04

Amazon Redshift announces Federated Authentication with Single Sign-On

Posted On: Aug 11, 2017

You can now use the new Amazon Redshift database authentication to simplify the credential management of database users. You can configure Amazon Redshift to automatically generate temporary database credentials based on permissions granted through an AWS IAM policy. You can leverage your corporate directory and third-party SAML-2.0 identity provider, such as ADFS, PingFederate and Okta, to enable your users to easily access their Amazon Redshift clusters using their corporate user names, without managing database users and passwords. Furthermore, database users are automatically created at their first login based on their corporate privileges. The new Amazon Redshift ODBC and JDBC drivers support Windows Integrated Authentication for a simplified client experience. This feature is supported starting with Amazon Redshift ODBC driver version 1.3.6.1000 and JDBC driver version 1.2.7.1003. For more information, see Using IAM Authentication to Generate Database User Credentials in the Amazon Redshift Database Developer Guide.

Amazon Redshift Federated Authentication with Single Sign-On is available in US East (N. Virginia), US East (Ohio), US West (N. California), US West (Oregon), EU (Frankfurt), EU (Ireland), EU (London), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney), Asia Pacific (Seoul), Asia Pacific (Mumbai), Canada (Central), and South America (São Paulo) Regions.

Amazon Redshift announces Federated Authentication with Single Sign-On


JDBC/ODBC接続設定

JDBC接続文字列の例

Add JDBC options that the JDBC driver uses to call the GetClusterCredentials API action. Don't include these options if you call the GetClusterCredentials API action programmatically. For more details, see Configure a JDBC or ODBC Connection to Use IAM Credentials.

The following example includes the JDBC GetClusterCredentials options.

jdbc:redshift:iam://examplecluster:us-west-2/dev?Profile=user2&DbUser=newuser&AutoCreate=true&DbGroups=group1,group2
ステップ 5: IAM 認証情報を使用するように JDBC または ODBC 接続を設定する - Amazon Redshift

"Profile=user2" は名前付きプロファイルを指定している。

Using a Configuration Profile

You can supply the IAM credentials options and GetClusterCredentials options as settings in named profiles in your AWS configuration file. Provide the profile name by using the Profile JDBC option.

The configuration is stored in a file named config in a folder named .aws in your home directory. Home directory location varies but can be referred to using the environment variables %UserProfile% in Windows and $HOME or ~ (tilde) in Unix-like systems.

(中略)

The following example shows a configuration file with three profiles. The plug-in-creds example includes the optional DbUser, AutoCreate, and DbGroups options.

[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[user2]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
session_token=AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQWLWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGd
QrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU
9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz
+scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==

[plug-in-creds]
plugin_name=com.amazon.redshift.plugin.AdfsCredentialsProvider
idp_host=demo.example.com
idp_port=443
preferred_role=arn:aws:iam::1234567:role/ADFS-Dev
user=example\user
password=Password1234 

To use the credentials for the user2 example, specify Profile=user2 in the JDBC URL. To use the credentials for the plug-in creds example, specify Profile=plug-in-creds in the JDBC URL.

For more information, see Named Profiles in the AWS Command Line Interface User Guide.

IAM 認証情報の提供オプション - Amazon Redshift

AWS CLI は config と認証情報ファイルに保存された 名前付きプロファイルをサポートしています。追加のプロファイルを設定するには、--profile オプションaws configure を使用するか、または、config と認証情報ファイルへエントリを追加します。

2 つのプロファイルのある認証情報ファイルの例を以下に示します。

  • ~/.aws/credentials
[default]
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[user2]
aws_access_key_id=AKIAI44QH8DHBEXAMPLE
aws_secret_access_key=je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
各プロファイルは異なる認証情報 (2 人の異なる IAM ユーザーのもの) を使用します。別のリージョンおよび出力形式を使用することもできます。
  • ~/.aws/config
[default]
region=us-west-2
output=json

[profile user2]
region=us-east-1
output=text
  • 重要
    • AWS 認証情報ファイルは、CLI ファイルの名前付きプロファイルとは別の命名形式を使用します。AWS 認証情報ファイルで名前付きプロファイルを設定するときは、「profile」プレフィックスは含めないでください。
名前付きプロファイル - AWS Command Line Interface

AD FS の場合

Identity Provider: AD FS

For Windows Integrated Authentication with AD FS, leave User and Password empty.Optionally, provide details for options that the ODBC driver uses to call the GetClusterCredentials API action.

  • DbUser
  • User AutoCreate
  • DbGroups

For more information, see JDBC and ODBC Options for Creating Database User Credentials.

Provide IdP details.

  • IdP Host
    • The name of the corporate identity provider host. This name should not include any slashes ( / ).
  • IdP Port (optional)
    • The port used by identity provider. The default is 443.
  • Preferred Role
    • A role Amazon Resource Name (ARN) from the AttributeValue elements for the Role attribute in the SAML assertion. Work with your IdP administrator to find the appropriate value for the preferred role. For more information, see Configure SAML Assertions for Your IdP.

f:id:yohei-a:20170904085944p:image

ステップ 5: IAM 認証情報を使用するように JDBC または ODBC 接続を設定する - Amazon Redshift

参考

スパム対策のためのダミーです。もし見えても何も入力しないでください
ゲスト


画像認証

トラックバック - http://d.hatena.ne.jp/yohei-a/20170904/1504481337
リンク元