Support IAM Identity Center Authentication - browser and token based #898

Open

Fleid opened this issue Aug 19, 2024 · 2 comments · May be fixed by #970
Fleid (Contributor) commented Aug 19, 2024

To support authentication to Redshift from 3rd party identity providers via IAM Identity Center, we need to add 2 authentication methods to dbt-redshift.

The first one is browser based, where we rely on the Redshift connector library to open up a browser session to get the proper creds: method: iam_idc_browser.

The second one is token based, where we expect the user to provide the required token, which we will relay to the Redshift connector library to establish the connection: method: iam_idc_token.

iam_idc_browser : Browser based authentication

See Authenticating with BrowserIdcAuthPlugin

Expected profile fields:

| Option name | Required? | Description | Example |
|---|---|---|---|
| credentials_provider | Required | BrowserIdcAuthPlugin | |
| idc_region | Required | The AWS Region where the AWS IAM Identity Center instance is located. | us-east-1 |
| issuer_url | Required | The AWS IAM Identity Center server's instance endpoint. You can find this value using the AWS IAM Identity Center console. | https://identitycenter.amazonaws.com/ssoins-g5j2k70sn4yc5nsc |
| listen_port | Optional | The port that the Amazon Redshift driver uses to receive the auth_code response from AWS IAM Identity Center through the browser redirect. | 7890 |
| idc_client_display_name | Optional | The name that the AWS IAM Identity Center client uses for the application in the AWS IAM Identity Center's single sign-on consent popup. | Amazon Redshift driver |
| idp_response_timeout | Optional | The amount of time, in seconds, that the Redshift driver waits for the auth flow to complete. | 60 |

Redshift connector call:

```python
import redshift_connector

conn: redshift_connector.Connection = redshift_connector.connect(
    iam=True,
    database='dev',
    region='us-east-1',
    cluster_identifier='my-testing-cluster',
    # ... other connection options elided in the original ...

    credentials_provider='BrowserIdcAuthPlugin',
    idc_region='us-east-1',
    issuer_url='https://identitycenter.amazonaws.com/ssoins-g5j2k70sn4yc5nsc'
)
```

iam_idc_token : Token based authentication

See Authenticating with IdpTokenAuthPlugin

Expected profile fields:

| Option name | Required? | Description |
|---|---|---|
| credentials_provider | Required | IdpTokenAuthPlugin |
| token | Required | An AWS IAM Identity Center vended access token or an OpenID Connect (OIDC) JSON Web Token (JWT) provided by a web identity provider that's connected with AWS IAM Identity Center. Your application must generate this token by authenticating your application user with AWS IAM Identity Center or an identity provider connected with AWS IAM Identity Center. |
| token_type | Required | The type of token used for IdpTokenAuthPlugin. Possible values are the following: `ACCESS_TOKEN` – Enter this if you use an AWS IAM Identity Center provided access token. `EXT_JWT` – Enter this if you use an OpenID Connect (OIDC) JSON Web Token (JWT) provided by a web-based identity provider that's connected with AWS IAM Identity Center. |

Redshift connector call:

```python
import redshift_connector

conn: redshift_connector.Connection = redshift_connector.connect(
    iam=True,
    database='dev',
    region='us-east-1',
    cluster_identifier='my-testing-cluster',
    # ... other connection options elided in the original ...

    credentials_provider='IdpTokenAuthPlugin',
    token_type='ACCESS_TOKEN',
    token='abcdefghijklmnopqrstuvwxyz'
)
```

Prerequisites

Setting up AWS IAM Identity Center integration with Amazon Redshift
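As an added example (not dbt-redshift's code and not part of the issue above), the following shows how the proposed profile fields for `iam_idc_browser` and `iam_idc_token` can be validated and mapped onto the `redshift_connector.connect()` keyword arguments shown in the two calls. The function and class names (`build_connect_kwargs`, `redact`, `ProfileError`) and the field lookup table are hypothetical; the field names, plugin names and the two `token_type` values come from the tables in the issue. The sample profiles at the bottom are constructed.

```python
"""Map dbt-redshift IAM Identity Center profile fields to redshift_connector kwargs.

Added example, not dbt-redshift's own credentials code. Helper names are hypothetical.
"""
from typing import Any, Dict

# Fields each proposed method requires/allows, per the issue's tables (constructed lookup).
METHOD_FIELDS = {
    "iam_idc_browser": {
        "credentials_provider": "BrowserIdcAuthPlugin",
        "required": ("idc_region", "issuer_url"),
        "optional": ("listen_port", "idc_client_display_name", "idp_response_timeout"),
    },
    "iam_idc_token": {
        "credentials_provider": "IdpTokenAuthPlugin",
        "required": ("token", "token_type"),
        "optional": (),
    },
}
VALID_TOKEN_TYPES = ("ACCESS_TOKEN", "EXT_JWT")
# Connection fields common to both calls shown in the issue.
COMMON_FIELDS = ("database", "region", "cluster_identifier")


class ProfileError(ValueError):
    """Raised when a profile is missing a field or carries one its method does not use."""


def build_connect_kwargs(profile: Dict[str, Any]) -> Dict[str, Any]:
    """Validate a profile dict and return the kwargs for redshift_connector.connect()."""
    method = profile.get("method")
    spec = METHOD_FIELDS.get(method)
    if spec is None:
        raise ProfileError(f"unsupported method: {method!r}")

    missing = [f for f in COMMON_FIELDS + spec["required"] if not profile.get(f)]
    if missing:
        raise ProfileError(f"{method}: missing required field(s): {', '.join(missing)}")

    # Reject fields that belong to the other method instead of forwarding them blindly,
    # so a stray `token` in a browser profile never reaches the connector.
    allowed = set(COMMON_FIELDS) | set(spec["required"]) | set(spec["optional"]) | {"method"}
    unknown = sorted(set(profile) - allowed)
    if unknown:
        raise ProfileError(f"{method}: unexpected field(s): {', '.join(unknown)}")

    kwargs: Dict[str, Any] = {"iam": True, "credentials_provider": spec["credentials_provider"]}
    for field in COMMON_FIELDS + spec["required"] + spec["optional"]:
        if field in profile:
            kwargs[field] = profile[field]

    if method == "iam_idc_token" and kwargs["token_type"] not in VALID_TOKEN_TYPES:
        raise ProfileError(f"token_type must be one of {VALID_TOKEN_TYPES}")
    if method == "iam_idc_browser":
        # listen_port is the local redirect port; it must be a real TCP port number.
        if "listen_port" in kwargs and not 1 <= int(kwargs["listen_port"]) <= 65535:
            raise ProfileError("listen_port must be a TCP port number (1-65535)")
        # Extra check not stated in the issue: the Identity Center endpoint must be https.
        if not str(kwargs["issuer_url"]).startswith("https://"):
            raise ProfileError("issuer_url must be an https:// URL")
    return kwargs


def redact(kwargs: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of the kwargs that is safe to log: the bearer token is never written out."""
    return {k: ("<redacted>" if k == "token" else v) for k, v in kwargs.items()}


# Constructed sample profiles mirroring the two connector calls in the issue.
BROWSER_PROFILE = {
    "method": "iam_idc_browser", "database": "dev", "region": "us-east-1",
    "cluster_identifier": "my-testing-cluster", "idc_region": "us-east-1",
    "issuer_url": "https://identitycenter.amazonaws.com/ssoins-g5j2k70sn4yc5nsc",
    "listen_port": 7890,
}
TOKEN_PROFILE = {
    "method": "iam_idc_token", "database": "dev", "region": "us-east-1",
    "cluster_identifier": "my-testing-cluster", "token_type": "ACCESS_TOKEN",
    "token": "abcdefghijklmnopqrstuvwxyz",  # constructed placeholder, not a real token
}

if __name__ == "__main__":
    for profile in (BROWSER_PROFILE, TOKEN_PROFILE):
        # In real use these kwargs go to redshift_connector.connect(**kwargs).
        print(redact(build_connect_kwargs(profile)))
```

The unknown-field check is the part worth keeping even if the rest changes: forwarding every profile key to the connector means a copy-pasted `token` or `issuer_url` from the wrong method silently changes which authentication path runs, and only the redacted view should ever reach dbt's debug logs.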

VersusFacit (Contributor) commented:
We have shipped half of this -- browser based IDC authentication. Note the redshift team has yet to ship a caching mechanism so any user of this auth method can expect several authentications for a single dbt run of a single model, followed by 2 or 3 for every included model thereafter. We eagerly await Redshift shipping that caching function and our team will do what is needed (if anything) to integrate it.

barathsku commented:
@VersusFacit is this caching mechanism meant to be a part of redshift_connector or something integrated within Redshift? Because this is also something blocking me from fully integrating dbt-redshift with my project, would like to see it happen soon on Redshift.
