# Authentication and Security

Comprehensive authentication system supporting multiple identity providers, IAM roles, and security protocols. The redshift_connector library provides enterprise-grade authentication, including SAML, OAuth2, JWT, and browser-based flows, to integrate with existing identity infrastructure.

## Capabilities

### IAM Authentication

Direct integration with AWS Identity and Access Management: the connector obtains temporary database credentials through IAM, using an AWS profile, access keys, or an instance role as the source of AWS credentials.

```python { .api }
import redshift_connector

# IAM Authentication with AWS Profile
conn = redshift_connector.connect(
    iam=True,
    database='dev',
    db_user='awsuser',
    cluster_identifier='examplecluster',
    profile='default'  # Uses the named profile from ~/.aws/credentials
)

# IAM Authentication with Direct Credentials
conn = redshift_connector.connect(
    iam=True,
    database='dev',
    db_user='awsuser',
    cluster_identifier='examplecluster',
    access_key_id='AKIAIOSFODNN7EXAMPLE',  # AWS documentation example values, not real keys
    secret_access_key='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
    region='us-west-2'
)

# IAM Authentication with Session Token (temporary credentials, e.g. from STS)
conn = redshift_connector.connect(
    iam=True,
    database='dev',
    db_user='awsuser',
    cluster_identifier='examplecluster',
    access_key_id='AKIAIOSFODNN7EXAMPLE',
    secret_access_key='wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
    session_token='AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtpZ3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE',
    region='us-west-2'
)
```

### Serverless Authentication

Specialized authentication support for Amazon Redshift Serverless, where access is scoped to a workgroup in a given AWS account rather than to a cluster.

```python { .api }
import redshift_connector

# Serverless IAM Authentication
conn = redshift_connector.connect(
    iam=True,
    is_serverless=True,
    serverless_acct_id='123456789012',
    serverless_work_group='my-workgroup',
    database='dev',
    db_user='awsuser',
    region='us-west-2'
)
```

### Identity Provider Authentication Plugins

Extensible plugin system supporting 18+ identity providers with standardized configuration patterns. The plugin is selected by name through `credentials_provider`; the remaining keyword arguments are the provider-specific settings.

```python { .api }
import redshift_connector

# ADFS Authentication
conn = redshift_connector.connect(
    credentials_provider='AdfsCredentialsProvider',
    idp_host='adfs.company.com',
    user='domain\\username',
    password='password',
    database='dev',
    cluster_identifier='examplecluster'
)

# Azure AD Authentication
conn = redshift_connector.connect(
    credentials_provider='AzureCredentialsProvider',
    idp_host='login.microsoftonline.com',
    client_id='12345678-1234-1234-1234-123456789012',
    client_secret='client_secret_value',
    idp_tenant='company.onmicrosoft.com',
    database='dev',
    cluster_identifier='examplecluster'
)

# Okta Authentication
conn = redshift_connector.connect(
    credentials_provider='OktaCredentialsProvider',
    idp_host='company.okta.com',
    app_id='redshift_app_id',
    app_name='amazon_aws_redshift',
    user='username',
    password='password',
    database='dev',
    cluster_identifier='examplecluster'
)

# Ping Identity Authentication
conn = redshift_connector.connect(
    credentials_provider='PingCredentialsProvider',
    idp_host='sso.company.com',
    partner_sp_id='urn:amazon:webservices',
    user='username',
    password='password',
    database='dev',
    cluster_identifier='examplecluster'
)
```

### Browser-Based Authentication

Interactive authentication flows that open the system web browser. The user authenticates with the identity provider in the browser, so no IdP password is passed to the connector, and the IdP response is delivered to a local listener on `listen_port`.

```python { .api }
import redshift_connector

# Browser-based Azure OAuth2
conn = redshift_connector.connect(
    credentials_provider='BrowserAzureOAuth2CredentialsProvider',
    client_id='12345678-1234-1234-1234-123456789012',
    idp_tenant='company.onmicrosoft.com',
    scope='openid',
    listen_port=7890,
    database='dev',
    cluster_identifier='examplecluster'
)

# Browser-based SAML
conn = redshift_connector.connect(
    credentials_provider='BrowserSamlCredentialsProvider',
    login_url='https://sso.company.com/saml/login',
    listen_port=7890,
    idp_response_timeout=120,  # Seconds to wait for the IdP response before giving up
    database='dev',
    cluster_identifier='examplecluster'
)

# Browser-based IdC Authentication
conn = redshift_connector.connect(
    credentials_provider='BrowserIdcAuthPlugin',
    idc_region='us-west-2',
    issuer_url='https://portal.sso.us-west-2.amazonaws.com',
    idc_client_display_name='My Redshift Application',
    database='dev',
    cluster_identifier='examplecluster'
)
```

### JWT Authentication

JSON Web Token (JWT) authentication for modern identity systems and service-to-service use: a web identity token issued by an external IdP is presented together with the IAM role to assume, or an IdP-issued access token is passed directly.

```python { .api }
import redshift_connector

# Basic JWT Authentication
conn = redshift_connector.connect(
    credentials_provider='BasicJwtCredentialsProvider',
    iam=True,
    web_identity_token='eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...',  # truncated placeholder
    role_arn='arn:aws:iam::123456789012:role/RedshiftRole',
    role_session_name='jwt-session',
    database='dev',
    cluster_identifier='examplecluster'
)

# IdP Token Authentication
conn = redshift_connector.connect(
    credentials_provider='IdpTokenAuthPlugin',
    token='access_token_value',
    token_type='Bearer',
    database='dev',
    cluster_identifier='examplecluster'
)
```
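
A pre-flight check of the token before it is handed over as `web_identity_token`, as an added example that is not part of redshift_connector: it parses the claims and rejects an expired token or a wrong audience locally, so a bad token is caught before the credential exchange. Signature verification stays with AWS STS; the sample token, claim values and `make_sample_token` helper are constructed for the demo.

```python
import base64
import json
import time
from typing import List, Optional

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_sample_token(claims: dict) -> str:
    """Constructed sample token for this demo: the signature segment is a
    placeholder, so it only serves to exercise the claim checks below."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.signature-placeholder"

def preflight_web_identity_token(token: str, expected_aud: str,
                                 now: Optional[float] = None) -> List[str]:
    """Return the problems found in the token's claims (empty list: OK to submit).
    Only the claims are inspected; the signature is verified by AWS STS when the
    connector exchanges the token for role credentials, never here."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["token does not have three dot-separated segments"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return ["header or payload is not base64url-encoded JSON"]
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return ["header or payload is not a JSON object"]
    problems = []
    if str(header.get("alg", "")).lower() == "none":
        problems.append('header declares alg "none"')
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        problems.append("missing numeric exp claim")
    elif exp <= now:
        problems.append(f"token expired at {int(exp)}")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} does not include {expected_aud!r}")
    for claim in ("iss", "sub"):
        if not claims.get(claim):
            problems.append(f"missing {claim} claim")
    return problems
```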

### Authentication Plugin Classes

All authentication plugins implement standardized interfaces for consistent configuration and behavior. The class names below are the values accepted by `credentials_provider`.

```python { .api }
from redshift_connector.redshift_property import RedshiftProperty

# Available Authentication Plugin Classes (stub declarations; bodies omitted)
class AdfsCredentialsProvider: ...
class AzureCredentialsProvider: ...
class BrowserAzureCredentialsProvider: ...
class BrowserAzureOAuth2CredentialsProvider: ...
class BrowserIdcAuthPlugin: ...
class BrowserSamlCredentialsProvider: ...
class CommonCredentialsProvider: ...
class IdpCredentialsProvider: ...
class IdpTokenAuthPlugin: ...
class BasicJwtCredentialsProvider: ...
class JwtCredentialsProvider: ...
class OktaCredentialsProvider: ...
class PingCredentialsProvider: ...
class SamlCredentialsProvider: ...

# Plugin Interface
class IPlugin:
    """Base interface for authentication plugins."""
    def authenticate(self, info: RedshiftProperty) -> dict: ...

class INativePlugin:
    """Interface for native authentication plugins."""
    def get_credentials(self) -> dict: ...
```

### SSL/TLS Configuration

Comprehensive SSL/TLS security configuration with certificate validation and encryption options.

```python { .api }
import redshift_connector

# SSL Configuration Options
conn = redshift_connector.connect(
    host='examplecluster.abc123xyz789.us-west-1.redshift.amazonaws.com',
    ssl=True,               # Enable SSL/TLS (default: True)
    sslmode='verify-full',  # 'verify-ca' checks the certificate chain; 'verify-full' also matches the hostname
    ssl_insecure=False,     # True disables SSL certificate verification (NOT recommended for production)
    database='dev',
    user='awsuser',
    password='password'
)
```
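
A guard that a shared connection factory can apply to its keyword arguments before calling `connect()`, as an added example that is not redshift_connector's own code: it flags the weak settings from the block above and returns the strict equivalents. The assumption that `verify-ca` applies when `sslmode` is omitted is noted in the comments.

```python
from typing import Dict, List

# Certificate-verification strength of each sslmode, weakest first. 'verify-ca' checks
# the chain only; 'verify-full' also matches the hostname. Assumption for this demo:
# 'verify-ca' is what the connector applies when sslmode is not given.
SSLMODE_RANK = {"verify-ca": 1, "verify-full": 2}
DEFAULT_SSLMODE = "verify-ca"

def check_tls_options(options: Dict[str, object]) -> List[str]:
    """Return findings for connect() keyword arguments that weaken transport security.
    An empty list means the arguments pass the policy."""
    findings = []
    if options.get("ssl", True) is False:
        findings.append("ssl=False: traffic is not encrypted")
    if options.get("ssl_insecure", False):
        findings.append("ssl_insecure=True: the server certificate is not verified")
    mode = options.get("sslmode", DEFAULT_SSLMODE)
    if mode not in SSLMODE_RANK:
        findings.append(f"sslmode={mode!r}: not a certificate-verifying mode")
    elif SSLMODE_RANK[mode] < SSLMODE_RANK["verify-full"]:
        findings.append(f"sslmode={mode!r}: hostname is not matched against the certificate")
    return findings

def harden_tls_options(options: Dict[str, object]) -> Dict[str, object]:
    """Return a copy of the arguments with the TLS settings forced to the strict values."""
    hardened = dict(options)
    hardened.update(ssl=True, sslmode="verify-full", ssl_insecure=False)
    return hardened

def connect_kwargs_or_raise(options: Dict[str, object]) -> Dict[str, object]:
    """Gate for a shared connection factory: refuse weak TLS settings instead of
    silently connecting with them. Pass the result on as connect(**kwargs)."""
    findings = check_tls_options(options)
    if findings:
        raise ValueError("refusing to connect: " + "; ".join(findings))
    return options
```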

### Authentication Profiles

Named authentication profiles for simplified configuration management and reuse across applications.

```python { .api }
import redshift_connector

# Using Authentication Profile
conn = redshift_connector.connect(
    auth_profile='production-profile',
    database='dev'
)

# Authentication profiles are defined externally and contain
# connection properties as JSON configuration
```
236
237
### Security Utilities
238
239
Helper classes and functions for secure credential management and authentication workflows.
240
241
```python { .api }
242
class IamHelper:
243
"""Helper class for IAM authentication operations."""
244
245
class IAMAuthenticationType(Enum):
246
NONE = "none"
247
PROFILE = "profile"
248
IAM_KEYS = "iam_keys"
249
IAM_KEYS_WITH_SESSION = "iam_keys_with_session"
250
PLUGIN = "plugin"
251
252
class GetClusterCredentialsAPIType(Enum):
253
SERVERLESS_V1 = "get_credentials()"
254
IAM_V1 = "get_cluster_credentials()"
255
IAM_V2 = "get_cluster_credentials_with_iam()"
256
257
@staticmethod
258
def set_iam_properties(info: RedshiftProperty) -> None:
259
"""Configure IAM properties for authentication."""
260
261
class RedshiftProperty:
262
"""Container for connection properties with secure handling."""
263
264
def put(self, key: str, value) -> None:
265
"""Set a connection property value."""
266
267
def get(self, key: str):
268
"""Get a connection property value."""
269
270
# Utility Functions
271
def mask_secure_info_in_props(props: RedshiftProperty) -> RedshiftProperty:
272
"""Create a copy of properties with sensitive values masked for logging."""
273
```
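
How the IAM authentication types above map onto the `connect()` properties from the IAM section, plus a logging-safe view of those properties, as an added stand-alone example (not redshift_connector's own code): the enum is copied from the listing so the snippet runs without the library, the set of secret property names and the fallback for `iam=True` without keys or profile are assumptions, and `mask_secure_info` is a local counterpart to `mask_secure_info_in_props`, not that function.

```python
from enum import Enum
from typing import Dict

# Mirrors the IAMAuthenticationType values listed above, copied so the demo runs stand-alone.
class IAMAuthenticationType(Enum):
    NONE = "none"
    PROFILE = "profile"
    IAM_KEYS = "iam_keys"
    IAM_KEYS_WITH_SESSION = "iam_keys_with_session"
    PLUGIN = "plugin"

# Property names whose values must never reach logs (assumed list for this demo).
SECRET_PROPERTIES = frozenset({"password", "secret_access_key", "session_token",
                               "client_secret", "web_identity_token", "token"})

def classify_iam_auth(props: Dict[str, object]) -> IAMAuthenticationType:
    """Decide which credential path a connect() property set selects, and reject
    combinations that are ambiguous rather than letting one silently win."""
    if props.get("credentials_provider"):
        return IAMAuthenticationType.PLUGIN
    if not props.get("iam"):
        return IAMAuthenticationType.NONE  # classic user/password login
    has_keys = bool(props.get("access_key_id")) and bool(props.get("secret_access_key"))
    if props.get("profile") and has_keys:
        raise ValueError("profile and access_key_id/secret_access_key are mutually exclusive")
    if props.get("session_token") and not has_keys:
        raise ValueError("session_token requires access_key_id and secret_access_key")
    if has_keys:
        return (IAMAuthenticationType.IAM_KEYS_WITH_SESSION if props.get("session_token")
                else IAMAuthenticationType.IAM_KEYS)
    # Assumption: iam=True with neither keys nor an explicit profile resolves through the
    # default AWS credential chain (instance role or the default profile).
    return IAMAuthenticationType.PROFILE

def mask_secure_info(props: Dict[str, object]) -> Dict[str, object]:
    """Copy of the properties with secret-bearing values replaced, safe to log.
    Stand-alone counterpart to mask_secure_info_in_props above, not the library's code."""
    return {k: ("***" if k in SECRET_PROPERTIES and v else v) for k, v in props.items()}

def describe_for_log(props: Dict[str, object]) -> str:
    """One log line naming the auth path, with every secret masked."""
    return f"auth={classify_iam_auth(props).value} props={mask_secure_info(props)}"
```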

### Group Federation and Advanced IAM

Advanced IAM features including group federation and IAM Identity Center integration.

```python { .api }
import redshift_connector

# Group Federation Support
conn = redshift_connector.connect(
    iam=True,
    group_federation=True,  # Enable IAM group-based access
    db_groups=['analysts', 'data_engineers'],
    auto_create=True,  # Create the database user if it does not exist
    database='dev',
    cluster_identifier='examplecluster'
)

# Identity Center Integration
conn = redshift_connector.connect(
    credentials_provider='BrowserIdcAuthPlugin',
    identity_namespace='my-identity-namespace',
    idc_region='us-west-2',
    database='dev',
    cluster_identifier='examplecluster'
)
```