
tessl/pypi-redshift-connector

Amazon Redshift connector for Python implementing Python Database API Specification 2.0


Authentication and Security

Comprehensive authentication system supporting multiple identity providers, IAM roles, and security protocols. The redshift_connector provides enterprise-grade authentication capabilities including SAML, OAuth2, JWT, and browser-based authentication flows to integrate with existing identity infrastructure.

Capabilities

IAM Authentication

Direct integration with AWS Identity and Access Management for secure, temporary credential-based authentication using AWS profiles, access keys, or instance roles.

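import os

# IAM authentication with a named AWS profile.
# Credentials come from the shared credentials file (~/.aws/credentials),
# so no key material appears in application code.
conn = redshift_connector.connect(
    iam=True,
    database="dev",
    db_user="awsuser",
    cluster_identifier="examplecluster",
    profile="default",
)

# IAM authentication with an explicitly supplied access key pair.
# The pair is read from the process environment instead of being written as
# string literals: literals in source travel into version control, logs and
# every copy of the snippet. os.environ[...] raises KeyError when a variable
# is unset, so a missing credential fails before any connection attempt.
conn = redshift_connector.connect(
    iam=True,
    database="dev",
    db_user="awsuser",
    cluster_identifier="examplecluster",
    access_key_id=os.environ["AWS_ACCESS_KEY_ID"],
    secret_access_key=os.environ["AWS_SECRET_ACCESS_KEY"],
    region="us-west-2",
)

# IAM authentication with temporary credentials: the same key pair plus the
# session token that accompanies it, all taken from the environment.
conn = redshift_connector.connect(
    iam=True,
    database="dev",
    db_user="awsuser",
    cluster_identifier="examplecluster",
    access_key_id=os.environ["AWS_ACCESS_KEY_ID"],
    secret_access_key=os.environ["AWS_SECRET_ACCESS_KEY"],
    session_token=os.environ["AWS_SESSION_TOKEN"],
    region="us-west-2",
)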

Serverless Authentication

Specialized authentication support for Amazon Redshift Serverless with workgroup-based access control.

# Redshift Serverless with IAM: the target is named by account id and
# workgroup rather than by a cluster identifier.
conn = redshift_connector.connect(
    # Which serverless endpoint to reach
    is_serverless=True,
    serverless_acct_id="123456789012",
    serverless_work_group="my-workgroup",
    region="us-west-2",
    # Who connects, and to which database
    iam=True,
    db_user="awsuser",
    database="dev",
)

Identity Provider Authentication Plugins

Extensible plugin system supporting 18+ identity providers with standardized configuration patterns.

# Federated sign-in through an identity provider (IdP) plugin, selected by
# the credentials_provider argument.
# Every secret below ("password", "client_secret_value") is a placeholder
# literal; obtain the real value at run time (prompt, environment, secret
# store) so that it is never committed with the code.

# ADFS
conn = redshift_connector.connect(
    credentials_provider="AdfsCredentialsProvider",
    idp_host="adfs.company.com",
    cluster_identifier="examplecluster",
    database="dev",
    user="domain\\username",
    password="password",
)

# Azure AD (application client id and secret instead of a user password)
conn = redshift_connector.connect(
    credentials_provider="AzureCredentialsProvider",
    idp_host="login.microsoftonline.com",
    idp_tenant="company.onmicrosoft.com",
    cluster_identifier="examplecluster",
    database="dev",
    client_id="12345678-1234-1234-1234-123456789012",
    client_secret="client_secret_value",
)

# Okta
conn = redshift_connector.connect(
    credentials_provider="OktaCredentialsProvider",
    idp_host="company.okta.com",
    app_name="amazon_aws_redshift",
    app_id="redshift_app_id",
    cluster_identifier="examplecluster",
    database="dev",
    user="username",
    password="password",
)

# Ping Identity
conn = redshift_connector.connect(
    credentials_provider="PingCredentialsProvider",
    idp_host="sso.company.com",
    partner_sp_id="urn:amazon:webservices",
    cluster_identifier="examplecluster",
    database="dev",
    user="username",
    password="password",
)

Browser-Based Authentication

Interactive authentication flows that open the system web browser, so the user signs in on the identity provider's own page; the examples below pass no password to connect().

# Browser-based flows: none of these calls takes a user name or password;
# sign-in happens on the identity provider's page in the system browser.

# Azure AD via OAuth2
conn = redshift_connector.connect(
    credentials_provider="BrowserAzureOAuth2CredentialsProvider",
    idp_tenant="company.onmicrosoft.com",
    client_id="12345678-1234-1234-1234-123456789012",
    scope="openid",
    # presumably the local port on which the IdP's response is received — confirm
    listen_port=7890,
    cluster_identifier="examplecluster",
    database="dev",
)

# SAML
conn = redshift_connector.connect(
    credentials_provider="BrowserSamlCredentialsProvider",
    login_url="https://sso.company.com/saml/login",
    listen_port=7890,
    # presumably how long to wait for the IdP's response, in seconds — confirm
    idp_response_timeout=120,
    cluster_identifier="examplecluster",
    database="dev",
)

# AWS IAM Identity Center (IdC)
conn = redshift_connector.connect(
    credentials_provider="BrowserIdcAuthPlugin",
    issuer_url="https://portal.sso.us-west-2.amazonaws.com",
    idc_region="us-west-2",
    idc_client_display_name="My Redshift Application",
    cluster_identifier="examplecluster",
    database="dev",
)

JWT Authentication

JSON Web Token authentication support for modern identity systems and service-to-service authentication.

# JWT presented together with an IAM role ARN and a session name.
conn = redshift_connector.connect(
    credentials_provider="BasicJwtCredentialsProvider",
    iam=True,
    # Truncated sample value. A real token is a bearer credential: load it at
    # run time and keep it out of source files and logs.
    web_identity_token="eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
    role_arn="arn:aws:iam::123456789012:role/RedshiftRole",
    role_session_name="jwt-session",
    cluster_identifier="examplecluster",
    database="dev",
)

# Token already issued by the identity provider, passed through as-is.
# "access_token_value" is a placeholder; the same handling applies to it.
conn = redshift_connector.connect(
    credentials_provider="IdpTokenAuthPlugin",
    token_type="Bearer",
    token="access_token_value",
    cluster_identifier="examplecluster",
    database="dev",
)

Authentication Plugin Classes

All authentication plugins implement standardized interfaces for consistent configuration and behavior.

# Authentication plugin classes (declaration stubs; bodies are elided).
# A plugin is selected by passing its class name as credentials_provider.

# Used in the connect() examples on this page: user-credential IdP plugins
class AdfsCredentialsProvider: ...
class AzureCredentialsProvider: ...
class OktaCredentialsProvider: ...
class PingCredentialsProvider: ...

# Used in the connect() examples on this page: browser-based plugins
class BrowserAzureOAuth2CredentialsProvider: ...
class BrowserSamlCredentialsProvider: ...
class BrowserIdcAuthPlugin: ...

# Used in the connect() examples on this page: token-based plugins
class BasicJwtCredentialsProvider: ...
class IdpTokenAuthPlugin: ...

# Listed but not demonstrated on this page
class BrowserAzureCredentialsProvider: ...
class CommonCredentialsProvider: ...
class IdpCredentialsProvider: ...
class JwtCredentialsProvider: ...
class SamlCredentialsProvider: ...

# Plugin Interface
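class IPlugin:
    """Base interface for authentication plugins.

    Declaration stub: only the method signature is given; the body is elided.
    """

    # The annotation is a string (forward reference) because RedshiftProperty
    # is declared further down the listing; a bare name would be looked up
    # when this def executes on interpreters that evaluate annotations eagerly.
    def authenticate(self, info: "RedshiftProperty") -> dict: ...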

class INativePlugin:
    """Interface implemented by native authentication plugins."""

    def get_credentials(self) -> dict:
        # Stub: the listing gives the signature only.
        ...

SSL/TLS Configuration

Comprehensive SSL/TLS security configuration with certificate validation and encryption options.

# TLS settings for the connection to the cluster.
conn = redshift_connector.connect(
    host="examplecluster.abc123xyz789.us-west-1.redshift.amazonaws.com",
    database="dev",
    user="awsuser",
    password="password",  # placeholder; supply the real value at run time
    # TLS is on by default; the argument is spelled out for clarity.
    ssl=True,
    # Accepted values: 'verify-ca' or 'verify-full'. 'verify-full' is the
    # stricter of the two (it is expected to also match the server host name
    # against the certificate — confirm against the connector's docs).
    sslmode="verify-full",
    # False leaves certificate verification enabled. Setting this to True is
    # what disables verification, which is not recommended for production.
    # NOTE(review): the connector's parameter docs appear to scope this flag
    # to the IdP host's certificate rather than the cluster's — confirm.
    ssl_insecure=False,
)

Authentication Profiles

Named authentication profiles for simplified configuration management and reuse across applications.

# Connect through a named authentication profile.
# The profile is defined outside the application and holds connection
# properties as JSON configuration, so only its name and the target
# database appear here.
conn = redshift_connector.connect(
    database="dev",
    auth_profile="production-profile",
)

Security Utilities

Helper classes and functions for secure credential management and authentication workflows.

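class IamHelper:
    """Helper class for IAM authentication operations.

    Declaration stub: the enums are complete as listed, the method body is
    elided.
    """

    class IAMAuthenticationType(Enum):
        # NOTE(review): the members look like they mirror the credential
        # sources in the connect() examples (profile, access keys, keys plus
        # session token, plugin) — confirm against the library.
        NONE = "none"
        PROFILE = "profile"
        IAM_KEYS = "iam_keys"
        IAM_KEYS_WITH_SESSION = "iam_keys_with_session"
        PLUGIN = "plugin"

    class GetClusterCredentialsAPIType(Enum):
        # Each value is a descriptive string naming a credentials call; how a
        # member is chosen is not shown in this listing.
        SERVERLESS_V1 = "get_credentials()"
        IAM_V1 = "get_cluster_credentials()"
        IAM_V2 = "get_cluster_credentials_with_iam()"

    @staticmethod
    def set_iam_properties(info: "RedshiftProperty") -> None:
        """Configure IAM properties for authentication.

        The annotation is a string (forward reference) because
        RedshiftProperty is declared after this class in the listing; a bare
        name would be looked up when the def executes on interpreters that
        evaluate annotations eagerly.
        """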

class RedshiftProperty:
    """Container for the connection properties.

    NOTE(review): the listing describes this as "secure handling", but no
    masking or protection logic is visible in this stub — confirm what the
    class itself guarantees.
    """

    def put(self, key: str, value) -> None:
        """Store *value* as the connection property named *key*."""

    def get(self, key: str):
        """Look up the connection property named *key*."""

# Utility Functions
def mask_secure_info_in_props(props: RedshiftProperty) -> RedshiftProperty:
    """Return a copy of *props* with sensitive values masked, for use in logging.

    Declaration stub: which properties count as sensitive, and what the
    masked form looks like, are not shown in this listing.
    """

Group Federation and Advanced IAM

Advanced IAM features including group federation and IAM identity center integration.

# IAM sign-in combined with database groups.
conn = redshift_connector.connect(
    iam=True,
    cluster_identifier="examplecluster",
    database="dev",
    group_federation=True,  # enable IAM group-based access
    db_groups=["analysts", "data_engineers"],
    # Creates the database user if it does not exist yet.
    # NOTE(review): with this on, an authenticated principal that has no
    # database user gets one created — confirm that matches the
    # provisioning policy for this cluster.
    auto_create=True,
)

# IAM Identity Center (IdC) sign-in through the browser plugin.
conn = redshift_connector.connect(
    credentials_provider="BrowserIdcAuthPlugin",
    idc_region="us-west-2",
    identity_namespace="my-identity-namespace",
    cluster_identifier="examplecluster",
    database="dev",
)

Install with Tessl CLI

npx tessl i tessl/pypi-redshift-connector
