
iam role authenticated via Azure AD Workbench Redshift

I have been trying to authenticate to Redshift via IAM from Workbench/J, and having followed various links (https://medium.com/tensult/aws-redshift-authentication-with-adfs-4ba423e2dc96 and https://docs.amazonaws.cn/en_us/redshift/latest/mgmt/generating-user-credentials.html) I am still unable to connect.

My Workbench looks like :

Driver : com.amazon.redshift.jdbc.Driver
url : jdbc:redshift:iam://<cluster-name>:<region>/<db>
username : org email id
password : org email id password

extended properties :
DbUser  employeeid
idp_port    443
AutoCreate  true
plugin_name com.amazon.redshift.plugin.AzureCredentialsProvider
idp_host    domain-id
preferred_role arn-of-IAM-Role

The IAM Role has the following policy attached already :

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "redshift:DescribeClusters",
                "iam:ListRoles"
            ],
            "Resource": "*"
        },
        {
            "Sid": "GetClusterCredsStatement",
            "Effect": "Allow",
            "Action": [
                "redshift:GetClusterCredentials"
            ],
            "Resource": [
                "arn:aws:redshift:*:*:dbname:<cluster>/<db>",
                "arn:aws:redshift:*:*:dbuser:<cluster>/${Redshift:DbUser}",
                "arn:aws:redshift:*:*:dbgroup:<cluster>/<dbgroup>"
            ]
        },
        {
            "Sid": "CreateClusterUserStatement",
            "Effect": "Allow",
            "Action": [
                "redshift:CreateClusterUser"
            ],
            "Resource": [
                "arn:aws:redshift:*:*:dbname:<cluster>/<db>",
                "arn:aws:redshift:*:*:dbuser:<cluster>/${Redshift:DbUser}"
            ]
        },
        {
            "Sid": "RedshiftJoinGroupStatement",
            "Effect": "Allow",
            "Action": [
                "redshift:JoinGroup"
            ],
            "Resource": [
                "arn:aws:redshift:*:*:dbgroup:<cluster>/<dbgroup>"
            ]
        }
    ]
}

The following Claim Rules have been added already too :

DbUser : user.employeeid
DbGroups : user.assignedroles
Role : the IAM role with policy attached above
RoleSessionName : user.userprincipalname

I can furnish more details, but I have simply been following what these links say; I have working connections to the Redshift cluster otherwise.

Edit:

I traced sqlworkbench logs to find : Caused by: java.lang.NoClassDefFoundError: com/amazonaws/auth/profile/ProfilesConfigFile

Edit 2:

I launched sql workbench as :

java -Dworkbench.log.level=DEBUG -jar sqlworkbench.jar

and looking at the output of tail -f $HOME/.sqlworkbench/workbench.log

to find out that I had a few jars missing like httpclient, httpcore, aws-sdk-java and a few more.

Now stuck at idp_tenant required parameter missing

Edit 3: I have now progressed up to:

[JDBC Driver]SAML error: invalid_grant: AADSTS50126: Error validating credentials due to invalid username or password. Trace ID: 1c67cec4-bc2e-4140-bdc5-84e72ae50300 Correlation ID: 14be34b2-b9e2-49e5-8415-a388a8839c91 Timestamp: 2020-03-31 06:20:55Z 

I could even decompile the Redshift jar to look at the source code for the AzureCredentialsProvider plugin; this is indeed something wrong at the Azure AD end now, while my username/password credentials are correct.

I ran into the same issue, and it's because the AWS SDK required for the plugin extension is not bundled with the driver jar.

There are 2 solutions:

  1. Make the AWS SDK available on the configured java path
  2. Download and use a redshift driver bundled with the AWS SDK

For simplicity, I went with the second option. It's a bit unclear from AWS docs but it looks like you have to go to the driver download documentation page and scroll down to the section "Use previous JDBC driver versions with the AWS SDK for Java" and select the latest driver from that list.

As further explanation, it looks like AzureCredentialsProvider is provided in the driver jar regardless (which is why you could find it), but the class required is the ProfilesConfigFile class (part of the AWS IAM sdk).

As another sidenote, I was using DataGrip.
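The three failures traced in the question and the answer above (a missing AWS SDK class on the classpath, a missing idp_tenant extended property, and an AADSTS50126 rejection from Azure AD) each belong to a different layer. The following Python is an added pre-flight check written for this page, not code from the asker, the answerer, or the Redshift driver: it inspects the driver and SDK jars offline (a jar is a zip file), checks the extended-properties map for the parameters the Azure plugin needs, and classifies log lines into those three layers. The list of required classes beyond `ProfilesConfigFile`, and the assumption that `client_id` and `client_secret` are required alongside `idp_tenant` (taken from the Redshift JDBC driver documentation for this plugin, verify against your driver version), are assumptions; the sample jars and log lines are constructed here from the details on the page.

```python
"""Offline pre-flight checks for a Redshift JDBC + AzureCredentialsProvider setup."""
import io
import re
import zipfile

# Class files that must exist somewhere on the driver classpath for IAM/Azure
# authentication. The plugin class and ProfilesConfigFile come from the page;
# the HttpClient entry is an assumption based on the asker's "httpclient" note.
REQUIRED_CLASSES = (
    "com/amazon/redshift/plugin/AzureCredentialsProvider.class",
    "com/amazonaws/auth/profile/ProfilesConfigFile.class",
    "org/apache/http/client/HttpClient.class",
)

# Extended properties the Azure plugin refuses to start without. idp_tenant is
# the one the asker's log complained about; client_id/client_secret are assumed
# from the driver documentation for this plugin.
REQUIRED_PROPS = ("plugin_name", "idp_tenant", "client_id", "client_secret")

# Constructed copy of the asker's extended properties (no idp_tenant).
ASKER_PROPS = {
    "DbUser": "employeeid",
    "idp_port": "443",
    "AutoCreate": "true",
    "plugin_name": "com.amazon.redshift.plugin.AzureCredentialsProvider",
    "idp_host": "domain-id",
    "preferred_role": "arn-of-IAM-Role",
}

# Constructed log lines, one per failure mode reported on the page.
SAMPLE_LOG = (
    "Caused by: java.lang.NoClassDefFoundError: com/amazonaws/auth/profile/ProfilesConfigFile",
    "idp_tenant required parameter missing",
    "[JDBC Driver]SAML error: invalid_grant: AADSTS50126: Error validating "
    "credentials due to invalid username or password.",
    "Connection established",  # unrelated line, should be ignored
)

# Pattern -> which layer owns the fix. Order matters: first match wins.
DIAGNOSES = (
    (r"NoClassDefFoundError: com/amazonaws/", "classpath: AWS SDK jars missing"),
    (r"required parameter missing", "driver config: required extended property missing"),
    (r"AADSTS50126", "identity provider: Azure AD rejected username/password"),
)


def missing_classes(jars):
    """Return REQUIRED_CLASSES entries that none of the given jars contain.

    `jars` is an iterable of paths or file-like objects; each is opened as a
    zip archive and only its member list is read, so nothing is executed.
    """
    present = set()
    for jar in jars:
        with zipfile.ZipFile(jar) as zf:
            present.update(zf.namelist())
    return [cls for cls in REQUIRED_CLASSES if cls not in present]


def missing_props(props):
    """Return the required extended properties that are absent or empty."""
    return [p for p in REQUIRED_PROPS if not props.get(p)]


def diagnose(log_lines):
    """Classify each log line by the first DIAGNOSES pattern it matches."""
    verdicts = []
    for line in log_lines:
        for pattern, verdict in DIAGNOSES:
            if re.search(pattern, line):
                verdicts.append(verdict)
                break
    return verdicts


def constructed_driver_jar():
    """Fake driver jar: plugin class present, AWS SDK absent, as in the question."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/amazon/redshift/jdbc/Driver.class", b"")
        zf.writestr("com/amazon/redshift/plugin/AzureCredentialsProvider.class", b"")
    buf.seek(0)
    return buf


def constructed_sdk_jar():
    """Fake aws-java-sdk jar that supplies the class from the stack trace."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/amazonaws/auth/profile/ProfilesConfigFile.class", b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print("missing classes (driver only):", missing_classes([constructed_driver_jar()]))
    print("missing classes (driver + sdk):",
          missing_classes([constructed_driver_jar(), constructed_sdk_jar()]))
    print("missing props:", missing_props(ASKER_PROPS))
    for verdict in diagnose(SAMPLE_LOG):
        print("diagnosis:", verdict)
```

Run the class check against the real jars on the Workbench/J or DataGrip driver path before touching any Azure settings: an empty list from `missing_classes` means the answer's "bundled with the AWS SDK" driver (or option 1, the SDK on the classpath) is in place, and any remaining error is a configuration or identity-provider problem. Note that the plugin sends the user's org password to the Azure AD token endpoint along with `client_secret`, so keep those values out of shared connection profiles and logs; the AADSTS50126 line is Azure AD's verdict on those credentials, not something the driver or IAM policy can fix.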
