Skip to content

Streamline SSO Access to AWS Redshift Query Editor with Okta and Terraform

Published: at 12:00 AM

Introduction

AWS Redshift Query Editor v2 is a web-based tool that allows analysts to securely explore, share, and collaborate on data using SQL within a common notebook interface. It simplifies querying data with SQL and visualizing results with charts and graphs in just a few clicks.

Integrating Redshift Query Editor v2 with your identity provider (IdP) automatically redirects users to the Query Editor v2 console instead of the Amazon Redshift console. This setup enables seamless access to Amazon Redshift clusters via federated credentials, eliminating the need to manage individual database users and passwords.

In this blog post, we’ll focus on using Okta as the IdP and guide you through configuring your Okta application and AWS IAM permissions. We’ll also demonstrate how to restrict user access to only the Query Editor v2, preventing them from performing administrative functions on the AWS Management Console.

Table of contents

Open Table of contents

Create IAM Roles and Permissions

To enable Okta to access Amazon Redshift Query Editor v2, you need to create two IAM roles. The first role will be used by Okta to access the Redshift Query Editor, and the second role will establish a trust relationship between the IdP (Okta) and AWS. We’ll start by creating the role that Okta uses to access Amazon Redshift Query Editor v2. After setting up the Okta application, we’ll create the trust relationship role using the metadata from the Okta app.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

data "aws_iam_policy_document" "assume_policy" {
  statement {
    effect = "Allow"
    actions = [
      "sts:AssumeRoleWithSAML",
      "sts:TagSession",
    ]

    principals {
      type        = "Federated"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:saml-provider/OktaRedshiftFederation"]
    }

    condition {
      test     = "StringEquals"
      variable = "SAML:aud"
      values   = ["https://signin.aws.amazon.com/saml"]
    }
  }
}

data "aws_iam_policy_document" "default" {
  statement {
    actions = [
      "redshift:GetClusterCredentials",
      "redshift:CreateClusterUser",
      "redshift:JoinGroup",
    ]
    resources = [
      "arn:aws:redshift:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:cluster:${local.redshift_cluster_id}",
      "arn:aws:redshift:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:dbuser:${local.redshift_cluster_id}/*",
      "arn:aws:redshift:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:dbgroup:${local.redshift_cluster_id}/admin",
      "arn:aws:redshift:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:dbgroup:${local.redshift_cluster_id}/datascientist",
      "arn:aws:redshift:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:dbname:${local.redshift_cluster_id}/*",
    ]
  }
}

resource "aws_iam_role" "default" {
  name               = "RedshiftQueryEditorFederation"
  assume_role_policy = data.aws_iam_policy_document.assume_policy.json

  tags = {
    environment = "dev"
    stack       = "redshift"
  }
}

resource "aws_iam_role_policy" "default" {
  name   = "RedshiftQueryEditorFederation"
  role   = aws_iam_role.default.id
  policy = data.aws_iam_policy_document.default.json
}

resource "aws_iam_role_policy_attachment" "default" {
  role       = aws_iam_role.default.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonRedshiftQueryEditorV2ReadSharing"
}

Set Up Okta Application

With the IAM role for Okta access created, configure the Okta SAML application and assign it to the necessary Okta groups.

data "okta_group" "admin" {
  name = "admin"
}

data "okta_group" "datascientist" {
  name = "datascientist"
}

resource "okta_app_saml" "redshift" {
  label               = "Redshift Query Editor v2"
  logo                = "${path.module}/images/redshift.png"
  preconfigured_app   = "amazon_aws"
  saml_version        = "2.0"
  default_relay_state = "https://${data.aws_region.current.name}.console.aws.amazon.com/sqlworkbench/home"

  app_settings_json = jsonencode({
    "awsEnvironmentType" : "aws.amazon",
    "appFilter" : "okta",
    "groupFilter" : "(?{{role}}[a-zA-Z0-9+=,.@\\-_]+)",
    "joinAllRoles" : false,
    "loginURL" : "https://console.aws.amazon.com/ec2/home",
    "roleValuePattern" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:saml-provider/OktaRedshiftFederation,${aws_iam_role.default.arn}",
    "sessionDuration" : 3600,
    "useGroupMapping" : true,
  })

  attribute_statements {
    type      = "EXPRESSION"
    name      = "https://aws.amazon.com/SAML/Attributes/PrincipalTag:RedshiftDbUser"
    namespace = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
    values    = ["user.username"]
  }

  attribute_statements {
    type      = "EXPRESSION"
    name      = "https://aws.amazon.com/SAML/Attributes/PrincipalTag:RedshiftDbGroups"
    namespace = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
    values    = ["String.join(\":\", isMemberOfGroupName(\"datascientist\") ? 'datascientist' : '',isMemberOfGroupName(\"admin\") ? 'admin' : '')"]
  }
}

resource "okta_app_group_assignments" "redshift" {
  app_id = okta_app_saml.redshift.id

  group {
    id = data.okta_group.datascientist.id
  }

  group {
    id = data.okta_group.admin.id
  }
}

Create IAM SAML Provider Role

After setting up the Okta application, create the IAM SAML provider to establish a trust relationship between Okta and AWS using the Okta metadata.

resource "aws_iam_saml_provider" "redshift_okta" {
  name                   = "OktaRedshiftFederation"
  saml_metadata_document = okta_app_saml.redshift.metadata

  tags = {
    environment = "dev"
    stack       = "redshift"
  }
}

Conclusion

In this blog post, we demonstrated how to securely federate SSO access to AWS Redshift Query Editor v2 using Okta as the identity provider, leveraging Terraform for seamless infrastructure management. By creating the necessary IAM roles and configuring the Okta SAML application, we established a robust trust relationship between Okta and AWS. This setup not only simplifies user access to Redshift Query Editor v2 but also enhances security by eliminating the need to share database users credentials. With this integration, your teams can efficiently explore, share, and collaborate on data, driving insightful decisions and streamlined operations.


Previous Post
How to Migrate Amazon Redshift to a Different Account and Region
Next Post
Enabling Cross-Account Access for AWS Lake Formation with Data Filters Using Terraform