The connector needs to be able to support IAM Role via inline parameters in addition to via an AWS profile, the same way it does for IAM Users.
If I open a connection with role_arn, source_access_key_id, and source_secret_access_key, currently it ignores role_arn and uses the access key to open an IAM user connection.
What I need instead is to leverage the access key to assume the role - see boto3 credentials, we're in the assume role provider chapter, particularly:
> If MFA authentication is not enabled then you only need to specify a role_arn and a source_profile.
What I need is to pass all the parameters inline, not a source_profile.
Hi @Fleid, thank you for reaching out with this feature request. redshift-connector's role_arn parameter is specific to JwtCredentialsProvider, which is why you're seeing it ignored.

> What I need is to pass all the parameters inline, not a source_profile.

Boto3 does not support this functionality at this time, but they have a long-running issue, boto/botocore#761, which tracks this feature request.
As such, the recommendation from the boto3 side is to take the following approach:

1. creating a session with your inline credentials
2. creating a sts client
3. calling assume_role on the sts client, passing in your role_arn
4. retrieving the temporary aws credentials from the response payload from the call to assume_role

At this point, the temporary aws credentials can be passed directly to a redshift boto3 client, or in this case to redshift-connector. Below I've included a code snippet which shows how this can be done:
```python
import boto3

session = boto3.Session(
    # create the session with your aws credentials
)
# STS is only exposed as a low-level client; boto3 has no 'sts' resource
client = session.client('sts')
# RoleArn and RoleSessionName are variables supplied by the caller
creds = client.assume_role(
    RoleArn=RoleArn,
    RoleSessionName=RoleSessionName
)['Credentials']
# creds is the response payload from the assumeRole request. It has temporary AWS credentials which can now be
# passed to redshift-connector. See: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/sts/client/assume_role.html
```
Regardless, this isn't very clean. Ideally, redshift-connector should be able to perform this role assumption internally using the steps I've provided above. As such, I will raise this feature request with the Redshift driver team so we can determine a path forward in improving the user experience for this scenario.
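The steps above carried through to the connection call, as an added example that is not part of the original thread or of redshift-connector itself. It assumes redshift-connector's `iam`, `access_key_id`, `secret_access_key` and `session_token` connection parameters; the helper names, the session name and `FakeSTS` (a constructed stand-in for the STS client) are hypothetical.

```python
from datetime import datetime, timedelta, timezone


def assume_role_credentials(sts_client, role_arn, session_name, duration_seconds=900):
    """Call STS AssumeRole and return the temporary 'Credentials' dict."""
    resp = sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,       # recorded in CloudTrail for attribution
        DurationSeconds=duration_seconds,   # 900 s is the shortest lifetime STS allows
    )
    return resp["Credentials"]


def needs_refresh(creds, margin=timedelta(minutes=5), now=None):
    """True when the temporary credentials expire within `margin`."""
    now = now or datetime.now(timezone.utc)
    return creds["Expiration"] - now <= margin


def redshift_connect_kwargs(creds, **conn):
    """Map STS temporary credentials onto redshift_connector.connect() IAM arguments."""
    return {
        "iam": True,
        "access_key_id": creds["AccessKeyId"],
        "secret_access_key": creds["SecretAccessKey"],
        "session_token": creds["SessionToken"],  # required with temporary keys
        **conn,
    }


def connect_with_role(access_key_id, secret_access_key, role_arn, **conn):
    """Inline user keys -> assumed role -> Redshift connection."""
    import boto3  # imported lazily so the helpers above run offline
    import redshift_connector
    sts = boto3.Session(
        aws_access_key_id=access_key_id,
        aws_secret_access_key=secret_access_key,
    ).client("sts")
    creds = assume_role_credentials(sts, role_arn, "redshift-connector-session")
    return redshift_connector.connect(**redshift_connect_kwargs(creds, **conn))


class FakeSTS:
    """Constructed stand-in for an STS client, shaped like the real response."""
    def assume_role(self, **kwargs):
        self.request = kwargs
        expiry = datetime.now(timezone.utc) + timedelta(seconds=kwargs["DurationSeconds"])
        return {"Credentials": {
            "AccessKeyId": "ASIAEXAMPLEEXAMPLE", "SecretAccessKey": "constructed-secret",
            "SessionToken": "constructed-token", "Expiration": expiry}}
```

The credentials returned by AssumeRole expire, so a long-lived process should check `needs_refresh` and assume the role again before opening a new connection.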
See this issue for context : dbt-labs/dbt-redshift#842