Federate AWS Redshift access using Keycloak

Hi All,
I have a requirement where user should be able to access AWS Redshift using federated access (i.e. system/AD/SSO credentials) instead of cluster user credentials, when connecting from tools like DBeaver/SQL Workbench.

I was able to connect to AWS Management console and access s3 & view Redshift cluster using federated access via Keycloak. However when I am trying to connect Redshift from DBeaver but it is not working. It opens an auth window of Keycloak in browser and user is able to authenticate and see AWS console, however the DBeaver is not receiving token and request gets timed out. Below is my connection driver which I have configured:

jdbc:redshift:iam://{host}:{port}/{database}?login_url=https://&plugin_name=com.amazon.redshift.plugin.BrowserSamlCredentialsProvider

Seeking help to overcome this hurdle.

Thanks & Regards,
Shashwat

BrowserSamlCredentialsProvider gets SAML result from http://localhost:7890/redshit/ by browser’s redirect.

so you shoud set this url to keycloak client settings and AWS settings

KeyCloat’s Client Settings

• Valid Redirect URIs :

http://localhost:7890/redshift/

• Fine Grain SAML Endpoint Configuration/ Assertion Consumer Service POST Binding URL:

http://localhost:7890/redshift/

AWS Settings

set your redshift role’s trust relationship like:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::{your aws account no}:saml-provider/{you provider name}"
      },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": {
          "SAML:aud": "http://localhost:7890/redshift/"
        }
      }
    }
  ]
}

reference Use SAML 2.0 for SSO with Redshift :: Redshift Immersion Labs