|
I’m happy to announce a brand new use case based mostly on trusted identification propagation, a just lately launched functionality of AWS IAM Id Heart.
Tableau, a generally used enterprise intelligence (BI) software, can now propagate end-user identification right down to Amazon Redshift. This has a triple profit. It simplifies the sign-in expertise for finish customers. It permits information homeowners to outline entry based mostly on actual end-user identification. It permits auditors to confirm information entry by customers.
Trusted identification propagation permits functions that devour information (comparable to Tableau, Amazon QuickSight, Amazon Redshift Question Editor, Amazon EMR Studio, and others) to propagate the consumer’s identification and group memberships to the companies that retailer and handle entry to the info, comparable to Amazon Redshift, Amazon Athena, Amazon Easy Storage Service (Amazon S3), Amazon EMR, and others. Trusted identification propagation is a functionality of IAM Id Heart that improves the sign-in expertise throughout a number of analytics functions, simplifies information entry administration, and simplifies audit. Finish customers profit from single sign-on and don’t have to specify the IAM roles they wish to assume to hook up with the system.
Earlier than diving into extra particulars, let’s agree on terminology.
I take advantage of the time period “identification suppliers” to check with the methods that maintain consumer identities and group memberships. These are the methods that immediate the consumer for credentials and carry out the authentication. For instance, Azure Listing, Okta, Ping Id, and extra. Examine the total record of identification suppliers we assist.
I take advantage of the time period “user-facing functions” to designate the functions that devour information, comparable to Tableau, Microsoft PowerBI, QuickSight, Amazon Redshift Question Editor, and others.
And at last, once I write “downstream companies”, I check with the analytics engines and storage companies that course of, retailer, or handle entry to your information: Amazon Redshift, Athena, S3, EMR, and others.
To know the good thing about trusted identification propagation, let’s briefly speak about how information entry was granted till at present. When a user-facing software accesses information from a downstream service, both the upstream service makes use of generic credentials (comparable to “tableau_user“) or assumes an IAM function to authenticate in opposition to the downstream service. That is the supply of two challenges.
First, it makes it tough for the downstream service administrator to outline entry insurance policies which might be fine-tuned for the precise consumer making the request. As seen from the downstream service, all requests originate from that widespread consumer or IAM function. If Jeff and Jane are each mapped to the BusinessAnalytics IAM function, then it’s not potential to offer them completely different ranges of entry, for instance, readonly and read-write. Moreover, if Jeff can be within the Finance group, he wants to decide on a task by which to function; he can not entry information from each teams in the identical session.
Secondly, the duty of associating a data-access occasion to an finish consumer includes some undifferentiated heavy lifting. If the request originates from an IAM function known as BusinessAnalytics, then further work is required to determine which consumer was behind that motion.
Nicely, this explicit instance would possibly look quite simple, however in actual life, organizations have tons of of customers and hundreds of teams to match to tons of of datasets. There was a possibility for us to Invent and Simplify.
As soon as configured, the brand new trusted identification propagation offers a technical mechanism for user-facing functions to entry information on behalf of the particular consumer behind the keyboard. Understanding the precise consumer identification presents three primary benefits.
First, it permits downstream service directors to create and handle entry insurance policies based mostly on precise consumer identities, the teams they belong to, or a mix of the 2. Downstream service directors can now assign entry by way of customers, teams, and datasets. That is the way in which most of our prospects naturally take into consideration entry to information—intermediate mappings to IAM roles are now not needed to attain these patterns.
Second, auditors now have entry to the authentic consumer identification in system logs and may confirm that insurance policies are carried out accurately and observe all necessities of the corporate or industry-level insurance policies.
Third, customers of BI functions can profit from single sign-on between functions. Your end-users now not want to grasp your organization’s AWS accounts and IAM roles. As an alternative, they will check in to EMR Studio (for instance) utilizing their company single sign-on that they’re used to for thus many different issues they do at work.
How does trusted identification propagation work?
Trusted identification propagation depends on commonplace mechanisms from our {industry}: OAuth2 and JWT. OAuth2 is an open commonplace for entry delegation that permits customers to grant third-party user-facing functions entry to information on different companies (downstream companies) with out exposing their credentials. JWT (JSON Internet Token) is a compact, URL-safe technique of representing identities and claims to be transferred between two events. JWTs are signed, which implies their integrity and authenticity will be verified.
Learn how to configure trusted identification propagation
Configuring trusted identification propagation requires setup in IAM Id Heart, on the user-facing software, and on the downstream service as a result of every of those must be advised to work with end-user identities. Though the particulars will probably be completely different for every software, they are going to all observe this sample:
- Configure an identification supply in AWS IAM Id Heart. AWS recommends enabling automated provisioning in case your identification supplier helps it, as most do. Automated provisioning works via the SCIM synchronization commonplace to synchronize your listing customers and teams into IAM Id Heart. You in all probability have configured this already in case you at present use IAM Id Heart to federate your workforce into the AWS Administration Console. This can be a one-time configuration, and also you don’t must repeat this step for every user-facing software.
- Configure your user-facing software to authenticate its customers together with your identification supplier. For instance, configure Tableau to make use of Okta.
- Configure the connection between the user-facing software and the downstream service. For instance, configure Tableau to entry Amazon Redshift. In some instances, it requires utilizing the ODBC or JDBC driver for Redshift.
Then comes the configuration particular to trusted identification propagation. For instance, think about your group has developed a user-facing internet software that authenticates the customers together with your identification supplier, and that you just wish to entry information in AWS on behalf of the present authenticated consumer. For this use case, you’ll create a trusted token issuer in IAM Id Heart. This highly effective new assemble offers you a solution to map your software’s authenticated customers to the customers in your IAM Id Heart listing in order that it could actually make use of trusted identification propagation. My colleague Becky wrote a weblog put up to point out you tips on how to develop such an software. This extra configuration is required solely when utilizing third-party functions, comparable to Tableau, or a customer-developed software, that authenticate exterior of AWS. When utilizing user-facing functions managed by AWS, comparable to Amazon QuickSight, no additional setup is required.
Lastly, downstream service directors should configure the entry insurance policies based mostly on the consumer identification and group memberships. The precise configuration varies from one downstream service to the opposite. If the appliance reads or writes information in Amazon S3, the info proprietor could use S3 Entry Grants within the Amazon S3 console to grant entry for customers and teams to prefixes in Amazon S3. If the appliance makes queries to an Amazon Redshift information warehouse, the info proprietor should configure IAM Id Heart trusted connection within the Amazon Redshift console and match the viewers declare (aud) from the identification supplier.
Now that you’ve got a high-level overview of the configuration, let’s dive into a very powerful half: the consumer expertise.
The top-user expertise
Though the exact expertise of the tip consumer will clearly be completely different for various functions, in all instances, will probably be easier and extra acquainted to workforce customers than earlier than. The consumer interplay will start with a redirect-based authentication single sign-on stream that takes the consumer to their identification supplier, the place they will check in with credentials, multi-factor authentication, and so forth.
Let’s have a look at the small print of how an finish consumer would possibly work together with Okta and Tableau when trusted identification propagation has been configured.
Right here is an illustration of the stream and the primary interactions between methods and companies.
Right here’s the way it goes.
1. As a consumer, I try and check in to Tableau.
2. Tableau initiates a browser-based stream and redirects to the Okta sign-in web page the place I can enter my sign-in credentials. On profitable authentication, Okta points an authentication token (ID and entry token) to Tableau.
3. Tableau initiates a JDBC reference to Amazon Redshift and consists of the entry token within the connection request. The Amazon Redshift JDBC driver makes a name to Amazon Redshift. As a result of your Amazon Redshift administrator enabled IAM Id Heart, Amazon Redshift forwards the entry token to IAM Id Heart.
4. IAM Id Heart verifies and validates the entry token and alternate the entry token for an Id Heart issued token.
5. Amazon Redshift will resolve the Id Heart token to find out the corresponding Id Heart consumer and authorize entry to the useful resource. Upon profitable authorization, I can join from Tableau to Amazon Redshift.
As soon as authenticated, I can begin to use Tableau as normal.
And once I hook up with Amazon Redshift Question Editor, I can observe the sys_query_history desk to examine who was the consumer who made the question. It accurately studies awsidc:<electronic mail tackle>, the Okta electronic mail tackle I used once I linked from Tableau.
You possibly can learn Tableau’s documentation for extra particulars about this configuration.
Pricing and availability
Trusted identification propagation is offered at no further value in the 26 AWS Areas the place AWS IAM Id Heart is offered at present.
Listed here are extra particulars about trusted identification propagation and downstream service configurations.
Completely satisfied studying!
With trusted identification propagation, now you can configure analytics methods to propagate the precise consumer identification, group membership, and attributes to AWS companies comparable to Amazon Redshift, Amazon Athena, or Amazon S3. It simplifies the administration of entry insurance policies on these companies. It additionally permits auditors to confirm your group’s compliance posture to know the true identification of customers accessing information.
Get began now and configure your Tableau integration with Amazon Redshift.
PS: Writing a weblog put up at AWS is all the time a crew effort, even once you see just one identify underneath the put up title. On this case, I wish to thank Eva Mineva, Laura Reith, and Roberto Migli for his or her much-appreciated assist in understanding the various subtleties and technical particulars of trusted identification propagation.