|
I’m happy to announce a brand new use case primarily based on trusted id propagation, a lately launched functionality of AWS IAM Id Middle.
Tableau, a generally used enterprise intelligence (BI) software, can now propagate end-user id right down to Amazon Redshift. This has a triple profit. It simplifies the sign-in expertise for finish customers. It permits knowledge homeowners to outline entry primarily based on actual end-user id. It permits auditors to confirm knowledge entry by customers.
Trusted id propagation permits purposes that devour knowledge (similar to Tableau, Amazon QuickSight, Amazon Redshift Question Editor, Amazon EMR Studio, and others) to propagate the consumer’s id and group memberships to the providers that retailer and handle entry to the information, similar to Amazon Redshift, Amazon Athena, Amazon Easy Storage Service (Amazon S3), Amazon EMR, and others. Trusted id propagation is a functionality of IAM Id Middle that improves the sign-in expertise throughout a number of analytics purposes, simplifies knowledge entry administration, and simplifies audit. Finish customers profit from single sign-on and wouldn’t have to specify the IAM roles they need to assume to hook up with the system.
Earlier than diving into extra particulars, let’s agree on terminology.
I take advantage of the time period “id suppliers” to discuss with the programs that maintain consumer identities and group memberships. These are the programs that immediate the consumer for credentials and carry out the authentication. For instance, Azure Listing, Okta, Ping Id, and extra. Examine the total listing of id suppliers we assist.
I take advantage of the time period “user-facing purposes” to designate the purposes that devour knowledge, similar to Tableau, Microsoft PowerBI, QuickSight, Amazon Redshift Question Editor, and others.
And eventually, once I write “downstream providers”, I discuss with the analytics engines and storage providers that course of, retailer, or handle entry to your knowledge: Amazon Redshift, Athena, S3, EMR, and others.
To know the advantage of trusted id propagation, let’s briefly speak about how knowledge entry was granted till at this time. When a user-facing software accesses knowledge from a downstream service, both the upstream service makes use of generic credentials (similar to “tableau_user“) or assumes an IAM function to authenticate in opposition to the downstream service. That is the supply of two challenges.
First, it makes it troublesome for the downstream service administrator to outline entry insurance policies which might be fine-tuned for the precise consumer making the request. As seen from the downstream service, all requests originate from that widespread consumer or IAM function. If Jeff and Jane are each mapped to the BusinessAnalytics IAM function, then it’s not attainable to offer them totally different ranges of entry, for instance, readonly and read-write. Moreover, if Jeff can be within the Finance group, he wants to decide on a job during which to function; he can’t entry knowledge from each teams in the identical session.
Secondly, the duty of associating a data-access occasion to an finish consumer entails some undifferentiated heavy lifting. If the request originates from an IAM function referred to as BusinessAnalytics, then further work is required to determine which consumer was behind that motion.
Nicely, this specific instance would possibly look quite simple, however in actual life, organizations have tons of of customers and hundreds of teams to match to tons of of datasets. There was a chance for us to Invent and Simplify.
As soon as configured, the brand new trusted id propagation gives a technical mechanism for user-facing purposes to entry knowledge on behalf of the particular consumer behind the keyboard. Understanding the precise consumer id presents three fundamental benefits.
First, it permits downstream service directors to create and handle entry insurance policies primarily based on precise consumer identities, the teams they belong to, or a mixture of the 2. Downstream service directors can now assign entry by way of customers, teams, and datasets. That is the way in which most of our prospects naturally take into consideration entry to knowledge—intermediate mappings to IAM roles are now not obligatory to realize these patterns.
Second, auditors now have entry to the authentic consumer id in system logs and might confirm that insurance policies are applied accurately and observe all necessities of the corporate or industry-level insurance policies.
Third, customers of BI purposes can profit from single sign-on between purposes. Your end-users now not want to grasp your organization’s AWS accounts and IAM roles. As an alternative, they’ll sign up to EMR Studio (for instance) utilizing their company single sign-on that they’re used to for therefore many different issues they do at work.
How does trusted id propagation work?
Trusted id propagation depends on normal mechanisms from our {industry}: OAuth2 and JWT. OAuth2 is an open normal for entry delegation that permits customers to grant third-party user-facing purposes entry to knowledge on different providers (downstream providers) with out exposing their credentials. JWT (JSON Internet Token) is a compact, URL-safe technique of representing identities and claims to be transferred between two events. JWTs are signed, which suggests their integrity and authenticity could be verified.
The right way to configure trusted id propagation
Configuring trusted id propagation requires setup in IAM Id Middle, on the user-facing software, and on the downstream service as a result of every of those must be instructed to work with end-user identities. Though the particulars might be totally different for every software, they may all observe this sample:
- Configure an id supply in AWS IAM Id Middle. AWS recommends enabling automated provisioning in case your id supplier helps it, as most do. Automated provisioning works by means of the SCIM synchronization normal to synchronize your listing customers and teams into IAM Id Middle. You most likely have configured this already when you presently use IAM Id Middle to federate your workforce into the AWS Administration Console. It is a one-time configuration, and also you don’t should repeat this step for every user-facing software.
- Configure your user-facing software to authenticate its customers along with your id supplier. For instance, configure Tableau to make use of Okta.
- Configure the connection between the user-facing software and the downstream service. For instance, configure Tableau to entry Amazon Redshift. In some circumstances, it requires utilizing the ODBC or JDBC driver for Redshift.
Then comes the configuration particular to trusted id propagation. For instance, think about your group has developed a user-facing net software that authenticates the customers along with your id supplier, and that you simply need to entry knowledge in AWS on behalf of the present authenticated consumer. For this use case, you’d create a trusted token issuer in IAM Id Middle. This highly effective new assemble provides you a solution to map your software’s authenticated customers to the customers in your IAM Id Middle listing in order that it will possibly make use of trusted id propagation. My colleague Becky wrote a weblog publish to point out you find out how to develop such an software. This extra configuration is required solely when utilizing third-party purposes, similar to Tableau, or a customer-developed software, that authenticate exterior of AWS. When utilizing user-facing purposes managed by AWS, similar to Amazon QuickSight, no additional setup is required.
Lastly, downstream service directors should configure the entry insurance policies primarily based on the consumer id and group memberships. The precise configuration varies from one downstream service to the opposite. If the applying reads or writes knowledge in Amazon S3, the information proprietor could use S3 Entry Grants within the Amazon S3 console to grant entry for customers and teams to prefixes in Amazon S3. If the applying makes queries to an Amazon Redshift knowledge warehouse, the information proprietor should configure IAM Id Middle trusted connection within the Amazon Redshift console and match the viewers declare (aud) from the id supplier.
Now that you’ve a high-level overview of the configuration, let’s dive into crucial half: the consumer expertise.
The top-user expertise
Though the exact expertise of the top consumer will clearly be totally different for various purposes, in all circumstances, it will likely be easier and extra acquainted to workforce customers than earlier than. The consumer interplay will start with a redirect-based authentication single sign-on move that takes the consumer to their id supplier, the place they’ll sign up with credentials, multi-factor authentication, and so forth.
Let’s take a look at the main points of how an finish consumer would possibly work together with Okta and Tableau when trusted id propagation has been configured.
Right here is an illustration of the move and the principle interactions between programs and providers.
Right here’s the way it goes.
1. As a consumer, I try and sign up to Tableau.
2. Tableau initiates a browser-based move and redirects to the Okta sign-in web page the place I can enter my sign-in credentials. On profitable authentication, Okta points an authentication token (ID and entry token) to Tableau.
3. Tableau initiates a JDBC reference to Amazon Redshift and consists of the entry token within the connection request. The Amazon Redshift JDBC driver makes a name to Amazon Redshift. As a result of your Amazon Redshift administrator enabled IAM Id Middle, Amazon Redshift forwards the entry token to IAM Id Middle.
4. IAM Id Middle verifies and validates the entry token and change the entry token for an Id Middle issued token.
5. Amazon Redshift will resolve the Id Middle token to find out the corresponding Id Middle consumer and authorize entry to the useful resource. Upon profitable authorization, I can join from Tableau to Amazon Redshift.
As soon as authenticated, I can begin to use Tableau as common.
And once I connect with Amazon Redshift Question Editor, I can observe the sys_query_history desk to test who was the consumer who made the question. It accurately studies awsidc:<electronic mail tackle>, the Okta electronic mail tackle I used once I related from Tableau.
You’ll be able to learn Tableau’s documentation for extra particulars about this configuration.
Pricing and availability
Trusted id propagation is supplied at no further price in the 26 AWS Areas the place AWS IAM Id Middle is on the market at this time.
Listed below are extra particulars about trusted id propagation and downstream service configurations.
Joyful studying!
With trusted id propagation, now you can configure analytics programs to propagate the precise consumer id, group membership, and attributes to AWS providers similar to Amazon Redshift, Amazon Athena, or Amazon S3. It simplifies the administration of entry insurance policies on these providers. It additionally permits auditors to confirm your group’s compliance posture to know the true id of customers accessing knowledge.
Get began now and configure your Tableau integration with Amazon Redshift.
PS: Writing a weblog publish at AWS is at all times a crew effort, even once you see just one identify underneath the publish title. On this case, I need to thank Eva Mineva, Laura Reith, and Roberto Migli for his or her much-appreciated assist in understanding the numerous subtleties and technical particulars of trusted id propagation.
