Authorizing connections from Amazon QuickSight to Amazon Redshift clusters
Applies to: Enterprise Edition and Standard Edition

Intended audience: System administrators
You can provide access to Amazon Redshift data using three authentication methods: trusted identity propagation, run-as IAM role, or Amazon Redshift database credentials.
With trusted identity propagation, a user's identity is passed to Amazon Redshift with single sign-on that is managed by IAM Identity Center. A user who accesses a dashboard in QuickSight has their identity propagated to Amazon Redshift. In Amazon Redshift, fine-grained data permissions are applied to the data before it is presented to the user in a QuickSight asset. QuickSight authors can also connect to Amazon Redshift data sources without entering a password or specifying an IAM role. If Amazon Redshift Spectrum is used, all permission management is centralized in Amazon Redshift.

Trusted identity propagation is supported when QuickSight and Amazon Redshift use the same organization instance of IAM Identity Center. Trusted identity propagation is not currently supported for the following features:
- SPICE datasets
- Custom SQL on data sources
- Alerts
- Email reports
- Amazon QuickSight Q
- CSV, Excel, and PDF exports
- Anomaly detection

For Amazon QuickSight to connect to an Amazon Redshift instance, you must create a new security group for that instance. This security group contains an inbound rule that authorizes access from the appropriate IP address range for the Amazon QuickSight servers in that AWS Region. To learn more about authorizing Amazon QuickSight connections, see Manually enabling access to an Amazon Redshift cluster in a VPC.
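
One way to check such a security group once it exists, as an added example that is not part of the AWS documentation: it audits the inbound rules (in the shape returned by `aws ec2 describe-security-groups`) and reports any source that reaches the cluster port from outside the intended range. The port 5439 (the Amazon Redshift default), the function name, and the CIDR (a documentation-range placeholder standing in for the QuickSight range of your AWS Region) are assumptions.

```python
import ipaddress

# Assumptions (not from the page): 5439 is the Redshift default port; the CIDR
# below is a documentation-range placeholder, NOT a real QuickSight range.
REDSHIFT_PORT = 5439
QUICKSIGHT_CIDR_PLACEHOLDER = "203.0.113.0/27"

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_GROUP = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
         "IpRanges": [{"CidrIp": "203.0.113.0/27"}]},   # the intended rule
        {"IpProtocol": "tcp", "FromPort": 5439, "ToPort": 5439,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},        # open to the internet
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "203.0.113.0/27"}]},   # right source, too many ports
    ],
}


def audit_inbound(group, allowed_cidr, port=REDSHIFT_PORT):
    """Return (has_required_rule, findings) for one security group dict."""
    allowed = ipaddress.ip_network(allowed_cidr)
    has_required, findings = False, []
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        all_traffic = proto == "-1"  # "-1" means every protocol and port
        if not all_traffic and (proto != "tcp" or lo is None or not lo <= port <= hi):
            continue  # this rule does not reach the cluster port
        exact_port = not all_traffic and lo == hi == port
        for rng in perm.get("IpRanges", []):
            src = ipaddress.ip_network(rng["CidrIp"], strict=False)
            if not src.subnet_of(allowed):
                findings.append(f"{src} reaches port {port} but is outside {allowed}")
            elif not exact_port:
                findings.append(f"{src} is allowed on more ports than {port}")
            elif src == allowed:
                has_required = True
        for rng in perm.get("Ipv6Ranges", []):
            findings.append(f"{rng['CidrIpv6']} (IPv6) reaches port {port}")
    return has_required, findings
```
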
Enabling connections from Amazon QuickSight servers to your cluster is just one of several prerequisites for creating a dataset based on an AWS database data source. For more information about what is required, see Creating a dataset from a database.