Enabling trusted identity propagation in QuickSight
To configure QuickSight to connect to Amazon Redshift data sources with trusted identity propagation, configure Amazon Redshift OAuth scopes to your QuickSight account.
To add a scope that allows QuickSight to authorize identity propagation to Amazon Redshift, specify the AWS account ID of the QuickSight account and the service that you want to authorize identity propagation with, in this case 'REDSHIFT'.
Specify the IAM Identity Center application ARN of the Amazon Redshift cluster that you are authorizing Amazon QuickSight to propagate user identities to. You can find this ARN in the Amazon Redshift console. If you don't specify authorized targets for the Amazon Redshift scope, QuickSight authorizes users from any Amazon Redshift cluster that shares the same IAM Identity Center instance, so list the specific clusters you intend to allow. The following example configures QuickSight to connect to two Amazon Redshift data sources with trusted identity propagation.
aws quicksight update-identity-propagation-config \
    --aws-account-id "AWSACCOUNTID" \
    --service "REDSHIFT" \
    --authorized-targets "arn:aws:sso::XXXXXXXXXXXX:application/ssoins-XXXXXXXXXXXX/apl-XXXXXXXXXXXX" "arn:aws:sso::XXXXXXXXXXXX:application/ssoins-XXXXXXXXXXXX/apl-XXXXXXXXXXXX"
The following example deletes the Amazon Redshift OAuth scope from a QuickSight account. The delete operation takes only the account ID and the service; it removes the scope together with all of its authorized targets, so it does not accept a list of target ARNs.
aws quicksight delete-identity-propagation-config \
    --aws-account-id "AWSACCOUNTID" \
    --service "REDSHIFT"
The following example lists all OAuth scopes that are currently on a QuickSight account.
aws quicksight list-identity-propagation-configs --aws-account-id "AWSACCOUNTID"