ALTER IDENTITY PROVIDER - Amazon Redshift

ALTER IDENTITY PROVIDER

Alters an identity provider to assign new parameters and values. When you run this command, all previously set parameter values are deleted before the new values are assigned. Only a superuser can alter an identity provider.

Syntax

ALTER IDENTITY PROVIDER identity_provider_name [PARAMETERS parameter_string] [NAMESPACE namespace] [IAM_ROLE iam_role] [AUTO_CREATE_ROLES [ TRUE [ { INCLUDE | EXCLUDE } GROUPS LIKE filter_pattern] | FALSE ] [DISABLE | ENABLE]

Parameters

identity_provider_name

Name of the new identity provider. For more information about valid names, see Names and identifiers.

parameter_string

A string containing a properly formatted JSON object that contains parameters and values required for the specific identity provider.

namespace

The organization namespace.

iam_role

The IAM role that provides permissions for the connection to IAM Identity Center. This parameter is applicable only when the identity-provider type is AWSIDC.

auto_create_roles

Enables or disables the auto-create role feature. The default is FALSE if no option is provided in the SQL, and TRUE if an option is provided without any value.

To include groups, specify INCLUDE. The default is empty, which means include all groups if AUTO_CREATES_ROLES is on.

To exclude groups, specify EXCLUDE. The default is empty, which means do not exclude any groups if AUTO_CREATES_ROLES is on.

DISABLE or ENABLE

Turns an identity provider on or off. The default is ENABLE

Examples

The following example alters an identity provider named oauth_standard. It applies specifically to when Microsoft Azure AD is the identity provider.

ALTER IDENTITY PROVIDER oauth_standard PARAMETERS '{"issuer":"https://sts.windows.net/2sdfdsf-d475-420d-b5ac-667adad7c702/", "client_id":"87f4aa26-78b7-410e-bf29-57b39929ef9a", "client_secret":"BUAH~ewrqewrqwerUUY^%tHe1oNZShoiU7", "audience":["https://analysis.windows.net/powerbi/connector/AmazonRedshift"] }'

The following sample shows how to set the identity-provider namespace. This can apply to Microsoft Azure AD, if it follows a statement like the previous sample, or to another identity provider. It can also apply to a case where you connect an existing Amazon Redshift provisioned cluster or Amazon Redshift Serverless workgroup to IAM Identity Center, if you have a connection set up through a managed application.

ALTER IDENTITY PROVIDER "my-redshift-idc-application" NAMESPACE 'MYCO';

The following sample sets the IAM role and works in the use case for configuring Redshift integration with IAM Identity Center.

ALTER IDENTITY PROVIDER "my-redshift-idc-application" IAM_ROLE 'arn:aws:iam::123456789012:role/myadministratorrole';

For more information about setting up a connection to IAM Identity Center from Redshift, see Connect Redshift with IAM Identity Center to give users a single sign-on experience.

Disabling an identity provider

The following sample statement shows how to disable an identity provider. When it's disabled, federated users from the identity provider can't login to the cluster until it's enabled again.

ALTER IDENTITY PROVIDER "redshift-idc-app" DISABLE;