ALTER IDENTITY PROVIDER
Alters an existing identity provider to assign new parameters and values. When you run this command with PARAMETERS, all previously set parameter values are deleted before the new values are assigned, so the parameter string must contain the complete set of parameters the provider needs, not only the ones you want to change. Only a superuser can alter an identity provider.
Syntax
ALTER IDENTITY PROVIDER identity_provider_name
[PARAMETERS parameter_string]
[NAMESPACE namespace]
[IAM_ROLE iam_role]
[AUTO_CREATE_ROLES [ TRUE [ { INCLUDE | EXCLUDE } GROUPS LIKE filter_pattern ] | FALSE ] ]
[DISABLE | ENABLE]
Parameters
- identity_provider_name
-
Name of the identity provider to alter. For more information about valid names, see Names and identifiers.
- parameter_string
-
A string containing a properly formatted JSON object that contains the parameters and values required for the specific identity provider. Values such as client secrets are passed in this string as part of the SQL statement text, so treat the statement as credential material: don't store it in shared scripts or version control.
- namespace
-
The organization namespace.
- iam_role
-
The IAM role that provides permissions for the connection to IAM Identity Center. This parameter is applicable only when the identity-provider type is AWSIDC.
- auto_create_roles
-
Enables or disables the auto-create role feature. The default is FALSE if no option is provided in the SQL, and TRUE if an option is provided without any value. To limit role creation to certain groups, specify INCLUDE GROUPS LIKE filter_pattern. The default is empty, which means include all groups if AUTO_CREATE_ROLES is on. To keep certain groups out, specify EXCLUDE GROUPS LIKE filter_pattern. The default is empty, which means do not exclude any groups if AUTO_CREATE_ROLES is on.
- DISABLE or ENABLE
-
Turns an identity provider on or off. The default is ENABLE.
Examples
The following example alters an identity provider named oauth_standard. It applies when Microsoft Azure AD is the identity provider. The values shown for issuer, client_id, and client_secret are placeholders; because PARAMETERS replaces the whole parameter set, every required key must be supplied again.
ALTER IDENTITY PROVIDER oauth_standard PARAMETERS '{"issuer":"https://sts.windows.net/2sdfdsf-d475-420d-b5ac-667adad7c702/", "client_id":"87f4aa26-78b7-410e-bf29-57b39929ef9a", "client_secret":"BUAH~ewrqewrqwerUUY^%tHe1oNZShoiU7", "audience":["https://analysis.windows.net/powerbi/connector/AmazonRedshift"] }'
The following sample shows how to set the identity-provider namespace. This can apply to Microsoft Azure AD, if it follows a statement like the previous sample, or to another identity provider. It can also apply to a case where you connect an existing Amazon Redshift provisioned cluster or Amazon Redshift Serverless workgroup to IAM Identity Center, if you have a connection set up through a managed application.
ALTER IDENTITY PROVIDER "my-redshift-idc-application" NAMESPACE 'MYCO';
The following sample sets the IAM role and works in the use case for configuring Redshift integration with IAM Identity Center.
ALTER IDENTITY PROVIDER "my-redshift-idc-application" IAM_ROLE 'arn:aws:iam::123456789012:role/myadministratorrole';
For more information about setting up a connection to IAM Identity Center from Redshift, see Connect Redshift with IAM Identity Center to give users a single sign-on experience.
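The following statements are an added example, not part of the original page, showing the AUTO_CREATE_ROLES clause described under Parameters together with a re-applied PARAMETERS string. The provider name oauth_standard is taken from the earlier example; the group name patterns ('data-%', 'admin-%'), the placeholder issuer, client_id, and client_secret values, and the use of the SVV_IDENTITY_PROVIDERS system view for verification are assumptions for illustration.

```sql
-- Added example (not from the original page). Names, patterns and
-- credential values below are placeholders chosen for illustration.

-- 1. Re-apply the complete parameter set. PARAMETERS replaces every
--    previously stored value, so omitting a key here would drop it.
ALTER IDENTITY PROVIDER oauth_standard
PARAMETERS '{
  "issuer": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
  "client_id": "11111111-2222-3333-4444-555555555555",
  "client_secret": "PLACEHOLDER-client-secret-value",
  "audience": ["https://analysis.windows.net/powerbi/connector/AmazonRedshift"]
}';

-- 2. Turn on automatic role creation, but only for IdP groups whose
--    names match the assumed pattern 'data-%'. Groups that do not
--    match get no Redshift role created for them.
ALTER IDENTITY PROVIDER oauth_standard
AUTO_CREATE_ROLES TRUE INCLUDE GROUPS LIKE 'data-%';

-- 3. Alternative: create roles for every group except those matching
--    the assumed pattern 'admin-%', so privileged IdP groups are never
--    mapped to roles automatically.
ALTER IDENTITY PROVIDER oauth_standard
AUTO_CREATE_ROLES TRUE EXCLUDE GROUPS LIKE 'admin-%';

-- 4. Switch automatic role creation off again.
ALTER IDENTITY PROVIDER oauth_standard
AUTO_CREATE_ROLES FALSE;

-- 5. Inspect the provider's current settings. This assumes the
--    SVV_IDENTITY_PROVIDERS system view is available on the cluster.
SELECT *
FROM svv_identity_providers
WHERE name = 'oauth_standard';
```

Step 2 and step 3 are alternatives: the second ALTER replaces the group filter set by the first, so apply only the one that matches your policy. Run each statement as a superuser, and issue the verification query after every change so you can confirm that no key was dropped from the parameter set.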
Disabling an identity provider
The following sample statement shows how to disable an identity provider. When it's disabled, federated users from the identity provider can't log in to the cluster until it's enabled again.
ALTER IDENTITY PROVIDER "redshift-idc-app" DISABLE;