CREATE IDENTITY PROVIDER - Amazon Redshift

Defines a new identity provider. Only a superuser can create an identity provider.

Syntax

CREATE IDENTITY PROVIDER identity_provider_name
TYPE type_name
NAMESPACE namespace_name
[PARAMETERS parameter_string]
[APPLICATION_ARN arn]
[IAM_ROLE iam_role]
[AUTO_CREATE_ROLES [ TRUE [ { INCLUDE | EXCLUDE } GROUPS LIKE filter_pattern ] | FALSE ] ];

Parameters

identity_provider_name

Name of the new identity provider. For more information about valid names, see Names and identifiers.

type_name

The identity provider to interface with. Azure is currently the only supported identity provider.

namespace_name

The namespace. This is a unique, shorthand identifier for the identity provider directory.

parameter_string

A string containing a properly formatted JSON object that contains parameters and values required for the identity provider.

arn

The Amazon resource name (ARN) for an IAM Identity Center managed application. This parameter is applicable only when the identity-provider type is AWSIDC.

iam_role

The IAM role that provides permissions to make the connection to IAM Identity Center. This parameter is applicable only when the identity-provider type is AWSIDC.

auto_create_roles

Enables or disables the auto-create role feature. The default is FALSE when the clause is omitted from the SQL, and TRUE when AUTO_CREATE_ROLES is specified without a value.

To include only certain groups, specify INCLUDE with a filter pattern. The default is empty, which means all groups are included when AUTO_CREATE_ROLES is on.

To exclude certain groups, specify EXCLUDE with a filter pattern. The default is empty, which means no groups are excluded when AUTO_CREATE_ROLES is on.
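The following is an added example, not part of the AWS documentation, showing how to preview which identity-provider groups an AUTO_CREATE_ROLES clause would act on before running the statement. It assumes that filter_pattern follows SQL LIKE semantics (% matches any run of characters, _ matches one character, matching is case-sensitive); that assumption, the sample group names and the helper names are all constructed for this example.

```python
import re

# Constructed sample of group names as an identity provider might return them.
SAMPLE_GROUPS = ["redshift-analysts", "redshift-admins", "finance-readers", "it-helpdesk"]


def like_to_regex(pattern: str) -> re.Pattern:
    """Translate a SQL LIKE pattern into an anchored regular expression.

    Assumption: '%' matches any run of characters, '_' exactly one, and
    every other character matches itself (case-sensitive).
    """
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def groups_to_auto_create(groups, mode=None, filter_pattern=None):
    """Return the groups for which a role would be auto-created.

    mode is None (no filter: every group), "INCLUDE" (only groups matching
    filter_pattern) or "EXCLUDE" (every group except those matching it).
    """
    if mode is None:
        return list(groups)
    if filter_pattern is None:
        raise ValueError("INCLUDE/EXCLUDE requires a filter pattern")
    rx = like_to_regex(filter_pattern)
    if mode == "INCLUDE":
        return [g for g in groups if rx.match(g)]
    if mode == "EXCLUDE":
        return [g for g in groups if not rx.match(g)]
    raise ValueError("mode must be None, 'INCLUDE' or 'EXCLUDE'")


def auto_create_roles_clause(mode=None, filter_pattern=None, enabled=True) -> str:
    """Render the AUTO_CREATE_ROLES clause, quoting the pattern as a SQL literal."""
    if not enabled:
        return "AUTO_CREATE_ROLES FALSE"
    clause = "AUTO_CREATE_ROLES TRUE"
    if mode is not None:
        literal = "'" + filter_pattern.replace("'", "''") + "'"
        clause += f" {mode} GROUPS LIKE {literal}"
    return clause


if __name__ == "__main__":
    # Preview the effect of an INCLUDE filter on the constructed sample groups.
    print(auto_create_roles_clause("INCLUDE", "redshift-%"))
    print(groups_to_auto_create(SAMPLE_GROUPS, "INCLUDE", "redshift-%"))
```

Reviewing the preview against the directory's actual group list is a cheap way to catch an over-broad INCLUDE pattern (or a mistyped EXCLUDE) before roles are created for groups that should not have database access.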

Examples

The following example creates an identity provider named oauth_standard, with TYPE azure, to establish communication with Microsoft Azure Active Directory (AD).

CREATE IDENTITY PROVIDER oauth_standard TYPE azure NAMESPACE 'aad' PARAMETERS '{
    "issuer": "https://sts.windows.net/2sdfdsf-d475-420d-b5ac-667adad7c702/",
    "client_id": "87f4aa26-78b7-410e-bf29-57b39929ef9a",
    "client_secret": "BUAH~ewrqewrqwerUUY^%tHe1oNZShoiU7",
    "audience": ["https://analysis.windows.net/powerbi/connector/AmazonRedshift"]
}';

You can connect an IAM Identity Center managed application with an existing provisioned cluster or Amazon Redshift Serverless workgroup. This gives you the ability to manage access to a Redshift database through IAM Identity Center. To do so, run a SQL command like the following sample. You have to be a database administrator.

CREATE IDENTITY PROVIDER "redshift-idc-app" TYPE AWSIDC NAMESPACE 'awsidc' APPLICATION_ARN 'arn:aws:sso::123456789012:application/ssoins-12345f67fe123d4/apl-a0b0a12dc123b1a4' IAM_ROLE 'arn:aws:iam::123456789012:role/MyRedshiftRole';

The application ARN in this case identifies the managed application to connect to. You can find it by running SELECT * FROM SVV_IDENTITY_PROVIDERS;.
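The following is an added example, not AWS code, that assembles both forms of the statement shown above (the azure form with a PARAMETERS JSON object, and the AWSIDC form with APPLICATION_ARN and IAM_ROLE) from structured input rather than hand-edited strings. It serializes the parameters with a JSON library and doubles single quotes inside SQL literals, so a client secret containing a quote cannot break the statement, and it provides a redaction helper for copying the statement into a ticket or log. The required azure key list is taken from the page's azure example and is an assumption about what that provider needs; the tenant, client and secret values are constructed placeholders.

```python
import json
import re

# Provider types as they appear on this page. The azure key list mirrors the
# page's azure example and is an assumption about what that provider requires.
SUPPORTED_TYPES = ("azure", "AWSIDC")
REQUIRED_AZURE_KEYS = ("issuer", "client_id", "client_secret", "audience")


def sql_literal(value: str) -> str:
    """Quote a string as a SQL single-quoted literal; embedded quotes are doubled."""
    return "'" + value.replace("'", "''") + "'"


def sql_identifier(name: str) -> str:
    """Double-quote an identifier so names such as redshift-idc-app are accepted."""
    return '"' + name.replace('"', '""') + '"'


def missing_azure_keys(params: dict) -> list:
    """Return the azure parameter keys that are absent from params."""
    return [k for k in REQUIRED_AZURE_KEYS if k not in params]


def azure_parameter_string(params: dict) -> str:
    """Serialize the PARAMETERS JSON object, rejecting incomplete input early."""
    missing = missing_azure_keys(params)
    if missing:
        raise ValueError(f"missing azure parameters: {missing}")
    if not isinstance(params["audience"], list):
        raise ValueError("audience must be a JSON array")
    # Compact, valid JSON: no hand-written braces or quoting to get wrong.
    return json.dumps(params, separators=(",", ":"))


def create_identity_provider_sql(name, type_name, namespace, params=None,
                                 application_arn=None, iam_role=None) -> str:
    """Assemble a CREATE IDENTITY PROVIDER statement for either provider type."""
    if type_name not in SUPPORTED_TYPES:
        raise ValueError(f"unsupported TYPE {type_name!r}")
    parts = [f"CREATE IDENTITY PROVIDER {sql_identifier(name)}",
             f"TYPE {type_name}",
             f"NAMESPACE {sql_literal(namespace)}"]
    if type_name == "azure":
        parts.append(f"PARAMETERS {sql_literal(azure_parameter_string(params or {}))}")
    else:  # AWSIDC takes APPLICATION_ARN and IAM_ROLE instead of PARAMETERS
        if not (application_arn and iam_role):
            raise ValueError("AWSIDC requires application_arn and iam_role")
        parts.append(f"APPLICATION_ARN {sql_literal(application_arn)}")
        parts.append(f"IAM_ROLE {sql_literal(iam_role)}")
    return " ".join(parts) + ";"


# Matches the client_secret value inside the JSON, including escaped characters.
_SECRET_RE = re.compile(r'("client_secret":")(?:[^"\\]|\\.)*(")')


def redact_client_secret(sql: str) -> str:
    """Mask the client_secret value so the statement can be shared or logged."""
    return _SECRET_RE.sub(r"\1***\2", sql)


if __name__ == "__main__":
    # Constructed placeholder values; not a real tenant, client or secret.
    sql = create_identity_provider_sql(
        "oauth_standard", "azure", "aad",
        params={"issuer": "https://login.example.test/tenant-placeholder/",
                "client_id": "client-id-placeholder",
                "client_secret": "sec'ret",
                "audience": ["https://analysis.example.test/redshift"]})
    print(redact_client_secret(sql))
```

Because the PARAMETERS string carries the client secret in clear text, keep the unredacted statement out of change tickets, chat and shell history; generate it at the point of execution and share only the redacted form when a reviewer needs to see it.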

For more information about using CREATE IDENTITY PROVIDER, including additional examples, see Native identity provider (IdP) federation for Amazon Redshift. For more information about setting up a connection to IAM Identity Center from Redshift, see Connect Redshift with IAM Identity Center to give users a single sign-on experience.