In today’s data-driven world, securely accessing, visualizing, and analyzing data is essential for making informed business decisions. Tens of thousands of customers use Amazon Redshift for modern data analytics at scale, delivering up to three times better price-performance and seven times better throughput than other cloud data warehouses.
The Amazon Redshift Data API simplifies access to your Amazon Redshift data warehouse by removing the need to manage database drivers, connections, network configurations, data buffering, and more.
With the newly released Amazon Redshift Data API support for single sign-on (SSO) and trusted identity propagation, you can build data visualization applications that combine SSO with role-based access control (RBAC), simplifying user management while enforcing the appropriate level of access to sensitive information.
For instance, a global sports gear company selling products across multiple regions needs to visualize its sales data, which includes country-level details. To maintain the right level of access, the company wants to restrict data visibility based on the user’s role and region. Regional sales managers should only see sales data for their specific region, such as North America or Europe. Conversely, the global sales executives require full access to the entire dataset, covering all countries.
In this post, we dive into the newly released Amazon Redshift Data API support for SSO, Amazon Redshift RBAC for row-level security (RLS) and column-level security (CLS), and trusted identity propagation with AWS IAM Identity Center, which lets corporate identities connect to AWS services more easily and securely. We demonstrate how to integrate these services to build a data visualization application with Streamlit that provides secure, role-based access: user management stays simple, and your organization can make data-driven decisions with stronger access controls.
We use multiple AWS services and open source tools to build a simple data visualization application with SSO to access data in Amazon Redshift with RBAC. The key components that power the solution are as follows:
The following diagram illustrates the solution architecture for SSO with the Redshift Data API using IAM Identity Center.
The user workflow for the data visualization application consists of the following steps:
The setup consists of two main steps:
You should have the following prerequisites:
In this section, we walk through the steps to provision the resources for IAM Identity Center, Amazon Redshift, and Okta.
Complete the following steps to enable IAM Identity Center and configure Okta as the IdP that manages user authentication and group provisioning:
The following screenshot shows the users synced into IAM Identity Center using the SCIM protocol.
Complete the following steps to create an Okta application to authenticate users accessing the Streamlit application:
Complete the following steps to create an Amazon Redshift IAM Identity Center connection application, which enables trusted identity propagation for secure authentication:
We will enable trusted identity propagation and third-party IdP (Okta) on the customer managed application for the Redshift Data API in a later step instead of configuring it in the Amazon Redshift connection application.
The following screenshot shows the IAM Identity Center connection application created on the Amazon Redshift console.
The following screenshot shows the groups assigned to the Amazon Redshift IAM Identity Center connection for the managed application.
Provision a Redshift Serverless workgroup. For more details, refer to Creating a workgroup with a namespace.
Wait until the workgroup is available before continuing to the next steps.
Next, you use the Amazon Redshift Query Editor V2 on the Amazon Redshift console to connect to the workgroup you just created. You create the tables, configure Amazon Redshift roles that correspond to the Okta groups synced into IAM Identity Center, and use RBAC policies to grant users the privilege to view data only for their own regions. Complete the following steps:
IAM Identity Center maps each group to a Redshift role named Namespace:IDCGroupName. For example, create the role AWSIDC:emea-sales (and likewise for the other groups) so that the role names match the Okta group names synced into IAM Identity Center; because the name contains a colon, quote it as an identifier in the CREATE ROLE statement. Users are created automatically and placed in the roles of their groups the first time they sign in to Amazon Redshift using SSO.
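As an added example (not code from the original post or from AWS), the following Redshift SQL sets up the RBAC described above for the sports-gear scenario: a sales table with constructed rows, roles named after the Identity Center groups, a column-level grant that hides a sensitive column from the regional roles, and row-level policies that restrict each regional role to its own region. The sales table and its columns, the AWSIDC namespace, and the na-sales and global-sales group names are assumptions for illustration; the page itself only names emea-sales.

```sql
-- Added example, not part of the original post. Table, columns, namespace
-- AWSIDC and the group names na-sales / global-sales are assumptions.

-- Constructed sample table and rows.
CREATE TABLE sales (
    sale_id        BIGINT,
    region         VARCHAR(32),    -- 'NA', 'EMEA', ...
    country        VARCHAR(64),
    amount         DECIMAL(12,2),
    customer_email VARCHAR(256)    -- sensitive: only global executives may read it
);

INSERT INTO sales VALUES
    (1, 'NA',   'US', 1200.00, 'a@example.com'),
    (2, 'EMEA', 'DE',  800.00, 'b@example.com'),
    (3, 'EMEA', 'FR',  650.00, 'c@example.com');

-- Roles named <Identity Center namespace>:<group name>. Identity Center adds a
-- user to exactly these roles at sign-in, so the spelling must match the synced
-- group names. The colon makes quoting mandatory (quoted identifiers also keep
-- their case; unquoted ones are folded to lowercase).
CREATE ROLE "AWSIDC:na-sales";
CREATE ROLE "AWSIDC:emea-sales";
CREATE ROLE "AWSIDC:global-sales";

-- Column-level security: regional roles get SELECT only on the listed columns,
-- so a query touching customer_email fails with a permission error for them.
GRANT SELECT (sale_id, region, country, amount) ON sales TO ROLE "AWSIDC:na-sales";
GRANT SELECT (sale_id, region, country, amount) ON sales TO ROLE "AWSIDC:emea-sales";
GRANT SELECT ON sales TO ROLE "AWSIDC:global-sales";

-- Row-level security: one policy per region. The WITH clause declares the
-- columns the predicate reads; their types must match the table.
CREATE RLS POLICY rls_na_only   WITH (region VARCHAR(32)) USING (region = 'NA');
CREATE RLS POLICY rls_emea_only WITH (region VARCHAR(32)) USING (region = 'EMEA');

ATTACH RLS POLICY rls_na_only   ON sales TO ROLE "AWSIDC:na-sales";
ATTACH RLS POLICY rls_emea_only ON sales TO ROLE "AWSIDC:emea-sales";

-- Global executives see every row: exempt the role from RLS filtering instead
-- of writing a policy that matches everything.
GRANT IGNORE RLS TO ROLE "AWSIDC:global-sales";

-- Enforcement starts only once RLS is switched on for the table. From then on a
-- role with no attached policy and without IGNORE RLS sees zero rows, so a
-- group that failed to sync fails closed rather than open.
ALTER TABLE sales ROW LEVEL SECURITY ON;

-- Verify the configuration before handing it to the application:
-- which relations have RLS on, and which policy is attached to which role.
SELECT relname, relrlsenabled FROM svv_rls_relation WHERE relname = 'sales';
SELECT relname, polname, grantee, grantee_type FROM svv_rls_attached_policy WHERE relname = 'sales';
```

Run the statements in this order; attaching policies before switching RLS on means nothing is filtered until the final ALTER TABLE, and switching it on before the policies exist would briefly lock every non-exempt role out. Because the Data API session runs as the propagated Identity Center user, these policies apply to the Streamlit application's queries exactly as they do in Query Editor V2. Superusers and roles granted IGNORE RLS bypass the row filters, so keep IGNORE RLS limited to the global role and do not run the application under a superuser.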
In this section, we walk through the steps to download, configure, and run the Streamlit application.
To start a trusted identity propagation workflow and let Amazon Redshift make authorization decisions based on the users and groups in IAM Identity Center (provisioned from the external IdP), you need an identity-enhanced IAM role session.
This requires two IAM roles and a customer managed application in IAM Identity Center. Together they handle the trust relationship between the external IdP and IAM Identity Center and control access for the Redshift Data API client, in this case the Streamlit application.
First, you create two IAM roles, then you create a customer managed application for the Streamlit application. Complete the following