Open Fleid opened 3 weeks ago
Hi @Fleid , thank you for reaching out with this feature request. redshift-connector's role_arn
parameter is specific to JwtCredentialsProvider
, which is why you're seeing it ignored.
What I need is to pass all the parameters inline, not a source_profile.
Boto3 does not support this functionality at this time, but they have a long running issue, https://github.com/boto/botocore/issues/761, which tracks this feature request.
As such, the recommendation from the boto3 side is to take the following approach:
at this point, the temporary aws credentials can be passed directly to a redshift boto3 client, or in this case to redshift-connector. Below I've included a code snippit which shows how this can be done:
session = boto3.Session(
# create the session with your aws credentials
)
client = session.resource('sts')
creds = client.assume_role(
RoleArn=RoleArn,
RoleSessionName=RoleSessionName
)['Credentials']
# creds is the response payload from the assumeRole request. It has temporary AWS credentials which can now be
# passed to redshift-connector. See: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/sts/client/assume_role.html
Regardless, this isn't very clean. Ideally, redshift-connector should be able to perform this role assumption internally using the steps I've provided above. As such, I will raise this feature request with the Redshift driver team so we can determine a path forward in improving the user experience for this scenario.
Thanks a lot @Brooke-white - will relay the info on my side as well :)
See this issue for context : https://github.com/dbt-labs/dbt-redshift/issues/842
The connector need to be able to support IAM Role via inline parameters in addition to via an AWS profile, the same way it does for IAM Users.
If I open a connection with
role_arn
,source_access_key_id
, andsource_secret_access_key
, currently it ignoresrole_arn
and uses the access key to open an IAM user connection. What I need instead is to leverage the access key to assume the role - see boto3 credentials, we're in the assume role provider chapter, particularly:What I need is to pass all the parameters inline, not a
source_profile
.