How to edit the tag of my SSO Permission Sets to share my redshift Queries

0

Hello I'm an administrator and I keep receiving the following error. "To share a query with a team you need to have the principal tag 'sqlworkbench-team' set for your user or role." Context: I know the solution is to edit the tags of the roles/users that work on the Redshift Cluster, but the problem is not resolved when I've edited the tag of the Permission Sets that my users authenticate into and when i added the Redshift query editor v2 full access policy. I have not found anyway to edit the user group tag of all who work on the redshift clusters/cannot edit the SSO permission set tags in IAM. I only can edit the permission set in identity center and still redshift does not recognize the tags as the same team. Question: Do I have to just create a specific role so they can assume it then edit the tags there since the permission set im using is AWS provisioned then my users can share the notebooks? Or can i edit the tags of the permission sets (2 of them) that my users login with?

Taha
已提问 3 个月前220 查看次数
1 回答
1
已接受的回答

Hi,

As described in the AWS document [1], you can apply tags to permission sets only. You can't apply tags to the corresponding roles that AWS SSO creates in AWS accounts. Hence, when you add a tag to a permission sets, it does not reflect in the corresponding roles in IAM, and also were unable to add a tag directly to corresponding roles in IAM as the roles were created and managed by the AWS SSO service.

In this context, I would like to inform you that IAM Identity Center works different than IAM, it uses “User Property” instead of tags. And you also need to enable “Attributes for access control” to set attributes to link “Property” and tags that could be recognised in IAM.

Please following steps below to solve this issue :

  1. For the user in IAM Identity Center, set the user property "Department" to “accounting-team” [Kindly change this according to your use case].[2] (This will be the attribute used with the sqlworkbench-team tag to share queries)
  2. Enable Attribute-based access control (ABAC) in IAM Identity Center [3].
  3. Configure a new attribute with key = sqlworkbench-team and Value = ${path:enterprise.department} [4]. In this case, I'm using the value of “property” Department set in step 1. So all users from the same Department will have access to the shared query. you could use any “property” based on your use case.

Please also check AWSReservedSSO role in IAM, it should not have any tags like sqlworkbench-team. It should have relevant policies to access Redshift and query editor v2.

Thank you.

[1] https://docs.aws.amazon.com/singlesignon/latest/userguide/tagging.html

[2] https://docs.aws.amazon.com/singlesignon/latest/userguide/edituser.html

[3] https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-abac.html#enable-abac

[4] https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-abac.html#configure-abac-attributes

AWS
支持工程师
已回答 3 个月前
profile picture
专家
已审核 2 个月前
  • Hello Salindira,

    I've added the ABAC the same way you did and my Department Values all are the same for the users but still doesnt work. Can't attach a Screenshot but I double checked and I receive the same error in redshift. My Department value is AOC and im using the value of path:enterprise.department.

    It worked when i copy and pasted the attribute and value from the aws documentation in the following link https://docs.aws.amazon.com/singlesignon/latest/userguide/attributemappingsconcept.html

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则

相关内容