How to edit the tag of my SSO Permission Sets to share my redshift Queries


Hello I'm an administrator and I keep receiving the following error. "To share a query with a team you need to have the principal tag 'sqlworkbench-team' set for your user or role." Context: I know the solution is to edit the tags of the roles/users that work on the Redshift Cluster, but the problem is not resolved when I've edited the tag of the Permission Sets that my users authenticate into and when i added the Redshift query editor v2 full access policy. I have not found anyway to edit the user group tag of all who work on the redshift clusters/cannot edit the SSO permission set tags in IAM. I only can edit the permission set in identity center and still redshift does not recognize the tags as the same team. Question: Do I have to just create a specific role so they can assume it then edit the tags there since the permission set im using is AWS provisioned then my users can share the notebooks? Or can i edit the tags of the permission sets (2 of them) that my users login with?

已提问 3 个月前220 查看次数
1 回答


As described in the AWS document [1], you can apply tags to permission sets only. You can't apply tags to the corresponding roles that AWS SSO creates in AWS accounts. Hence, when you add a tag to a permission sets, it does not reflect in the corresponding roles in IAM, and also were unable to add a tag directly to corresponding roles in IAM as the roles were created and managed by the AWS SSO service.

In this context, I would like to inform you that IAM Identity Center works different than IAM, it uses “User Property” instead of tags. And you also need to enable “Attributes for access control” to set attributes to link “Property” and tags that could be recognised in IAM.

Please following steps below to solve this issue :

  1. For the user in IAM Identity Center, set the user property "Department" to “accounting-team” [Kindly change this according to your use case].[2] (This will be the attribute used with the sqlworkbench-team tag to share queries)
  2. Enable Attribute-based access control (ABAC) in IAM Identity Center [3].
  3. Configure a new attribute with key = sqlworkbench-team and Value = ${path:enterprise.department} [4]. In this case, I'm using the value of “property” Department set in step 1. So all users from the same Department will have access to the shared query. you could use any “property” based on your use case.

Please also check AWSReservedSSO role in IAM, it should not have any tags like sqlworkbench-team. It should have relevant policies to access Redshift and query editor v2.

Thank you.





已回答 3 个月前
profile picture
已审核 2 个月前
  • Hello Salindira,

    I've added the ABAC the same way you did and my Department Values all are the same for the users but still doesnt work. Can't attach a Screenshot but I double checked and I receive the same error in redshift. My Department value is AOC and im using the value of path:enterprise.department.

    It worked when i copy and pasted the attribute and value from the aws documentation in the following link

您未登录。 登录 发布回答。