I followed this guideline to configure Redshift native IdP with AzureAD:
https://aws.amazon.com/blogs/big-data/integrate-amazon-redshift-native-idp-federation-with-microsoft-azure-ad-using-a-sql-client/
This creates redshift roles based on the AAD groups assigned to the azure enterprise application dedicated to redshift. It works fine, but it appears it also creates additional redshift roles. Basically it reads ALL AAD groups of the current user (even those that are not assigned to the enterprise app) and creates a redshift role for each.
Is that by design, or did I misconfigure something?
Example:
- redshift_access group is the only group assigned to Redshift's enterprise application
- user is added to redshift_access group
- redshift creates roles for all of the user's AAD groups, including ones that have nothing to do with redshift
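The behaviour described in the post comes down to what the `groups` claim in the token issued by Azure AD contains: native IdP federation turns each group in that claim into a role. A quick diagnostic, added here as an example that is not part of the original post or of the AWS blog, decodes a constructed sample ID token and lists the groups in it that are not assigned to the Redshift enterprise application. The token, the user name, the app ID placeholder and the set of assigned groups are all constructed; the only thing assumed from the real system is the shape of an Azure AD ID token with a `groups` claim holding group names.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, the way JWT segments are written."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed, unsigned sample ID token (header.payload.signature) for offline
# inspection only. The payload mirrors the shape of an Azure AD ID token that
# carries a "groups" claim; none of these values are real.
_SAMPLE_PAYLOAD = {
    "aud": "00000000-0000-0000-0000-000000000000",  # placeholder app (client) ID
    "preferred_username": "alice@example.com",
    "groups": ["redshift_access", "finance_all", "vpn_users", "helpdesk"],
}
SAMPLE_TOKEN = ".".join(
    [
        _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode()),
        _b64url(json.dumps(_SAMPLE_PAYLOAD).encode()),
        "signature-omitted",
    ]
)

# Constructed: the groups that are actually assigned to the Redshift
# enterprise application in Azure AD.
APP_ASSIGNED_GROUPS = {"redshift_access"}


def decode_payload(token: str) -> dict:
    """Decode the JWT payload for inspection. The signature is deliberately not
    verified here; this is a diagnostic over a token you already trust, not a
    validation step."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def groups_in_token(token: str) -> list:
    """Return the groups claim as a list, or [] when the claim is absent."""
    payload = decode_payload(token)
    groups = payload.get("groups")
    if groups is None:
        # Azure AD omits the claim entirely when the user exceeds the group
        # limit and signals overage via _claim_names/_claim_sources instead.
        return []
    return list(groups)


def unexpected_groups(token: str, assigned: set) -> list:
    """Groups in the token that are not assigned to the application. With
    native IdP federation each of these becomes a Redshift role, so a
    non-empty result means the token is carrying more groups than the
    application needs."""
    return sorted(g for g in groups_in_token(token) if g not in assigned)


if __name__ == "__main__":
    print("groups in token:", groups_in_token(SAMPLE_TOKEN))
    print("not assigned to the app:", unexpected_groups(SAMPLE_TOKEN, APP_ASSIGNED_GROUPS))
```

If the list of unexpected groups is non-empty for a real token, the thing to check is the Azure AD app manifest: its `groupMembershipClaims` setting decides which groups are emitted, and the value `ApplicationGroup` restricts the claim to groups assigned to that application, which is the least-privilege configuration for this kind of role mapping.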