adding IAM role authentication support for redshift #630
Conversation
|
Thank you for your pull request and welcome to our community. We could not parse the GitHub identity of the following contributors: Whittier.
|
abbywh
changed the title
abbywh
force-pushed
the
Feature/iamr_auth
branch
from
26b6355 to
6075b92
Compare
abbywh
force-pushed
the
Feature/iamr_auth
branch
from
6075b92 to
5d4f3f5
Compare
|
Is this being tested now? Any chance we can reopen for tracking purposes? |
|
Thank you for your pull request and welcome to our community. We could not parse the GitHub identity of the following contributors: Whittier.
|
|
Thank you for your pull request and welcome to our community. We could not parse the GitHub identity of the following contributors: Whittier.
|
|
@abbywh looks like there's something wrong with your git setup and is throwing off our CLA check |
|
@colin-rogers-dbt do you have any documentation for your bot? I can explain what happened. I ammended the commit to remove my private email address in favor of my public, and you can see my email in the commit, but it's still blocking. I would happily parse through how to fix it (maybe a git filter repo?) if I can find some documentation around it. |
Committer: Abby Whittier <[email protected]>
* implement store-failures-as tests
* The first element of the result is the PID
* Debug-level logging of high-level message + SQL
* Using redshift_connector `cursor.fetchone()` returns `(<something>,)`
* Use cursor to call `select pg_terminate_backend({pid})` directly rather than using the `SQLConnectionManager`
---------
Co-authored-by: Mike Alfare <[email protected]>
abbywh
force-pushed
the
Feature/iamr_auth
branch
from
4a8cc19 to
48128e2
Compare
|
for anyone digging this up, make sure you update the config as given by the bot, then do |
|
@jiezhen-chen @soksamnanglim @sathiish-kumar y'all wanna take a look here as well? |
|
Instead of introducing a new |
|
@jiezhen-chen i also considered that option. would be happy to change it to that, but i was worried about muddling the error cases for the iam authentication. for example, consider i'm a user that wants to use IAM auth and omits the user field. the error i would get would be something like: I think this is mostly a stylistic choice that should be left to the maintainers. But we should add a note about that error message to the documentation if we choose to combine the routes. Just let me know which you would prefer knowing this and I will implement it 😃 |
|
@abbywh Having a IAMR auth method makes sense. I think that if you want to use GetClusterCredentialsWithIAM v2 where IAM role is used, you'd also need to set |
|
yes you are correct there was a mistake in my testing setup. I will make the changes to the tests that should catch this + that code change. |
|
Hi all, I would like to understand the progress of this issue since we would like to switch completely to IAM (not specifying user explicitly but rather through IAM) - thus IAMR would be great to have as soon as possible. |
|
+1. This not being deployed is still causing big issues for us. |
|
Hello everyone, this would actually be a game changer for us as in our current setup we still need to create all external schemas... |
|
Hey All, Any updates on when this feature may get shipped? Our team is currently waiting for this to begin adopting the IAM Auth |
|
@abbywh I'll be looking at this PR over the next week or so, with the intent of merging it within the next two weeks. Given the duration for which this has been open, I wanted to check with you to see if you're available to make updates, if needed. I don't mind taking it over, and I would do so in a way that you maintain credit for your contributions either way. But we prefer to offer the contributor the opportunity to complete the PR if so desired. |
|
I pushed the merge conflict resolution so that the branch can pull updates from |
There was a problem hiding this comment.
I left a few comments, mostly around aesthetics and issues arising from the de-coupling work.
The one thing that we'll need to add is an integration test verifying that we can connect with an IAM role. I need to setup some infra for that test to run in CI. In the meantime, we need to do a few things:
- add
REDSHIFT_TEST_IAM_ROLEandREDSHIFT_TEST_IAM_PROFILEto./test.env.examplehere - pull these new values into the test fixtures in
./tests/conftest.pyhere - create a test module for the new tests:
./tests/functional/adapter/test_auth_methods.py - create a test in the new module that connects via IAM role and runs a basic query to demonstrate access
The test should probably remove things like user for a positive test. And it's probably worth adding a negative test as well, by removing role.
|
In the interest of time, I will take over this PR in #781 and close this one. |
Committer: Abby Whittier [email protected]
resolves #623
docs dbt-labs/docs.getdbt.com/#
Problem
dbt-redshift currently does not natively support the redshift authentication method get-cluster-credentials-with-iam. A dbt customer using IAM roles as db users currently has no way to authenticate as those users.
Solution
There is now a new redshift connection method to authenticate as an IAM role, called IAMR. This strongly resembles the classic IAM authentication, except the user field is unnecessary.
Checklist