Support IAM Identity Center Authentication - browser and token based

[Fleid]

To support authentication to Redshift from 3rd party identity providers via IAM Identity Center, we need to add 2 authentication methods to dbt-redshift.

The first one is browser based, where we rely on the Redshift connector library to open up a browser session to get the proper creds: method: iam_idc_browser.

The second one is token based, where we expect the user to provide the required token, that we will relay to the Redshift connector library to establish the connection : method: iam_idc_token.

iam_idc_browser : Browser based authentication

See Authenticating with BrowserIdcAuthPlugin

Expected profile fields:

Option name	Required?	Description	Example
credentials_provider	Required	BrowserIdcAuthPlugin
idc_region	Required	The AWS Region where the AWS IAM Identity Center instance is located.	us-east-1
issuer_url	Required	The AWS IAM Identity Center server's instance endpoint. You can find this value using the AWS IAM Identity Center console.	https://identitycenter.amazonaws.com/ssoins-g5j2k70sn4yc5nsc
listen_port	Optional	The port that the Amazon Redshift driver uses to receive the auth_code response from AWS IAM Identity Center through the browser redirect.	7890
idc_client_display_name	Optional	The name that the AWS IAM Identity Center client uses for the application in the AWS IAM Identity Center's single sign-on consent popup.	Amazon Redshift driver
idp_response_timeout	Optional	The amount of time, in seconds, that the Redshift driver waits for the auth flow to complete.	60

Redshift connector call:

import redshift_connector

conn: redshift_connector.Connection = redshift_connector.connect(
    iam=True,
    database='dev',
    region='us-east-1',
    cluster_identifier='my-testing-cluster',
    ...
    
    credentials_provider='BrowserIdcAuthPlugin',
    idc_region='us-east-1',
    issuer_url='https://identitycenter.amazonaws.com/ssoins-g5j2k70sn4yc5nsc'
)

iam_idc_token : Token based authentication

See Authenticating with IdpTokenAuthPlugin

Expected profile fields:

Option name	Required?	Description
credentials_provider	Required	IdpTokenAuthPlugin
token	Required	An AWS IAM Identity Center vended access token or an OpenID Connect (OIDC) JSON Web Token (JWT) provided by a web identity provider that's connected with AWS IAM Identity Center. Your application must generate this token by authenticating your application user with AWS IAM Identity Center or an identity provider connected with AWS IAM Identity Center.
token_type	Required	The type of token used for IdpTokenAuthPlugin. Possible values are the following: ACCESS_TOKEN – Enter this if you use an AWS IAM Identity Center provided access token. EXT_JWT – Enter this if you use an OpenID Connect (OIDC) JSON Web Token (JWT) provided by a web-based identity provider that's connected with AWS IAM Identity Center.

Redshift connector call:

import redshift_connector

conn: redshift_connector.Connection = redshift_connector.connect(
    iam=True,
    database='dev',
    region='us-east-1',
    cluster_identifier='my-testing-cluster',
    ...
    
    credentials_provider='IdpTokenAuthPlugin',
    token_type='ACCESS_TOKEN',
    token='abcdefghijklmnopqrstuvwxyz'
)

Prerequisites

Setting up AWS IAM Identity Center integration with Amazon Redshift

[VersusFacit]

We have shipped half of this -- browser based IDC authentication. Note the redshift team has yet to ship a caching mechanism so any user of this auth method can expect several authentications for a single dbt run of a single model, followed by 2 or 3 for every included model thereafter. We eagerly await Redshift shipping that caching function and our team will do what is needed (if anything) to integrate it.