Amazon OAuth Setup

Connecting to Amazon Athena or Amazon Redshift using OAuth authentication requires that you set up AWS, set up Redshift or Athena as your data source, and set up details of the provider you are using, such as Google or Microsoft. Once this is done, you can configure Pyramid with the relevant details to enable the connection.

Note: This topic only describes setup for OAuth Single sign-on (SSO) authentication. For alternative connection options, see Athena or Redshift.

  • Click here for more information about Single sign-on via OAuth

The Amazon data sources whose setup is described in this topic are:

  • Amazon Athena.
  • Amazon Redshift.

Process Overview

If you want to use OAuth Authentication, you first need to:

  • Set up and configure an identity provider, such as Google or Microsoft.
  • Set up and configure AWS with the correct details to enable data source authentication using your identity provider.

If your data source is Athena, you need to use the admin panel under Data > Custom Connectors to download the JDBC driver from the Connectors Marketplace and then upload it manually to Pyramid.

Lastly, you need to configure Pyramid. You need to set up multiple fields describing how to connect to OAuth and the settings inside AWS. This includes setting up a new identity provider (OpenID Connect), a role with a policy for access to Athena or Redshift, and a trust relationship with the provider account. The ARN for this role is required when setting up OAuth authentication in Pyramid.

Configure AWS Identity Provider

You must configure the AWS identity provider so that Pyramid can connect to the data source through it. This is done by giving the roles trusted entities whose condition matches the value from the identity provider.

  • For more information, see the AWS documentation.
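
The trust-relationship check described above, as an added example (not Pyramid or AWS code): a short Python audit that confirms a role's trust policy pins the identity provider's value in its condition. It assumes the matched value is the provider's audience (`aud`) claim, that is, the OAuth Client ID; the provider host `idp.example.com`, the account ID, the client ID and the function names are placeholders for illustration.

```python
# Added example: audit an IAM role trust policy for an OIDC identity provider.
# Account ID, provider host and client ID are constructed placeholders.
PROVIDER = "idp.example.com"
CLIENT_ID = "example-client-id"
PROVIDER_ARN = "arn:aws:iam::111122223333:oidc-provider/" + PROVIDER

def trust_policy(condition=None):
    """Build a single-statement trust policy, optionally with a Condition block."""
    stmt = {"Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity"}
    if condition is not None:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

WEAK = trust_policy()  # no condition: the role does not pin which client ID may assume it
HARDENED = trust_policy({"StringEquals": {PROVIDER + ":aud": CLIENT_ID}})

def as_list(value):
    """IAM allows a single value or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, provider, client_id):
    """Return findings for web-identity statements that trust `provider`."""
    findings, matched = [], False
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        federated = as_list(principal.get("Federated", [])) if isinstance(principal, dict) else []
        if not any(f == provider or f.endswith("oidc-provider/" + provider) for f in federated):
            continue
        matched = True
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        auds = as_list(equals.get(provider + ":aud", []))
        if not auds:
            findings.append(f"statement {i}: no StringEquals condition on {provider}:aud")
        elif set(auds) != {client_id}:
            findings.append(f"statement {i}: aud allows values other than the expected client ID")
    if not matched:
        findings.append(f"no statement trusts {provider} for sts:AssumeRoleWithWebIdentity")
    return findings

if __name__ == "__main__":
    for name, pol in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_trust_policy(pol, PROVIDER, CLIENT_ID) or "ok")
```

To audit a real role, pass the trust policy document exported from the role's trust relationship as the `policy` argument.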

Global Settings

To connect to the data source using this method you need to set some global OAuth settings to match the provider details.

Important: You must always set the Redirect URL in the Global Settings, which are found on the Data > Global Settings page of the Admin Console.

  • Click here for more details about these settings

Data Source Security Settings

The Pyramid configuration happens in the Data > Data Source page of the Admin Console. For Amazon Athena, this looks like:

Authentication Method

On the Security tab, select the OAuth Authentication Method and select one of the OAuth options:

  • Single Sign-on (OAuth) - Specific User: All users of this data source will share and use the credentials and sign-in code defined here.
  • Single Sign-on (OAuth) - End User: Each user will be prompted to sign in when starting Pyramid or when connecting to the data source. This is a "one off" event. The user's sign-in code will be stored and reused for subsequent data access. Pyramid will automatically refresh this as needed.

Note: There are also options to use other Authentication Methods: for Athena, Application Authentication and the Default AWS Credentials; for Redshift, User and Password. These are non-OAuth and so outside the scope of this topic. For more information, see Athena or Redshift.

The options in this topic allow you to connect using SSO OAuth Authentication. This type of authentication makes use of the user's credentials to connect and authenticate access to a data source. The process is often used in big organizations that have centralized security and are using one framework to secure all data assets.

Provider Settings

To use OAuth to connect to Athena or Redshift, you need to connect Athena or Redshift to an OAuth identity provider such as Azure or Google. Once this is set up and the authentication is working, you can provide details from the provider to Pyramid. You need to retrieve all of the options including Scope, Client ID, Client Secret, and so on from the Provider.

Connecting

If you are setting up Single Sign-on (OAuth) - Specific User, you should click Connect to connect to the data source and generate an OAuth refresh code once the provider settings are supplied.

Signing in to Pyramid

With the Authentication Method drop-down set to Single Sign-on (OAuth) - End User, each user will be prompted to sign in for individually authenticated data access.

With the Authentication Method drop-down set to Single Sign-on (OAuth) - Specific User, each user will share the provider account as well as the Client ID and Client Secret.

  • Sign-In: Use this button to sign in to the provider (Google, Microsoft, and so on) to retrieve the OAuth Access Credentials.
  • OAuth Access Credentials: Returned by the provider and used by Pyramid to connect to the provider account. This value is also known as a Refresh Code or Refresh Token.