Connect Data Cloud to Amazon Redshift Using Salesforce IDP

In today’s data-driven world, seamless and secure integration between platforms isn’t just a technical requirement — it’s a business imperative. Thanks to our partnership with AWS, we’re happy to announce that companies can now connect their AWS Redshift enterprise data warehouse to Salesforce Data Cloud without relying on a username and password to establish the connection. Customers can now use Salesforce IDP as an identity provider* for secure and seamless connections with their data lakehouse. This enhancement simplifies connection setup, eliminates the security risks associated with static credentials, and lets organizations focus on what matters most — extracting insights and driving value from their data.

In this blog, we’ll review the benefits of using Salesforce as an identity provider and walk through the steps to set up Salesforce IDP in Data Cloud, connect to Amazon Redshift, and set up access permissions.

*An identity provider (IDP) is a system that authenticates users’ identities and authorizes their access to various applications and services by managing and verifying digital credentials.

About Amazon Redshift

Amazon Redshift is a fully managed, cloud-based data warehouse service offered by AWS. It enables organizations to analyze large volumes of data using SQL-based tools, supporting both structured and semi-structured data. Redshift is highly scalable, allowing users to start small and scale up as needed, and it integrates seamlessly with other AWS services. It leverages columnar storage and data compression for fast query performance and is optimized for high-throughput analytics workloads.

Connecting Data Cloud to AWS using static credentials

Traditionally, connecting Data Cloud to external systems like AWS Redshift required a manual process involving static credentials such as usernames, passwords, and private keys. This method created several challenges:

  • Security risks: Static credentials are inherently vulnerable because they remain valid for days or weeks, posing a risk of unauthorized access
  • Operational complexity: Setting up connections required collaboration between Data Cloud and AWS administrators, often leading to delays
  • Overhead: Enterprises typically have a policy requiring credential rotation every 60 or 90 days, leading to unnecessary operational overhead in updating credentials across all relevant connections

Connecting Data Cloud to AWS using Salesforce IDP

The introduction of Salesforce IDP-based authentication addresses some of the most pressing challenges faced by organizations when connecting Salesforce Data Cloud with external AWS systems.

  • Enhanced security: Static credentials, such as usernames and passwords, have been a longstanding security concern. With IDP-based authentication, customers no longer need to store static credentials or update every connection whenever a credential changes. Short-lived, scoped tokens ensure just-in-time access, reducing the risk of phishing attacks.
  • Streamlined collaboration: Setting up secure connections previously required significant manual coordination between Data Cloud and AWS administrators. With this feature, Data Cloud admins create new connections using IAM roles that the AWS admin has configured, with Salesforce IDP as the trusted identity provider, so the roles align with the organization’s security framework. It also shortens connection setup time and avoids the maintenance steps needed to manage passwords and private keys.
  • Aligned with compliance and best practices: Organizations, especially those operating in regulated industries like financial services or healthcare, prioritize secure data access. By using IDP-based authentication, they can adhere to industry standards for identity and access management. It also reduces the risk of non-compliance, ensuring secure data operations at every step.

How to set up IDP authentication and AWS connection in Data Cloud

Let’s now take a look at the step-by-step process for setting up an AWS connector in Data Cloud using a secure connection leveraging Salesforce IDP.

Part 1: Add Salesforce as an identity provider in AWS

  1. Log in to your AWS account, and in the navigation pane of IAM (Identity and Access Management), choose Identity providers, and then choose Add provider.
  2. For Configure provider, choose OpenID Connect.
  3. Enter the My Domain URL details for the provider URL and audience.
  4. Verify the information you provided and choose Add provider. IAM attempts to retrieve and use the top intermediate CA (certificate authority) thumbprint of the OIDC IdP server certificate to create the IAM OIDC identity provider.
IdP details in AWS Management Console     URL format
Provider URL                              <My Domain URL>/services/connectors
Audience                                  <My Domain URL>


Adding Salesforce as an Identity Provider (IDP) in AWS

Tip: To find the My Domain URL of your org, go to Setup in Data Cloud org, then click Settings, and then Company Settings. Click My Domain to find your current My Domain URL. For more information, see My Domain documentation.


Identifying the My Domain URL of your org

Part 2: Create the connection in Data Cloud to connect to AWS

To set up the connection with AWS in Data Cloud, follow these steps:

  • In Data Cloud, go to Data Cloud Setup.
  • Under Configuration, select Other Connectors.
  • Click New.
  • Under Source, select Amazon Redshift and click Next.


Creating a new Amazon Redshift connection in Data Cloud

  • In the next section, you’ll have two options: authenticate using username/password or authenticate using Identity Provider Based. This blog focuses on the second option.


New connection setup using Username/Password

  • Choose the second option (Identity Provider Based) and you’ll notice a unique External ID. This is a unique ID (also known as a connection ID), and it will be used to create a trust relationship with AWS. Refer to Part 3, step 5 below (Adding Trust Relationship) to understand more.


New connection setup using Salesforce as an Identity Provider

  • The next step is important — we have to provide the IAM role name created by the AWS admin, which is authorized by Salesforce IDP. Using this IAM role, Data Cloud can access the required AWS tables. Refer to Part 3 below (Create the IAM role in AWS) to understand how this role is created in AWS and how permissions are granted to it.
  • To get the role details, obtain the Amazon Resource Name (ARN) value from the AWS IAM section.



  • Then provide the ARN value into the IAM Role Name field of the Salesforce Active Connection dialog box.


Adding the IAM role name in the Salesforce Active Connection dialog box

  • Next, add your JDBC URL in the Connection URL section. To get the JDBC URL, go to the Redshift cluster page and copy the JDBC URL in General information section.


Obtaining the JDBC URL of the Redshift cluster from AWS portal

  • Add the database name from Redshift.
  • Click on Test Connection and hit Save once connection is established.


Testing the connection after providing required inputs

  • If you turn on ‘Private Network Route’, make sure you have created a private connection following the guidance in Establish an Inbound Connection with AWS.
  • Once you have established a private connection, it appears in the Private Connect section under Data Cloud Setup.


The Private Connect screen showing a private connection set up

  • Once the private connection is created, turn on the Private Network Route toggle while creating the connection, choose the private connection created in the step above in the Private Network Route field, and enter the Redshift Cluster Identifier.


Creating a new connection using the Private Network route

  • For the Redshift Cluster Identifier for serverless connections, copy the workgroup name.


Copying the workgroup name for the Redshift cluster

  • If you are setting up a role for a Redshift workgroup (serverless), make sure your role is listed in pg_user. To check, run:
    select * from pg_user;
    If the role is not listed, create a database user with the same role name. The identifier contains a colon, so it must be double-quoted:
    create user "IAMR:<ROLE NAME>" password disable;
  • If you’re setting up a role for a Redshift workgroup (serverless), grant read permissions on the schema with these statements:
    GRANT USAGE ON SCHEMA idp_test TO "IAMR:<ROLE NAME>";
    GRANT SELECT ON ALL TABLES IN SCHEMA idp_test TO "IAMR:<ROLE NAME>";
  • Enter all the details and test the connection. Once it is established, hit Save, and you’re ready to use this connection to create data streams.


Testing the connection after providing all the details

Part 3: Create the IAM role in AWS

Once we’ve registered Salesforce IDP in AWS, we have to create a role in AWS for a Data Cloud user to access the AWS buckets (for more info, refer to Creating a role using custom trust policies).

Follow these steps to create a role:

  1. Go to the Roles section in the left navigation panel in IAM.
  2. Click on Roles.
  3. Every role has two parts: Permissions and Trust Relationship.
  4. To add permissions, specify which AWS resource this role can access and what actions it can perform (e.g., read/write/delete). The screenshot below shows the required permissions for a particular role.


Adding permissions to the IAM role

  5. Next, add the Trust Relationship by specifying which third-party IDP is authorizing this role. In our case, Salesforce IDP (registered in Part 1) is authorizing that this role can access the AWS buckets. It will also ask which external identity (identified by the External ID) the request will come from.


Salesforce IDP authorizing the IAM role to access Amazon buckets

  6. Once you have added both the Permissions Policy and Trust Relationship, click Save. Now, you’re ready to test the connection created in Part 2.
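The following script is an added example, not code from this post or from Salesforce or AWS. It ties Part 1 and Part 3 together: it derives the provider URL and audience from the My Domain URL exactly as the Part 1 table does, builds the JSON trust relationship for the role (federated principal = the registered OIDC provider, action = sts:AssumeRoleWithWebIdentity, conditions on audience and External ID), and then runs sample token claims through a simplified model of IAM’s condition evaluation to show that a token minted for another org or another connection is denied. The account ID, My Domain URL and External ID are constructed sample values, and the example assumes the connection’s External ID arrives in the token’s sub claim; the post only says the trust relationship is keyed on the External ID, so verify that mapping against your connector before relying on it.

```python
"""Build the IAM trust policy for the Data Cloud role and check it against
sample token claims.  Added example; not code from the blog post or from
Salesforce/AWS.

Assumptions (not stated by the post):
  - ACCOUNT_ID, MY_DOMAIN_URL and EXTERNAL_ID are constructed sample values.
  - The connection's External ID is assumed to arrive in the token's "sub"
    claim; the post only says the trust relationship is keyed on it.
"""
import json
from urllib.parse import urlparse

ACCOUNT_ID = "123456789012"                        # constructed sample
MY_DOMAIN_URL = "https://acme.my.salesforce.com"   # constructed sample
EXTERNAL_ID = "EXT-ID-EXAMPLE"                     # constructed sample


def oidc_provider_details(my_domain_url: str) -> dict:
    """Provider URL and audience as the post's Part 1 table lays them out."""
    base = my_domain_url.rstrip("/")
    return {"provider_url": f"{base}/services/connectors", "audience": base}


def provider_name(provider_url: str) -> str:
    """IAM names an OIDC provider by its URL with the scheme stripped; the same
    string prefixes the policy condition keys (<name>:aud, <name>:sub)."""
    parsed = urlparse(provider_url)
    return parsed.netloc + parsed.path.rstrip("/")


def build_trust_policy(account_id: str, my_domain_url: str, external_id: str) -> dict:
    """Trust relationship for Part 3: only tokens issued by the registered
    Salesforce IDP, for this org's audience and this connection's External ID,
    may assume the role."""
    details = oidc_provider_details(my_domain_url)
    name = provider_name(details["provider_url"])
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": f"arn:aws:iam::{account_id}:oidc-provider/{name}"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        f"{name}:aud": details["audience"],
                        f"{name}:sub": external_id,  # assumption: External ID == sub
                    }
                },
            }
        ],
    }


def trust_policy_allows(policy: dict, issuer_provider_arn: str, claims: dict) -> bool:
    """Simplified model of how IAM evaluates the trust policy: the issuing
    provider must be the federated principal and every StringEquals condition
    must match the corresponding token claim.  Anything else is denied."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRoleWithWebIdentity":
            continue
        if stmt["Principal"].get("Federated") != issuer_provider_arn:
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        # Condition keys look like "<provider name>:aud"; the claim name follows the last colon.
        if all(claims.get(key.rsplit(":", 1)[1]) == expected
               for key, expected in conditions.items()):
            return True
    return False


if __name__ == "__main__":
    policy = build_trust_policy(ACCOUNT_ID, MY_DOMAIN_URL, EXTERNAL_ID)
    print(json.dumps(policy, indent=2))  # paste into the role's Trust relationships tab

    issuer = policy["Statement"][0]["Principal"]["Federated"]
    good = {"aud": MY_DOMAIN_URL, "sub": EXTERNAL_ID}
    wrong_org = {"aud": "https://other.my.salesforce.com", "sub": EXTERNAL_ID}
    wrong_conn = {"aud": MY_DOMAIN_URL, "sub": "some-other-connection"}
    print("this connection:", trust_policy_allows(policy, issuer, good))           # True
    print("another org:", trust_policy_allows(policy, issuer, wrong_org))          # False
    print("another connection:", trust_policy_allows(policy, issuer, wrong_conn))  # False
```

The two conditions are the whole point of the trust relationship: the aud check stops a token issued for a different Salesforce org from assuming the role, and the External ID check stops a different connection in the same org from doing so. Leave either out and the role is assumable by any token the provider issues.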

Improvements on the roadmap

At Salesforce, we believe in empowering organizations to unlock the full potential of their data ecosystems. If your business uses Amazon Redshift and Salesforce Data Cloud, this feature is designed with you in mind. Looking ahead, we’re committed to further enhancing this experience with more features to make this process seamless. Learn more about this feature or reach out to your Salesforce representative for guidance on getting started. Together, let’s build secure, scalable, and impactful data-driven solutions.

Resources

About the author

Gaurav Garg is a Senior Product Manager on the Salesforce Data Cloud product team. He is part of the ‘Bring your Own Lake – Zero Copy Data Federation’ product team, and closely works with leading data lake partners. You can follow him on LinkedIn.

The post Connect Data Cloud to Amazon Redshift Using Salesforce IDP appeared first on Salesforce Developers Blog.