Tags: amazon-web-services, amazon-iam, amazon-redshift-serverless, aws-iam-identity-center

AWS Redshift Serverless IAM Identity Center Authentication not working


I am trying to use Redshift Query Editor V2 authenticating via IAM Identity Center. These were my setup steps:

CREATE IDENTITY PROVIDER "redshift-idc-app" TYPE AWSIDC
NAMESPACE 'awsidc'
APPLICATION_ARN 'arn:aws:sso::123456789012:application/ssoins-12345f67fe123d4/apl-a0b0a12dc123b1a4'
IAM_ROLE 'arn:aws:iam::123456789012:role/MyRedshiftRole';

Note that the role has this trust relationship:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "redshift.amazonaws.com",
                    "redshift-serverless.amazonaws.com"
                ]
            },
            "Action": [
                "sts:AssumeRole",
                "sts:SetContext"
            ]
        }
    ]
}

and these permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "redshift:DescribeQev2IdcApplications",
                "redshift-serverless:ListNamespaces",
                "redshift-serverless:ListWorkgroups"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "AllowRetrievalOfRSMetadata"
        },
        {
            "Action": [
                "sso:DescribeApplication",
                "sso:DescribeInstance"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:sso::597598337678:application/ssoins-69876c8b1312f277/*",
                "arn:aws:sso:::instance/ssoins-69876c8b1312f277"
            ],
            "Sid": "AllowCreationOfIdPProvider"
        }
    ]
}

I ensured the role was created as expected:

SELECT * FROM SVV_IDENTITY_PROVIDERS;
CREATE ROLE <idcnamespace:rolename>;

-- See the available roles
SELECT * FROM SVV_ROLES;

and assigned permissions on a schema inside one of the databases (note that I pre-created the schema in the given database as well):

GRANT USAGE ON SCHEMA <schema> TO ROLE "<idcnamespace:rolename>";
GRANT SELECT ON ALL TABLES IN SCHEMA <schema> TO ROLE "<idcnamespace:rolename>";

When I try to log in I get this error on the QEV2 console: "Databases couldn't be listed". However, upon further investigation in CloudTrail I can see these details on the event:

{
    "errorCode": "InternalServerErrorException",
    "requestParameters": {
        "path": "/cluster/connect/",
        "data": "***",
        "version": "1.001"
    },
    "responseElements": {
        "result": false,
        "code": "ContainerStateException",
        "error": "Cannot get container for user AROAYWI5C7KHET6MY5CL5:<USERNAME>",
        "message": "Cannot get container for user AROAYWI5C7KHET6MY5CL5:<USERNAME>"
    }
}

I couldn't find anything in the documentation about this specific error. I basically followed this AWS guide step by step, yet no luck unfortunately :( Any help on what I might have messed up in the setup or elsewhere is much appreciated :)

UPDATE

The AWS team is probably working on something here, because now for the same setup/steps, the error has changed to an ISACGetSessionException.

"responseElements": {
    "result": false,
    "code": "ISACGetSessionException",
    "error": "Cannot get session information from ISAC",
    "message": "Cannot get session information from ISAC"
}

Can't really tell what the hell is going on here. I wish the AWS team was a bit more transparent on disclaiming that the IDC integration with Redshift Serverless is "experimental" to say the least... Will keep anyone posted on updates


Solution

  • One likely reason is that third-party cookies from amazon.com to amazonaws.com are blocked by your browser. You can check if this is happening in the Network tab by inspecting the Cookies on the sqlworkbench API requests. Check "show filtered out request cookies" to see whether these cookies are being blocked. You can see them highlighted in yellow. [Image: Filtered out cookies from a request in the Network tab of devtools]

    The way to unblock these cookies will depend on the browser you're using. In Google Chrome, you can allow them by clicking the eye icon at the right end of the address bar. [Image: Google Chrome dialog to allow third-party cookies]

    You may then have to Delete Connection and then Create Connection. [Image: Delete connection button highlighted in Redshift] [Image: Create connection button in Redshift]