Support inline role_arn for IAM Role authentication

[Fleid]

See this issue for context : dbt-labs/dbt-redshift#842

The connector need to be able to support IAM Role via inline parameters in addition to via an AWS profile, the same way it does for IAM Users.

If I open a connection with role_arn, source_access_key_id, and source_secret_access_key, currently it ignores role_arn and uses the access key to open an IAM user connection.
What I need instead is to leverage the access key to assume the role - see boto3 credentials, we're in the assume role provider chapter, particularly:

If MFA authentication is not enabled then you only need to specify a role_arn and a source_profile.

What I need is to pass all the parameters inline, not a source_profile.

[Brooke-white]

Hi @Fleid , thank you for reaching out with this feature request. redshift-connector's role_arn parameter is specific to JwtCredentialsProvider, which is why you're seeing it ignored.

What I need is to pass all the parameters inline, not a source_profile.

Boto3 does not support this functionality at this time, but they have a long running issue, boto/botocore#761, which tracks this feature request.

As such, the recommendation from the boto3 side is to take the following approach:

1. creating a session with your inline credentials
2. creating a sts client
3. calling assume_role on the sts client, passing in your role_arn
4. retrieving the temporary aws credentials from the response payload from the call to assume_role

at this point, the temporary aws credentials can be passed directly to a redshift boto3 client, or in this case to redshift-connector. Below I've included a code snippit which shows how this can be done:

session = boto3.Session(
  # create the session with your aws credentials 
)
client = session.resource('sts')
creds = client.assume_role(
        RoleArn=RoleArn,
        RoleSessionName=RoleSessionName
)['Credentials'] 
# creds is the response payload from the assumeRole request. It has temporary AWS credentials which can now be
# passed to redshift-connector. See: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/sts/client/assume_role.html

Regardless, this isn't very clean. Ideally, redshift-connector should be able to perform this role assumption internally using the steps I've provided above. As such, I will raise this feature request with the Redshift driver team so we can determine a path forward in improving the user experience for this scenario.

[Fleid]

Thanks a lot @Brooke-white - will relay the info on my side as well :)

[hf-13]

Hey @Brooke-white !

We’re working on setting up a cross-account connection to Redshift on Superset using IRSA. Currently, it isn’t possible to enhance connection strings with additional functions in this setup.

Would it be possible to add support for assuming roles directly in the Redshift connector? For example, introducing a parameter like assume_role_arn in the connection arguments would allow Superset to handle cross-account scenarios seamlessly. The connection could look something like this:

conn = redshift_connector.connect(
    iam=True,
    database="main",
    cluster_identifier="<cluster_identifier>",
    db_user="<user>",
    assume_role_arn="<desired_role_arn>",
)

In this scenario:

• Role A in Account A: Associated with Superset.
• Role B in Account B: Grants access to GetClusterCredentials on Redshift in Account B.
  The assume_role_arn parameter would enable Redshift Connector to assume the specified role (Role B) before establishing the connection.

Currently, we are using a profile and attaching an AWS config to the pod, but having native support in the library would greatly simplify and enhance this process.

Thank you!
Regards