Skip to content

Commit eabeda8

Browse files
bsod90claude
andauthored
docs(oidc): document OIDC auth on Redshift, Athena, and BigQuery driver pages (#11056)
Each driver page gains an OIDC subsection under Cube Cloud — presented as one more authentication option alongside static credentials / IAM auth, with a config example and a link to the relevant OIDC guide: - Athena: AWS_ROLE_ARN via the AWS SDK default chain (links #athena). - Redshift: AWS_ROLE_ARN + the existing IAM-authentication variables, no DB password (links the new #redshift guide section). - BigQuery: GCP_POOL_AUDIENCE + optional GCP_SERVICE_ACCOUNT_EMAIL instead of a key file (links #bigquery); CUBEJS_DB_BQ_KEY_FILE "required" relaxed with a footnote (it was already optional when CUBEJS_DB_BQ_CREDENTIALS is used). Adds a compact Redshift section to the AWS OIDC guide (trust policy shape shared with Athena; redshift:GetClusterCredentialsWithIAM permissions; deployment env vars) so the driver-page links land on a concrete anchor, and folds Redshift into the guide's description/intro. All examples cross-checked against the workload-identity design doc and the live implementation (the staging test-redshift-oidc deployment and the qa BigQuery/Athena OIDC e2e fixtures use exactly these variable sets). Also fixes a stray bold marker on the Athena page. Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 8ef4b54 commit eabeda8

4 files changed

Lines changed: 133 additions & 7 deletions

File tree

docs-mintlify/admin/connect-to-data/data-sources/aws-athena.mdx

Lines changed: 21 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -58,13 +58,31 @@ Configuration** in your deployment.
5858

5959
</Info>
6060

61-
In Cube Cloud, select AWS Athena** when creating a new deployment and fill in
61+
In Cube Cloud, select **AWS Athena** when creating a new deployment and fill in
6262
the required fields:
6363

6464
<Frame>
6565
<img src="https://ucarecdn.com/d30fa31d-e6ea-4a73-9950-1786634a1e32/" alt="Cube Cloud AWS Athena Configuration Screen" />
6666
</Frame>
6767

68+
#### OIDC workload identity
69+
70+
Instead of static credentials, Cube Cloud deployments can authenticate to
71+
Athena with [OIDC workload identity][ref-oidc-aws-athena]: an IAM role in
72+
your account trusts Cube's OIDC issuer, and the driver assumes it through
73+
the AWS SDK's default credential chain — no access keys to provision or
74+
rotate.
75+
76+
```dotenv
77+
CUBEJS_DB_TYPE=athena
78+
AWS_ROLE_ARN=arn:aws:iam::123456789012:role/cube-deployment-acme
79+
CUBEJS_AWS_REGION=us-east-1
80+
CUBEJS_AWS_S3_OUTPUT_LOCATION=s3://my-athena-output-bucket
81+
```
82+
83+
See the [AWS OIDC guide][ref-oidc-aws-athena] for the IAM role, trust
84+
policy, and permissions setup.
85+
6886
Cube Cloud also supports connecting to data sources within private VPCs
6987
if [single-tenant infrastructure][ref-dedicated-infra] is used. Check out the
7088
[VPC connectivity guide][ref-cloud-conf-vpc] for details.
@@ -87,7 +105,7 @@ if [single-tenant infrastructure][ref-dedicated-infra] is used. Check out the
87105
| [`CUBEJS_DB_SCHEMA`](/reference/configuration/environment-variables#cubejs_db_schema) | The name of the schema to use as `information_schema` filter. Reduces count of tables loaded during schema generation. | A valid schema name ||
88106
| [`CUBEJS_CONCURRENCY`](/reference/configuration/environment-variables#cubejs_concurrency) | The number of [concurrent queries][ref-data-source-concurrency] to the data source | A valid number ||
89107

90-
<sup>1</sup> Either provide [`CUBEJS_AWS_KEY`](/reference/configuration/environment-variables#cubejs_aws_key) and [`CUBEJS_AWS_SECRET`](/reference/configuration/environment-variables#cubejs_aws_secret) for static credentials, or use [`CUBEJS_AWS_ATHENA_ASSUME_ROLE_ARN`](/reference/configuration/environment-variables#cubejs_aws_athena_assume_role_arn) for role-based authentication. When using role assumption without static credentials, the driver will use the AWS SDK's default credential chain (IAM instance profile, EKS IRSA, etc.).
108+
<sup>1</sup> Either provide [`CUBEJS_AWS_KEY`](/reference/configuration/environment-variables#cubejs_aws_key) and [`CUBEJS_AWS_SECRET`](/reference/configuration/environment-variables#cubejs_aws_secret) for static credentials, or use [`CUBEJS_AWS_ATHENA_ASSUME_ROLE_ARN`](/reference/configuration/environment-variables#cubejs_aws_athena_assume_role_arn) for role-based authentication. When using role assumption without static credentials, the driver will use the AWS SDK's default credential chain (IAM instance profile, EKS IRSA, or [OIDC workload identity][ref-oidc-aws-athena] in Cube Cloud).
91109

92110
[ref-data-source-concurrency]: /admin/connect-to-data/concurrency#data-source-concurrency
93111
## Pre-Aggregation Feature Support
@@ -171,5 +189,6 @@ connections are made over HTTPS.
171189
https://prestodb.io/docs/current/functions/aggregate.html#approximate-aggregate-functions
172190
[ref-caching-large-preaggs]: /docs/pre-aggregations/using-pre-aggregations#export-bucket
173191
[ref-caching-using-preaggs-build-strats]: /docs/pre-aggregations/using-pre-aggregations#pre-aggregation-build-strategies
192+
[ref-oidc-aws-athena]: /admin/deployment/oidc/aws#athena
174193
[ref-schema-ref-types-formats-countdistinctapprox]: /reference/data-modeling/measures#type
175194
[self-preaggs-batching]: #batching

docs-mintlify/admin/connect-to-data/data-sources/aws-redshift.mdx

Lines changed: 24 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -88,6 +88,28 @@ The following fields are required when creating an AWS Redshift connection:
8888
<img src="https://ucarecdn.com/4ccd3485-36fe-4740-9a11-0e8fb23fe8c3/" alt="Cube Cloud AWS Redshift Configuration Screen" />
8989
</Frame>
9090

91+
#### OIDC workload identity
92+
93+
Instead of a database password, Cube Cloud deployments can authenticate to
94+
Redshift with [OIDC workload identity][ref-oidc-aws-redshift]: an IAM role
95+
in your account trusts Cube's OIDC issuer, and the driver uses it to obtain
96+
temporary database credentials via [IAM authentication](#iam-authentication).
97+
Set `AWS_ROLE_ARN` alongside the IAM authentication variables and omit
98+
`CUBEJS_DB_USER` / `CUBEJS_DB_PASS`:
99+
100+
```dotenv
101+
CUBEJS_DB_TYPE=redshift
102+
AWS_ROLE_ARN=arn:aws:iam::123456789012:role/cube-deployment-acme
103+
CUBEJS_DB_HOST=my-redshift-cluster.xxx.eu-west-1.redshift.amazonaws.com
104+
CUBEJS_DB_NAME=my_redshift_database
105+
CUBEJS_DB_SSL=true
106+
CUBEJS_DB_REDSHIFT_AWS_REGION=eu-west-1
107+
CUBEJS_DB_REDSHIFT_CLUSTER_IDENTIFIER=my-redshift-cluster
108+
```
109+
110+
See the [AWS OIDC guide][ref-oidc-aws-redshift] for the IAM role, trust
111+
policy, and permissions setup.
112+
91113
Cube Cloud also supports connecting to data sources within private VPCs
92114
if [single-tenant infrastructure][ref-dedicated-infra] is used. Check out the
93115
[VPC connectivity guide][ref-cloud-conf-vpc] for details.
@@ -112,7 +134,7 @@ if [single-tenant infrastructure][ref-dedicated-infra] is used. Check out the
112134
| [`CUBEJS_DB_EXPORT_BUCKET_REDSHIFT_ARN`](/reference/configuration/environment-variables#cubejs_db_export_bucket_redshift_arn) | | ||
113135
| [`CUBEJS_CONCURRENCY`](/reference/configuration/environment-variables#cubejs_concurrency) | The number of [concurrent queries][ref-data-source-concurrency] to the data source | A valid number ||
114136

115-
<sup>1</sup> Required when using password-based authentication. When using IAM authentication, omit these and set [`CUBEJS_DB_REDSHIFT_CLUSTER_IDENTIFIER`](/reference/configuration/environment-variables#cubejs_db_redshift_cluster_identifier) and [`CUBEJS_DB_REDSHIFT_AWS_REGION`](/reference/configuration/environment-variables#cubejs_db_redshift_aws_region) instead. The driver uses the AWS SDK's default credential chain (IAM instance profile, EKS IRSA, etc.) to obtain temporary database credentials.
137+
<sup>1</sup> Required when using password-based authentication. When using IAM authentication, omit these and set [`CUBEJS_DB_REDSHIFT_CLUSTER_IDENTIFIER`](/reference/configuration/environment-variables#cubejs_db_redshift_cluster_identifier) and [`CUBEJS_DB_REDSHIFT_AWS_REGION`](/reference/configuration/environment-variables#cubejs_db_redshift_aws_region) instead. The driver uses the AWS SDK's default credential chain (IAM instance profile, EKS IRSA, or [OIDC workload identity][ref-oidc-aws-redshift] in Cube Cloud) to obtain temporary database credentials.
116138

117139
[ref-data-source-concurrency]: /admin/connect-to-data/concurrency#data-source-concurrency
118140
## Pre-Aggregation Feature Support
@@ -195,6 +217,7 @@ Database][ref-recipe-enable-ssl].
195217
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions
196218
[ref-caching-large-preaggs]: /docs/pre-aggregations/using-pre-aggregations#export-bucket
197219
[ref-caching-using-preaggs-build-strats]: /docs/pre-aggregations/using-pre-aggregations#pre-aggregation-build-strategies
220+
[ref-oidc-aws-redshift]: /admin/deployment/oidc/aws#redshift
198221
[ref-recipe-enable-ssl]: /recipes/configuration/using-ssl-connections-to-data-source
199222
[ref-schema-ref-types-formats-countdistinctapprox]: /reference/data-modeling/measures#type
200223
[self-preaggs-batching]: #batching

docs-mintlify/admin/connect-to-data/data-sources/google-bigquery.mdx

Lines changed: 31 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,9 @@ and **BigQuery Job User** roles enabled. If you plan to use pre-aggregations,
1313
the account will need the **BigQuery Data Editor** role instead of **BigQuery Data Viewer**.
1414
You can learn more about acquiring
1515
Google BigQuery credentials [here][bq-docs-getting-started].
16+
In Cube Cloud, you can authenticate with [OIDC workload identity
17+
federation][ref-oidc-gcp-bigquery] instead of a key file — the same roles
18+
apply to the impersonated service account.
1619

1720
</Info>
1821

@@ -59,6 +62,28 @@ The following fields are required when creating a BigQuery connection:
5962
<img src="https://ucarecdn.com/9fdfbd5d-5556-48b3-aa6e-fff0f24b30e9/" alt="Cube Cloud BigQuery Configuration Screen" />
6063
</Frame>
6164

65+
#### OIDC workload identity federation
66+
67+
Instead of a service account key file, Cube Cloud deployments can
68+
authenticate to BigQuery with [OIDC workload identity
69+
federation][ref-oidc-gcp-bigquery]: a Workload Identity Federation provider
70+
in your GCP project trusts Cube's OIDC issuer, and the driver authenticates
71+
through the GCP default credential chain — no JSON key to provision or
72+
rotate. Select **OIDC workload identity federation** in the connection
73+
wizard, or set the equivalent environment variables:
74+
75+
```dotenv
76+
CUBEJS_DB_TYPE=bigquery
77+
CUBEJS_DB_BQ_PROJECT_ID=my-bigquery-project-12345
78+
GCP_POOL_AUDIENCE=//iam.googleapis.com/projects/123456789/locations/global/workloadIdentityPools/cube-pool/providers/cube
79+
GCP_SERVICE_ACCOUNT_EMAIL=cube-deployment@my-bigquery-project-12345.iam.gserviceaccount.com
80+
```
81+
82+
`GCP_SERVICE_ACCOUNT_EMAIL` selects the service account Cube impersonates;
83+
leave it unset to authenticate as the federated principal directly. See the
84+
[GCP OIDC guide][ref-oidc-gcp-bigquery] for the Workload Identity Pool,
85+
provider, and IAM setup.
86+
6287
Cube Cloud also supports connecting to data sources within private VPCs
6388
if [single-tenant infrastructure][ref-dedicated-infra] is used. Check out the
6489
[VPC connectivity guide][ref-cloud-conf-vpc] for details.
@@ -70,14 +95,18 @@ if [single-tenant infrastructure][ref-dedicated-infra] is used. Check out the
7095
| Environment Variable | Description | Possible Values | Required |
7196
| ------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------- | :------: |
7297
| [`CUBEJS_DB_BQ_PROJECT_ID`](/reference/configuration/environment-variables#cubejs_db_bq_project_id) | The Google BigQuery project ID to connect to | A valid Google BigQuery Project ID ||
73-
| [`CUBEJS_DB_BQ_KEY_FILE`](/reference/configuration/environment-variables#cubejs_db_bq_key_file) | The path to a JSON key file for connecting to Google BigQuery | A valid Google BigQuery JSON key file ||
98+
| [`CUBEJS_DB_BQ_KEY_FILE`](/reference/configuration/environment-variables#cubejs_db_bq_key_file) | The path to a JSON key file for connecting to Google BigQuery | A valid Google BigQuery JSON key file |<sup>1</sup> |
7499
| [`CUBEJS_DB_BQ_CREDENTIALS`](/reference/configuration/environment-variables#cubejs_db_bq_credentials) | A Base64 encoded JSON key file for connecting to Google BigQuery | A valid Google BigQuery JSON key file encoded as a Base64 string ||
75100
| [`CUBEJS_DB_BQ_LOCATION`](/reference/configuration/environment-variables#cubejs_db_bq_location) | The Google BigQuery dataset location to connect to. Required if used with pre-aggregations outside of US. If not set then BQ driver will fail with `Dataset was not found in location US` error | [A valid Google BigQuery regional location][bq-docs-regional-locations] | ⚠️ |
76101
| [`CUBEJS_DB_EXPORT_BUCKET`](/reference/configuration/environment-variables#cubejs_db_export_bucket) | The name of a bucket in cloud storage | A valid bucket name from cloud storage ||
77102
| [`CUBEJS_DB_EXPORT_BUCKET_TYPE`](/reference/configuration/environment-variables#cubejs_db_export_bucket_type) | The cloud provider where the bucket is hosted | `gcp` ||
78103
| [`CUBEJS_DB_MAX_POOL`](/reference/configuration/environment-variables#cubejs_db_max_pool) | The maximum number of concurrent database connections to pool. Default is `40` | A valid number ||
79104
| [`CUBEJS_CONCURRENCY`](/reference/configuration/environment-variables#cubejs_concurrency) | The number of [concurrent queries][ref-data-source-concurrency] to the data source | A valid number ||
80105

106+
<sup>1</sup> Not required when authenticating with [OIDC workload identity
107+
federation][ref-oidc-gcp-bigquery] in Cube Cloud, or when providing the key
108+
material via [`CUBEJS_DB_BQ_CREDENTIALS`](/reference/configuration/environment-variables#cubejs_db_bq_credentials).
109+
81110
[ref-data-source-concurrency]: /admin/connect-to-data/concurrency#data-source-concurrency
82111
## Pre-Aggregation Feature Support
83112

@@ -154,5 +183,6 @@ BigQuery connections are made over HTTPS.
154183
https://support.google.com/a/answer/7378726?hl=en
155184
[ref-caching-large-preaggs]: /docs/pre-aggregations/using-pre-aggregations#export-bucket
156185
[ref-caching-using-preaggs-build-strats]: /docs/pre-aggregations/using-pre-aggregations#pre-aggregation-build-strategies
186+
[ref-oidc-gcp-bigquery]: /admin/deployment/oidc/gcp#bigquery
157187
[ref-schema-ref-types-formats-countdistinctapprox]: /reference/data-modeling/measures#type
158188
[self-preaggs-batching]: #batching

docs-mintlify/admin/deployment/oidc/aws.mdx

Lines changed: 57 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,12 +1,12 @@
11
---
22
title: AWS
33
sidebarTitle: AWS
4-
description: Configure AWS IAM trust for Cube's OIDC issuer and use it for Athena, S3 export buckets, Cube Store CSPS, and Bedrock.
4+
description: Configure AWS IAM trust for Cube's OIDC issuer and use it for Athena, Redshift, S3 export buckets, Cube Store CSPS, and Bedrock.
55
---
66

77
This guide walks through configuring AWS to trust Cube's OIDC issuer and
8-
shows the trust policies for the most common targets — Athena, an S3 export
9-
bucket, Cube Store CSPS, and Bedrock for bring-your-own LLM.
8+
shows the trust policies for the most common targets — Athena, Redshift, an
9+
S3 export bucket, Cube Store CSPS, and Bedrock for bring-your-own LLM.
1010

1111
If you haven't enabled OIDC for your tenant yet, start with the
1212
[OIDC overview][ref-oidc-overview].
@@ -257,6 +257,59 @@ results from your S3 results bucket.
257257
</Step>
258258
</Steps>
259259

260+
## Redshift
261+
262+
Configure an IAM role that can obtain temporary Redshift database
263+
credentials. The Redshift driver uses the deployment's federated identity
264+
to call `redshift:GetClusterCredentialsWithIAM` — no database password is
265+
stored anywhere.
266+
267+
<Steps>
268+
<Step title="Create the IAM role">
269+
Use the same trust policy shape as [Athena](#athena) — federated
270+
principal, `aud` pinned to `sts.amazonaws.com`, and `sub` pinned to your
271+
deployment.
272+
</Step>
273+
<Step title="Attach the Redshift permissions">
274+
The role needs to fetch temporary credentials and describe the cluster:
275+
276+
```json
277+
{
278+
"Version": "2012-10-17",
279+
"Statement": [
280+
{
281+
"Effect": "Allow",
282+
"Action": [
283+
"redshift:GetClusterCredentialsWithIAM",
284+
"redshift:DescribeClusters"
285+
],
286+
"Resource": "*"
287+
}
288+
]
289+
}
290+
```
291+
292+
Tighten `Resource` to your cluster and database ARNs in production.
293+
</Step>
294+
<Step title="Configure the deployment">
295+
Set the Redshift driver env vars for [IAM
296+
authentication][ref-redshift-driver-iam] and omit `CUBEJS_DB_USER` /
297+
`CUBEJS_DB_PASS`. With `AWS_ROLE_ARN` in place, the driver assumes the
298+
role via OIDC federation and exchanges it for temporary database
299+
credentials:
300+
301+
```dotenv
302+
CUBEJS_DB_TYPE=redshift
303+
AWS_ROLE_ARN=arn:aws:iam::<aws-account-id>:role/cube-deployment-<tenant-name>
304+
CUBEJS_DB_HOST=my-cluster.xxx.us-east-1.redshift.amazonaws.com
305+
CUBEJS_DB_NAME=my_database
306+
CUBEJS_DB_SSL=true
307+
CUBEJS_DB_REDSHIFT_AWS_REGION=us-east-1
308+
CUBEJS_DB_REDSHIFT_CLUSTER_IDENTIFIER=my-cluster
309+
```
310+
</Step>
311+
</Steps>
312+
260313
## S3 export bucket
261314

262315
If your data source uses an [export bucket][ref-export-bucket] for
@@ -540,3 +593,4 @@ authenticating against which roles.
540593
[ref-cube-cloud-region]: /admin/deployment/infrastructure#what-is-a-cube-cloud-region
541594
[ref-export-bucket]: /admin/connect-to-data#export-bucket
542595
[ref-athena-assume-role]: /admin/connect-to-data/data-sources/aws-athena#environment-variables
596+
[ref-redshift-driver-iam]: /admin/connect-to-data/data-sources/aws-redshift#iam-authentication

0 commit comments

Comments
 (0)