Redshift driver: support AWS Identity Center trusted identity propagation for lake formation #10893

@santiagousach-pomelo

Is your feature request related to a problem? Please describe.

Cube's Redshift driver uses pg, which can't carry an AWS Identity Center (IdC) identity into Redshift. So Redshift always sees the shared IAM role Cube connects with, never the real user. That kills Lake Formation policies tied to IdC users/groups — even when trusted identity propagation is fully set up on AWS, Cube is the ceiling.

Describe the solution you'd like

A dataApi: true mode that swaps pg for @aws-sdk/client-redshift-data. The SDK supports IdC trusted identity propagation natively, so Redshift sees the real user and LF policies just work. Same pattern as the existing Athena driver.

Describe alternatives you've considered

  • dataSources multi-role routing: per-group only, no user identity.
  • Bypass Cube via Data API directly: loses the semantic layer.
  • Custom driver fork: weeks of work, ongoing maintenance.

Additional context

TIP for Redshift · Redshift IdC auth · LF IdC integration. Affects anyone running Cube on JC/Okta/Entra → IdC → Redshift + LF. Happy to contribute a PR.
