Set Up Amazon Redshift IAM Identity Center OAuth

Important: The Redshift ODBC driver currently deployed to Tableau Cloud does not support OAuth. The next release of the driver from Amazon, which will includes fixes, is scheduled for early April. This should be deployed to Tableau Cloud several weeks later.

Until then if you want to use IAM IDC OAuth for Redshift on Tableau Cloud, you can use the latest 2.x version of the driver with Tableau Bridge with the following limitations:

  • The Linux build of the driver only supports ascii characters in queries, schemas, and table names.

  • Both Linux and Windows builds of the 2.x driver will crash with HTTP proxies.

  • Both Linux and Windows builds have issues querying geospatial data.

Starting in Tableau 2023.3.2 for on premise (Tableau Desktop, Tableau Server, and Tableau Prep) and April 2024 for Tableau Cloud, you can use OAuth 2.0/OIDC to federate identity from an external identity provider to Amazon Redshift. Tableau Bridge can be used as a workaround on Tableau Cloud until a driver is available. For more information on Bridge, see Use Bridge to Keep Data Fresh.

Note: This feature is not available for OSX because of driver limitations.

These instructions are for the newer AWS IAM IDC service. For original IAM integration see Set Up Amazon Redshift IAM OAuth.

Depending on the identity provider, there are different steps needed to configure the integration. This is a high level overview. Tableau cannot provide detailed instructions for how to configure AWS or the IDP, but this is the general approach.

Configure the IDP

  1. Create OAuth clients on the IDP for Tableau Desktop and Tableau Server or Tableau Cloud. The Desktop client should enable PKCE and use http://localhost redirects.

  2. Add any required custom claims to use for authorization to roles.

  3. Create the Tableau OAuth config files. See documentation on GitHub(Link opens in a new window), and examples(Link opens in a new window). We welcome examples for other IDPs.

    1. Be sure to prefix the Tableau OAuth config IDs with “custom_”.

    2. If your IDP supports dynamic localhost port then disable OAUTH_CAP_FIXED_PORT_IN_CALLBACK_URL. If it does not, make sure to add several localhost callback URLs to the allowlist in the config file and on the IDP.

  4. Install Tableau OAuth config files on desktop machines and Tableau Server or Tableau Cloud sites.

Step 2: Configure IDP and Roles on AWS

See your AWS documentation for information on doing this.

Step 3: Connect to Redshift

  1. Connect to Redshift.

  2. Select OAuth for Authentication.

  3. Select Identity Center for Federation Type.

  4. (Optional) Specify the Identity Center Namespace if necessary.

When correctly configured, you will be redirected to the IDP to authenticate and authorize tokens for Tableau. Tableau will receive an access token and refresh tokens. It will send the access token to the driver for authentication.


If you are using Okta, it's better to use a "custom authorization server" instead of the "org authorization server." The custom authorization servers are more flexible. A custom authorization server is created by default and called "default". The authorization URL should look like this:


Update the driver

For Redshift OAuth using IAM IDC service, you must use the Redshift ODBC driver starting with version, which can be downloaded from opens in a new window). Note there is no v2 driver for OSX.

Troubleshooting Redshift IAM IDC OAuth

If you see an error message about invalid/expired token coming from the driver on the first connection (it will have a SQLState error code like [28000] or [08001] in the error message), then Tableau successfully completed the OAuth flow, and failed in the driver. This means there is a misconfiguration on either the AWS side or the IDP side. There may also be permissions or authorization errors returned from the driver, which is also out of Tableau's control.

The best way to diagnose these errors is to remove Tableau from the picture. You first need to get an access token (the default for IAM IDC) or refresh token (if customized) to send to the driver.

Here is an example with Okta. Almost all IDPs have a way to do this which is quite similar. Note that to use this flow you need to have enabled resource owner password grant type. Substitute the IDP URL, client secret, client ID, username, and password.

curl -X POST "https://OKTA_URL/v1/token" \
-H 'accept: application/json' \
-H "Authorization: Basic $(echo -n 'CLIENTID:CLIENTSECRET' | base64)" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=password&username=USER&password=PASSWORD&scope=openid"

Once you have the token, you can use a DSN to test. Below is an example of using the ODBC driver manager on Windows. On Mac you can use the iODBC driver manager UI. On Linux you can use the isql command line tool that is included with Tableau Server in the customer-bin folder.

Thanks for your feedback!Your feedback has been successfully submitted. Thank you!