Workbench-managed Credentials
Posit Workbench includes several integrations which enable you to make use of credentials associated with various cloud and compute provider services. These credentials are managed by Workbench so that you do not have to store them in plain text in code or configuration files, or manually define environment variables.
Workbench supports credentials for some of the most popular cloud providers and data platforms, with support in specific session types outlined below:
Provider | RStudio Pro | VS Code | JupyterLab | Jupyter Notebook |
---|---|---|---|---|
AWS | ✅ | ✅ | ❌ | ❌ |
Azure | ✅ | ❌ | ❌ | ❌ |
Databricks | ✅ | ✅ | ❌ | ❌ |
Snowflake | ✅ | ✅ | ❌ | ❌ |
Managed credentials have a number of benefits:
- Users arrive in a session to find that official platform tools like CLIs, SDKs, and drivers work without needing a separate step to configure credentials.
- Administrators no longer need to give all Workbench users blanket access to an overloaded instance profile (or an equivalent) just so that they can access cloud-based resources.
- Users do not need to manage sensitive, long-lived credentials themselves to have individually-scoped permissions.
- Administrators can grant or revoke granular access for individuals directly at the provider level, rather than through an out-of-band configuration mechanism.
AWS credentials
Workbench can provide user-specific AWS credentials for sessions, tied to each user's Single Sign-On credentials. Workbench uses the AWS web identity federation mechanism to set these credentials in individual sessions. This mechanism also powers AWS integrations like IAM Roles for Service Accounts (the recommended IAM solution for Kubernetes) and GitHub Actions.
For more information about enabling this feature, see the Posit Workbench Administration Guide: AWS credentials section.
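A session-side check for the web identity federation described above, added here as an example and not taken from Posit's documentation or code. It assumes the session exposes the federation through the standard AWS SDK variables `AWS_ROLE_ARN` and `AWS_WEB_IDENTITY_TOKEN_FILE`, which this page does not state; the function name and finding codes are hypothetical.

```python
import os
from pathlib import Path

STATIC_KEY_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")


def audit_aws_session(env, home):
    """Report how the AWS SDK default chain would resolve credentials here.

    env  -- mapping of environment variables (e.g. os.environ)
    home -- the user's home directory
    Returns a list of finding codes (strings).
    """
    findings = []

    # Web identity federation: the SDK exchanges the token in this file
    # for short-lived role credentials (sts:AssumeRoleWithWebIdentity).
    # Assumption: the managed credential is exposed via these variables.
    token_file = env.get("AWS_WEB_IDENTITY_TOKEN_FILE")
    role_arn = env.get("AWS_ROLE_ARN")
    if not (token_file and role_arn):
        findings.append("federation-not-configured")
    elif not Path(token_file).is_file():
        findings.append("federation-token-missing")
    else:
        findings.append("federation-configured")

    # boto3 and the AWS CLI check static environment keys before web
    # identity, so leftover keys silently replace the managed credential.
    if any(env.get(name) for name in STATIC_KEY_VARS):
        findings.append("static-env-keys-shadow-federation")

    # Long-lived keys in the shared credentials file defeat the point of
    # managed credentials even when they are not the ones being used.
    default_file = Path(home) / ".aws" / "credentials"
    cred_file = Path(env.get("AWS_SHARED_CREDENTIALS_FILE") or default_file)
    if cred_file.is_file() and "aws_access_key_id" in cred_file.read_text().lower():
        findings.append("static-keys-in-credentials-file")

    return findings


if __name__ == "__main__":
    for finding in audit_aws_session(os.environ, Path.home()):
        print(finding)
```

A clean managed session reports only `federation-configured`; any `static-*` finding points at a long-lived key that should be removed from the session environment or home directory.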
Azure credentials
When Workbench is configured to use Microsoft Entra ID for Single Sign-On (SSO), users can also be granted delegated permissions for additional Azure resources without needing to sign in again. See Microsoft Entra ID (formerly Azure Active Directory) and the Understanding delegated access sections of Microsoft’s website for more information on delegating credentials with Entra ID.
These delegated credentials eliminate the need for end users to manage complex authentication workflows when accessing Azure services from within Workbench.
And while the most common delegated permissions are to access Azure services themselves (such as object storage or one of their cloud-backed databases), the same mechanism can be used to grant access to any third-party application in the same Entra ID tenant.
For more information about enabling this feature, see the Posit Workbench Administration Guide: Azure credentials section.
Databricks
Workbench includes an integration with Databricks Unified Authentication, including authentication and authorization with Databricks via OAuth2 on AWS or Azure.
For more information, see the Workbench-managed Databricks Credentials section of the User Guide. To learn about the Databricks Pane and Connections Pane integration for RStudio Pro, see the Databricks in RStudio Pro section.
Snowflake credentials
Snowflake roles are supported when Snowflake accounts are configured within Workbench and authenticate via OAuth2. The Snowflake integration in Workbench provides a few additional controls in the Edit Credentials dialog, discussed in the Workbench-managed Snowflake Credentials section.
Starting a Session with Workbench-managed credentials
The Credential Selection Widget
If your administrator has configured and enabled one or more cloud provider integrations, a new widget displays in the New Session dialog. This allows you to select multiple credentials – one per provider – to use for the new session. More controls are available in the Edit Credentials dialog. See The Edit Credentials dialog section below for more information.
By default, any cloud provider with a valid credential is automatically selected for use with the new session. Credentials are considered “in use” if the corresponding button is blue with a check mark in the corner. You can toggle a credential on or off by clicking the button. For providers that require authentication, the logo is either greyed out or colored to indicate the authentication status. An empty circle in the corner with no check mark means that the credential is ready to be enabled.
If a lock is displayed, then that credential is not authenticated yet. You can click on the button to sign in and begin the authentication flow. The widget shows a pending indicator while authentication is in progress.
Pending sign-ins can be canceled by opening the “Edit Credentials” dialog and clicking on the “X” button next to that provider.
One credential from each provider can be enabled at once, provided that they are all authenticated and valid.
For providers that allow multiple credentials, click the drop-down arrow on the right side of the selection button to display a list. If you select a credential from the list that is not yet authenticated, the cloud provider is toggled off automatically to prevent use of an invalid selection.
The Edit Credentials dialog
The Edit Credentials dialog provides extra control over the quick-selection process of the selection widget. The “Edit Credentials” button opens this dialog, which displays all cloud providers, including those which are not configured for use.
Any configured provider that supports authentication can be signed in from here. Select a credential from the drop-down and click “Sign In” to begin the authentication flow. Cancel the sign-in process by clicking the “X” button shown previously.
If an error occurs during authentication, a message is displayed to the user and a “Retry” option is available to attempt to sign in again.