How can I use my IAM role credentials or switch to another IAM role when connecting to Athena using the JDBC driver?
Last updated: 2020-04-20
I want to use an AWS Identity and Access Management (IAM) role to connect to Amazon Athena through the JDBC driver. Or, I want to switch to another IAM role, either in my AWS account or in a different account, before connecting to Athena through the JDBC driver.
Use IAM role credentials to connect to the Athena JDBC driver
Retrieve the role's temporary credentials. The process for retrieving the temporary credentials depends on how you assume the role:
- Assuming the role with a SAML identity provider: Active Directory Federation Services (AD FS) 3.0 and Okta are the only SAML 2.0 identity providers that the Athena JDBC driver supports directly. If you assume the role with a different identity provider, use the AWS CLI assume-role-with-saml command to get the temporary credentials.
- Assuming a different role with your own credentials: If you assume another role, in the same AWS account or in a different account, use the AWS CLI assume-role command to get the temporary credentials.
For more information, see Using IAM Roles and review the Comparing methods for using roles table.
The temporary credentials consist of an access key ID, a secret access key, and a session token. All three values are required to authenticate the JDBC connection to Athena. Keep in mind that temporary credentials have a maximum lifespan of 12 hours (the role's configured maximum session duration, which is 1 hour by default), and that a session is capped at 1 hour when the role is assumed with temporary credentials that were themselves obtained by assuming a role (role chaining). After the credentials expire, the profile must be updated before the driver can connect again.
1. On the machine where the Athena JDBC driver is installed, save the temporary credentials to the AWS credentials file (~/.aws/credentials) as a named profile. The file stores the secret access key and session token in plaintext, so make it readable only by the user account that runs the driver (for example, chmod 600 ~/.aws/credentials on Linux). For more information, see Configuration and Credential File Settings.
Here's an example of temporary credentials that are stored in an AWS Command Line Interface (AWS CLI) profile named testprofile:
[testprofile]
aws_access_key_id=ASIAXXXXXXXXX
aws_secret_access_key=XXXXXXXX
aws_session_token=XXXXXXXXXXXXXXXXXX
2. To connect to Athena with the JDBC driver, specify the profile name in the JDBC connection string (for example: jdbc:awsathena://AwsRegion=us-west-2;Profile=testprofile;), or set it in the Profile JDBC configuration property.
Switch to a different IAM role and then connect to the Athena JDBC driver
To switch roles before connecting to the Athena JDBC driver, use the source_profile option in the named profile:
1. On the machine where the Athena JDBC driver is installed, add a named profile to the AWS CLI credentials file (~/.aws/credentials). For more information about creating named profiles, see Named Profiles. The profile must include these properties:
- role_arn: the Amazon Resource Name (ARN) of the role that you want to assume
- source_profile: a profile that contains the credentials of an IAM user or an IAM role that has permissions to assume the role
For example, to assume a role named testrole that has the ARN arn:aws:iam::123456789012:role/testrole, create a named profile like this:
[switchroletest]
role_arn=arn:aws:iam::123456789012:role/testrole
source_profile=default
In this example, the default profile contains the credentials of an IAM user or role that has permissions to assume testrole:
[default]
aws_access_key_id=ASIAXXXXXXXXX
aws_secret_access_key=XXXXXXXX
aws_session_token=XXXXXXXXXXXXXXXXXX
If the JDBC driver is installed on an Amazon Elastic Compute Cloud (Amazon EC2) instance, the source credentials can come from the instance profile. In that case, set credential_source=Ec2InstanceMetadata instead of source_profile: source_profile must name another profile in the credentials file, and Ec2InstanceMetadata is a credential_source keyword, not a profile name. In this scenario, the EC2 instance's role first assumes testrole, and then the driver uses testrole's credentials to authenticate to Athena. Example:
[switchroletest]
role_arn=arn:aws:iam::123456789012:role/testrole
credential_source=Ec2InstanceMetadata
2. To connect to Athena with the JDBC driver, specify the profile name in the JDBC connection string (for example: jdbc:awsathena://AwsRegion=us-west-2;Profile=switchroletest;), or set it in the Profile JDBC configuration property.
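The following POSIX shell script is an added example that covers both procedures on this page (storing temporary role credentials as a named profile, and writing a role-switch profile); it is not code from the AWS article or from the Athena JDBC driver. The assume-role command quoted in its comments is the real AWS CLI invocation; the helper function names, the profile names, the role ARN, and the credential line used in the demo are this example's own assumptions and constructed values. It refuses an access key ID that is not a temporary one (STS temporary access key IDs start with ASIA), creates the credentials file readable only by its owner, and writes credential_source rather than source_profile when the source is the EC2 instance metadata service.

```shell
#!/bin/sh
# Added example, not part of the AWS article: store temporary role credentials
# and role-switch profiles for the Athena JDBC driver's Profile property.
# Profile names, the role ARN and the demo credential line are constructed.
set -eu

# Append an INI section to a credentials file. The file holds plaintext
# secrets, so it is created (and kept) readable only by its owner.
write_profile() {  # $1=file $2=profile name, remaining args: key=value lines
    file=$1; name=$2; shift 2
    umask 077                      # new files/dirs: owner-only (0600/0700)
    mkdir -p "$(dirname "$file")"
    if [ -f "$file" ] && grep -Fqx "[$name]" "$file"; then
        echo "profile '$name' already exists in $file; not overwriting" >&2
        return 1
    fi
    { echo "[$name]"; for kv in "$@"; do echo "$kv"; done; echo; } >> "$file"
    chmod 600 "$file"
}

# Store the output of `aws sts assume-role` (or assume-role-with-saml) as a
# static-credential profile. $3 is the one tab-separated line produced by:
#   aws sts assume-role --role-arn "$ROLE_ARN" --role-session-name athena-jdbc \
#     --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
#     --output text
write_temp_creds_profile() {  # $1=file $2=profile name $3=STS credential line
    tab=$(printf '\t')
    IFS=$tab read -r ak sk tok exp <<EOF
$3
EOF
    case $ak in
        ASIA*) ;;   # STS temporary access key IDs always start with ASIA
        *) echo "expected a temporary access key ID (ASIA...), got '$ak'" >&2
           return 1 ;;
    esac
    write_profile "$1" "$2" \
        "aws_access_key_id=$ak" \
        "aws_secret_access_key=$sk" \
        "aws_session_token=$tok" || return 1
    echo "profile '$2' written; these credentials expire at $exp" >&2
}

# Write a profile that assumes a role before the driver connects. $4 is the
# name of a source profile holding credentials allowed to assume the role, or
# one of the credential_source keywords (Ec2InstanceMetadata on an EC2
# instance), which is not a profile name and so must not go in source_profile.
write_switch_role_profile() {  # $1=file $2=profile name $3=role ARN $4=source
    case $3 in
        arn:aws*:iam::*:role/*) ;;
        *) echo "not an IAM role ARN: $3" >&2; return 1 ;;
    esac
    case $4 in
        Ec2InstanceMetadata|EcsContainer|Environment)
            write_profile "$1" "$2" "role_arn=$3" "credential_source=$4" ;;
        *)
            write_profile "$1" "$2" "role_arn=$3" "source_profile=$4" ;;
    esac
}

# JDBC URL that makes the driver read the named profile.
athena_jdbc_url() {  # $1=AWS Region $2=profile name
    printf 'jdbc:awsathena://AwsRegion=%s;Profile=%s;' "$1" "$2"
}

# Demo with constructed values (not real credentials): sh athena_profiles.sh demo
if [ "${1:-}" = demo ]; then
    f=$(mktemp -d)/credentials
    write_temp_creds_profile "$f" testprofile \
        "$(printf 'ASIAEXAMPLEKEYID\tsecretEXAMPLE\ttokenEXAMPLE\t2020-04-20T12:00:00Z')"
    write_switch_role_profile "$f" switchroletest \
        arn:aws:iam::123456789012:role/testrole default
    write_switch_role_profile "$f" ec2switchrole \
        arn:aws:iam::123456789012:role/testrole Ec2InstanceMetadata
    athena_jdbc_url us-west-2 switchroletest; echo
    cat "$f"
fi
```

For real use, replace the demo line with the output of the assume-role command quoted in the comments and pass "$HOME/.aws/credentials" as the file; the script refuses to overwrite an existing profile, so remove the stale section before writing refreshed credentials after the session expires.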