How can I use my IAM role credentials or switch to another IAM role when connecting to Athena using the JDBC driver?

4 minute read

I want to use an AWS Identity and Access Management (IAM) role to connect to Amazon Athena through the JDBC driver. Or, I want to switch to another IAM role before I connect to Athena through the JDBC driver.

Resolution

Use IAM role credentials to connect to the Athena JDBC driver

Retrieve the role's temporary credentials. The process for retrieving the temporary credentials depends on how you assume the role.

Assuming the role with a SAML Identity provider: Active Directory Federation Services (AD FS) 3.0, Okta, PingFederate, and Azure AD are the only SAML 2.0 identity providers that are directly supported in the Athena JDBC driver. If you assume the role with a different identity provider, then use the assume-role-with-saml command to get the temporary credentials.
Assuming a different role in your account: If you assume another role in the same AWS account, then use assume-role to get the temporary credentials.

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent AWS CLI version.

For more information, see Using IAM roles and review the Comparing methods for using roles table.

The temporary credentials contain the session token, access key ID, and secret access key. These three credentials are required for authenticating the JDBC connection to Athena. Keep in mind that the temporary credentials have a maximum lifespan of 12 hours.

On the machine where the Athena JDBC driver is installed, save the temporary credentials to the AWS credentials file (~/.aws/credentials) as a named profile. For more information, see Configuration and credential file settings.

Here's an example of temporary credentials that are stored in an AWS CLI profile named testprofile:

[testprofile]
aws_access_key_id=ASIAXXXXXXXXX
aws_secret_access_key=XXXXXXXX
aws_session_token=XXXXXXXXXXXXXXXXXX

To connect to Athena with the JDBC driver, specify the profile name in the JDBC connection string (for example: jdbc:awsathena://AwsRegion=us-west-2;Profile=testprofile;). Or, set the profile name in Profile JDBC configuration property.

Note: The Profile JDBC configuration property is available in Athena JDBC driver versions 2.0.6 and later. To get the latest JDBC driver, see Connecting to Amazon Athena with JDBC.

Switch to a different IAM role and then connect to the Athena JDBC driver

To switch roles before connecting to the Athena JDBC driver, use the source_profile option in the named profile:

On the machine where the Athena JDBC driver is installed, add a named profile to the AWS CLI credentials file (~/.aws/credentials). For more information about creating named profiles, see Using named profiles. The profile must include these properties:

role_arn: the Amazon Resource Name (ARN) of the role that you want to assume
source_profile: a profile that contains the credentials of an IAM user or an IAM role that has permissions to assume the role

For example, to assume a role named testrole that has the ARN arn:aws:iam::123456789012:role/testrole, create a named profile like this:
```
[switchroletest]
role_arn=arn:aws:iam::123456789012:role/testrole
source_profile=default
```
In this example, the default profile contains the credentials of an IAM user or role with permissions to assume testrole:
```
[default]
aws_access_key_id=ASIAXXXXXXXXX
aws_secret_access_key=XXXXXXXX
aws_session_token=XXXXXXXXXXXXXXXXXX
```
Note: AWS CLI supports specifying source_profile in the AWS CLI config file (/.aws/config) and user credentials in a separate AWS CLI credentials file (~/.aws/credentials). However, the Athena JDBC driver supports reading credentials only from the AWS CLI credentials file. Because of this limitation, must place these profiles in the same AWS CLI credentials file (/.aws/credentials). Also, don't prefix them with profile. The Athena JDBC driver doesn't support using credential_source = Ec2InstanceMetadata in named profiles.
To connect to Athena with the JDBC driver, specify the profile name in the JDBC connection string (for example: jdbc:awsathena://AwsRegion=us-west-2;Profile=switchroletest;). Or, set the profile name in Profile JDBC configuration property.

Related information

Requesting temporary security credentials

Simba Athena JDBC driver with SQL connector installation and configuration guide (version 2.0.9)

Switching to an IAM role (AWS CLI)

Using an IAM role in the AWS CLI

Topics

Analytics

Relevant content

Connecting to Athena using JDBC driver from a Spring Java application
info2anu
asked 3 years ago
Accessing Amazon Athena over JDBC with an IAM role
Accepted Answer
AWS-User-4146365
asked 4 years ago
IAM Role/profile support with Athena ODBC Connector
repost_user_1342
asked a year ago
Using credential process for IAM Roles Anywhere in springboot application
rePost-User-4334793
asked a year ago
Connection getting hung when using Simba JDBC to connect to Athena
Neo
asked 7 months ago
How can I troubleshoot the error "An error occurred while communicating with Amazon Athena" when connecting to Athena with a JDBC or ODBC driver?
AWS OFFICIALUpdated 10 months ago
Why is my Amazon EC2 instance using IAM user credentials instead of role credentials?
AWS OFFICIALUpdated 9 months ago
How do I use Athena drivers to troubleshoot Tableau connectivity?
AWS OFFICIALUpdated 19 days ago
How can I resolve issues with switching IAM roles using the AWS Management Console?
AWS OFFICIALUpdated 10 months ago
Use IAM tags to enable fine-grained federated authentication to Redshift Serverless
EXPERT
Poulomi_DG
published 10 months ago