
How do I use my IAM role credentials or switch to another IAM role when I use the JDBC driver to connect to Amazon Athena?


I want to use AWS Identity and Access Management (IAM) role credentials to authenticate the JDBC driver connection to Amazon Athena. Or, I want to switch to another IAM role before I use the JDBC driver to connect to Amazon Athena.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Use IAM role credentials to connect to the Athena JDBC driver

Retrieve the role's temporary credentials. The process to retrieve the temporary credentials is different based on how you assume the role.

You use an SAML identity provider to assume the role

Active Directory Federation Services (AD FS) 3.0, Okta, PingFederate, and Microsoft Entra ID are the only SAML 2.0 identity providers that are directly supported in the Athena JDBC driver. If you use a different identity provider to assume the role, then run the assume-role-with-saml command to get the temporary credentials.

You assume a different role in your account

If you assume another role in the same AWS account, then run the assume-role command to get the temporary credentials.

For more information, see Methods to assume a role.

The temporary credentials contain the session token, access key ID, and secret access key that are required to authenticate the JDBC connection to Amazon Athena.

Note: The temporary credentials are valid only for 12 hours.

Save the temporary credentials on your machine to the ~/.aws/credentials AWS credentials file as a named profile. For more information, see Configuration and credential file settings in the AWS CLI.

The following is an example of temporary credentials that are stored in an AWS CLI profile that's named testprofile:

[testprofile]
aws_access_key_id=ASIA#########
aws_secret_access_key=########
aws_session_token=##################

To use the JDBC driver to connect to Amazon Athena, specify the profile name in the JDBC connection string, for example jdbc:awsathena://AwsRegion=us-west-2;Profile=testprofile;. Or, set the profile name in the Profile JDBC configuration property.

Note: The Profile JDBC configuration property is available in Athena JDBC driver versions 2.0.6 and later. To get the latest JDBC driver, see Connect to Amazon Athena with JDBC.
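The procedure above end to end, as an added shell example that is not part of the Knowledge Center article and not code from the Athena JDBC driver: it runs the assume-role command the article names, writes the returned credentials as a bare [name] section in the credentials file, checks the STS Expiration timestamp before the profile is used, and builds the JDBC URL in the form shown above. The session name athena-jdbc, the helper names, the placeholder key values in the test and the use of GNU date are assumptions. The live path that calls the AWS CLI runs only when the script is given arguments, so the helpers can be exercised offline.

```bash
#!/usr/bin/env bash
# Added example (not from the Knowledge Center article): assume a role with
# the AWS CLI, store the temporary credentials as a named profile in the
# layout the Athena JDBC driver reads, and build the JDBC connection string.
set -eu

# Append a named profile to a credentials file: a bare [name] header (no
# "profile " prefix) followed by the three keys the driver needs. The file is
# created with mode 600 because it holds a live session token.
write_athena_profile() {
  local file=$1 name=$2 key_id=$3 secret=$4 token=$5
  ( umask 077
    printf '[%s]\naws_access_key_id=%s\naws_secret_access_key=%s\naws_session_token=%s\n' \
      "$name" "$key_id" "$secret" "$token" >> "$file" )
  chmod 600 "$file"
}

# JDBC URL in the form the article shows, selecting the profile by name.
athena_jdbc_url() {
  printf 'jdbc:awsathena://AwsRegion=%s;Profile=%s;' "$1" "$2"
}

# Return 0 while the ISO-8601 Expiration timestamp returned by STS is still in
# the future (optional second argument: "now" as epoch seconds, for testing).
# Temporary credentials expire, so a connection opened after this point fails
# to authenticate and the profile has to be refreshed. Assumes GNU date.
creds_still_valid() {
  local expiration=$1 now=${2:-$(date -u +%s)} exp_epoch
  exp_epoch=$(date -u -d "$expiration" +%s)
  [ "$exp_epoch" -gt "$now" ]
}

# Live use (needs the AWS CLI and sts:AssumeRole permission on the role):
#   ./athena_profile.sh arn:aws:iam::123456789012:role/testrole testprofile us-west-2
# Nothing below runs when the script is executed without arguments.
if [ "$#" -eq 3 ]; then
  role_arn=$1 profile=$2 region=$3
  # --query flattens the Credentials object to one tab-separated line.
  read -r key_id secret token expiration < <(
    aws sts assume-role --role-arn "$role_arn" --role-session-name athena-jdbc \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
      --output text)
  creds_still_valid "$expiration"
  write_athena_profile "${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}" \
    "$profile" "$key_id" "$secret" "$token"
  echo "Profile [$profile] written; connect with: $(athena_jdbc_url "$region" "$profile")"
fi
```

The script appends rather than overwrites, so rerunning it after the credentials expire adds a second [testprofile] section; remove the stale one (or write to a fresh file pointed to by AWS_SHARED_CREDENTIALS_FILE) before reconnecting.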

Switch to a different IAM role, and then connect to the Athena JDBC driver

To switch roles before you connect to the Athena JDBC driver, use the source_profile option in the named profile.

On your machine, add a named profile to the ~/.aws/credentials AWS CLI credentials file. For more information, see Using named profiles.

The profile must include the following properties:

  • role_arn: ARN of the role that you want to assume.
  • source_profile: A profile that contains the credentials of an IAM user or an IAM role that has permissions to assume the role.

The following is an example configuration to assume a role that's named testrole that has the ARN arn:aws:iam::123456789012:role/testrole:

[switchroletest]
role_arn=arn:aws:iam::123456789012:role/testrole
source_profile=default

In the following example, the default profile contains the credentials of an IAM user or role with permissions to assume testrole:

[default]
aws_access_key_id=ASIA#########
aws_secret_access_key=########
aws_session_token=##################

Note: The AWS CLI lets you specify source_profile in the ~/.aws/config AWS CLI configuration file and keep user credentials in a separate AWS CLI credentials file. However, the Athena JDBC driver can read credentials only from the AWS CLI credentials file. Because of this limitation, you must place both profiles in the same AWS CLI credentials file. Also, don't use the profile prefix in the section headers: write [switchroletest], not [profile switchroletest].

To use the JDBC driver to connect to Athena, specify the profile name in the JDBC connection string, for example jdbc:awsathena://AwsRegion=us-west-2;Profile=switchroletest;. Or, set the profile name in the Profile JDBC configuration property.
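Because the driver reads only the credentials file and does not understand the [profile ...] header, a pre-flight check of the file saves a confusing authentication failure at connection time. The following is an added shell example, not code from the Knowledge Center article or from the driver; the helper names check_switchrole_profile, ini_get and write_sample, and the placeholder key values in the sample, are assumptions. It verifies the constraints stated above: the switch-role section and the section named by its source_profile are both present in the same file, neither uses the profile prefix, role_arn is set, and the source section actually carries key material.

```bash
#!/usr/bin/env bash
# Added example (not from the Knowledge Center article): pre-flight check of a
# switch-role profile against what the Athena JDBC driver can actually read.
set -eu

# ini_get SECTION KEY FILE: print KEY's value from [SECTION] (empty if absent).
ini_get() {
  awk -v section="$1" -v key="$2" '
    /^\[/ { in_section = ($0 == ("[" section "]")); next }
    in_section && $0 ~ ("^[ \t]*" key "[ \t]*=") {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
    }' "$3"
}

# check_switchrole_profile FILE NAME: one diagnostic per problem on stdout,
# exit status 0 only when NAME is usable as Profile=NAME in the JDBC URL.
check_switchrole_profile() {
  local file=$1 name=$2 rc=0 role_arn source k
  if grep -q "^\[profile $name\]" "$file"; then
    echo "ERROR: [profile $name] uses the config-file prefix; the driver expects [$name]"
    rc=1
  fi
  grep -q "^\[$name\]" "$file" || { echo "ERROR: profile [$name] not found in $file"; return 1; }
  role_arn=$(ini_get "$name" role_arn "$file")
  source=$(ini_get "$name" source_profile "$file")
  case $role_arn in
    arn:aws:iam::*:role/?*) ;;
    *) echo "ERROR: role_arn missing or malformed: '$role_arn'"; rc=1 ;;
  esac
  if [ -z "$source" ]; then
    echo "ERROR: source_profile missing"; rc=1
  elif grep -q "^\[profile $source\]" "$file"; then
    echo "ERROR: source profile [profile $source] uses the config-file prefix"; rc=1
  elif ! grep -q "^\[$source\]" "$file"; then
    echo "ERROR: source_profile '$source' is not in $file (the driver does not read ~/.aws/config)"; rc=1
  else
    for k in aws_access_key_id aws_secret_access_key; do
      [ -n "$(ini_get "$source" "$k" "$file")" ] || { echo "ERROR: [$source] lacks $k"; rc=1; }
    done
  fi
  return "$rc"
}

# Constructed sample in the article's layout (placeholder secrets).
write_sample() {
  cat > "$1" <<'EOF'
[default]
aws_access_key_id=ASIAEXAMPLEKEYID
aws_secret_access_key=EXAMPLESECRET
aws_session_token=EXAMPLETOKEN

[switchroletest]
role_arn=arn:aws:iam::123456789012:role/testrole
source_profile=default
EOF
}

# Demo: the good layout passes; the same content with a [profile default]
# header (valid in the AWS CLI config file, invisible to the driver) fails.
if [ "${1:-}" = "--demo" ]; then
  good=$(mktemp) bad=$(mktemp)
  write_sample "$good"
  sed 's/^\[default\]$/[profile default]/' "$good" > "$bad"
  for f in "$good" "$bad"; do
    if check_switchrole_profile "$f" switchroletest; then echo "$f: OK"; else echo "$f: FAILED"; fi
  done
  rm -f "$good" "$bad"
fi
```

Run the check against your real file with check_switchrole_profile ~/.aws/credentials switchroletest before opening the JDBC connection; a clean exit status means the layout matches what the driver expects, so a remaining failure points at the role's trust policy or the source credentials rather than at the file.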

Related information

Request temporary security credentials

Simba Athena JDBC driver with SQL connector installation and configuration guide (version 2.0.9)

Switch to an IAM role (AWS CLI)

Using an IAM role in the AWS CLI

AWS OFFICIAL, updated a year ago
2 Comments

However, the Athena JDBC driver supports reading credentials only from the AWS CLI credentials file. Because of this limitation, the profiles in the preceding examples must be placed in the same AWS CLI credentials file (~/.aws/credentials).

Has this limitation been addressed yet? How can we make use of credential profiles defined in ~/.aws/config and credentials obtained via aws sso login --profile myprofilename?

replied 3 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 3 years ago