Using the Azure AD Credentials Provider
You can configure the connector to authenticate the connection using the Azure AD credentials provider, which obtains credentials from the Azure AD identity provider. To do this, connect to Athena using a connection URL that does either of the following:
- Includes property settings that specify information about the Azure AD service. For more information, see Specifying Azure AD Information in the Connection URL.
- Refers to an AWS profile that specifies information about the Azure AD service. For more information, see Specifying Azure AD Information in an AWS Profile.
Important:
- If any information is included in both places, the information specified directly in the connection URL takes precedence over the information in the profile.
- If the connection URL refers to an AWS profile, then the AWSCredentialsProviderClass property must be specified in the profile instead of the connection URL.
When the connector connects to Athena, it retrieves temporary credentials from the Azure AD identity provider. If these credentials are associated with an IAM role that has permission to access Athena, the connector immediately uses these credentials to authenticate the connection to Athena. Otherwise, you must exchange the temporary credentials for more specialized AWS credentials, which can then be used to authenticate the connection. For post-SAML workflows such as exchanging temporary credentials for specialized ones, the connector provides a post-SAML workflow hook. For more information, see Using the Post-SAML Workflow Hook.
Specifying Azure AD Information in the Connection URL
In your connection URL, set properties to specify information such as the host and port of the server where the Azure AD service is hosted.
If your connection URL also specifies an AWS profile that contains some Azure AD information, then the settings specified directly in the URL take precedence over the Azure AD information in the profile, and the AWSCredentialsProviderClass property must be specified in the profile instead of the connection URL.
Note: Some properties can be set through aliases, as described below. If you specify both a property name and its alias, the setting associated with the property name takes precedence.
To specify Azure AD information in the connection URL:
- In your connection URL, set the following properties:

  Property: AWSCredentialsProviderClass
    Value: The FQCN that implements the Azure AD credentials provider.
    Aliases: aws_credentials_provider_class or plugin_name. If you specify both aliases, the setting associated with aws_credentials_provider_class takes precedence.

  Property: User
    Value: The email address that you use to access the Azure AD server.
    Alias: UID

  Property: Password
    Value: The password corresponding to the email address that you specified in the User or UID property.
    Alias: PWD

  Property: tenant_id
    Value: The Azure AD-provided unique ID associated with your Athena application.

  Property: client_secret
    Value: The Client Secret to use when authenticating the connection using the Azure AD service.

  Property: client_id
    Value: The Client ID to use when authenticating the connection using the Azure AD service.
For example:
jdbc:awsathena://AwsRegion=us-east-1;S3OutputLocation=s3://test;AwsCredentialsProviderClass=com.simba.athena.iamsupport.plugin.AzureCredentialsProvider;UID=jsmith@acme.com;PWD=simba12345;tenant_id=xyz;client_id=xyz;client_secret=xyz;Duration=900;
Note: Optionally, in the Duration field, type the duration of the role session in seconds.

When you connect to Athena, the connector retrieves temporary credentials from Azure AD. If these credentials are not associated with an IAM role that has permission to access Athena, then you must exchange them for more specialized AWS credentials before the connector can authenticate the connection. For information about how to complete this process, see Using the Post-SAML Workflow Hook.
Specifying Azure AD Information in an AWS Profile
In your AWS credentials file, define a profile that specifies information such as the host and port of the server where the Azure AD service is hosted, and your credentials for accessing the Azure AD service. Then, in your connection URL, set the profile property to the name of that profile.
By default, the AWS credentials file is located in ~/.aws/credentials. You can change this default behavior by setting the AWS_CREDENTIAL_PROFILES_FILE environment variable to the full path and name of a different credentials file. For more information about profiles, see "Working with AWS Credentials" in the AWS SDK for Java Developer Guide: https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/credentials.html.
If any Azure AD information is also specified directly in your connection URL, those settings take precedence over the Azure AD information in the profile.
Some properties can be set through aliases, as described below. If you specify both a property name and its alias, the setting associated with the property name takes precedence.
To specify Azure AD information in an AWS profile:
- In your AWS credentials file, define a profile that specifies the following property settings. Start by providing the name of the profile in brackets ([ ]), and then specify each property on a separate line.

  Property: AWSCredentialsProviderClass
    Value: The FQCN that implements the Azure AD credentials provider.
    Aliases: aws_credentials_provider_class or plugin_name. If you specify both aliases, the setting associated with aws_credentials_provider_class takes precedence.

  Property: User
    Value: The email address that you use to access the Azure AD server.
    Alias: UID

  Property: Password
    Value: The password corresponding to the email address that you specified in the User or UID property.
    Alias: PWD

  Property: tenant_id
    Value: The Azure AD-provided unique ID associated with your Athena application.

  Property: client_secret
    Value: The Client Secret to use when authenticating the connection using the Azure AD service.

  Property: client_id
    Value: The Client ID to use when authenticating the connection using the Azure AD service.
For example, the following is an AWS profile named plug-in-creds-azure that specifies all the required Azure AD service information:

[plug-in-creds-azure]
plugin_name=com.simba.athena.iamsupport.plugin.AzureCredentialsProvider
uid=jsmith@acme.com
pwd=simba12345
tenant_id=xyz
client_secret=xyz
client_id=xyz
- In your connection URL, set the profile property to the name of the profile. For example:
jdbc:awsathena://AwsRegion=us-east-1;S3OutputLocation=s3://test;profile=plug-in-creds-azure;
When you connect to Athena, the connector checks the AWS credentials file for the specified profile, and then uses the Azure AD information given in the profile to retrieve temporary credentials from Azure AD. If these credentials are not associated with an IAM role that has permission to access Athena, then you must exchange them for more specialized AWS credentials before the connector can authenticate the connection. For information about how to complete this process, see
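The precedence rules stated in both procedures above (a setting in the connection URL beats the same setting in the AWS profile, a property name beats its alias, aws_credentials_provider_class beats plugin_name, and AWSCredentialsProviderClass belongs in the profile whenever the URL refers to one) can be modelled as a small resolver. The following Python is an added example and is not the connector's own code. It assumes that property names are matched case-insensitively (the page's own examples write both UID and uid, and both AwsCredentialsProviderClass and AWSCredentialsProviderClass), and it treats a provider class set in the URL alongside a profile reference as an error; that check is how this example enforces the documented requirement, not a behaviour the page attributes to the connector. The connection URL and the credentials-file contents are constructed, with placeholders in place of real tenant, client and password values.

```python
"""Resolver for Azure AD credentials-provider settings, modelling the
documented precedence rules:
  1. a setting in the connection URL beats the same setting in the AWS profile,
  2. a property name beats its alias,
  3. among the provider-class aliases, aws_credentials_provider_class beats plugin_name,
  4. when the URL refers to a profile, AWSCredentialsProviderClass must come from the profile.
Added example, not the connector's own code.  The sample URL and credentials
file are constructed; placeholders stand in for real tenant and client data."""
import configparser
import os
from typing import Dict, List, Optional

# Canonical property name -> aliases in decreasing precedence.
ALIASES: Dict[str, List[str]] = {
    "AWSCredentialsProviderClass": ["aws_credentials_provider_class", "plugin_name"],
    "User": ["UID"],
    "Password": ["PWD"],
    "tenant_id": [],
    "client_id": [],
    "client_secret": [],
}

# Constructed credentials file: both provider-class aliases are present so the
# alias precedence rule is exercised; its uid is overridden by the URL below.
SAMPLE_CREDENTIALS_FILE = """\
[plug-in-creds-azure]
aws_credentials_provider_class=com.simba.athena.iamsupport.plugin.AzureCredentialsProvider
plugin_name=example.placeholder.IgnoredProvider
uid=profile-user@example.com
pwd=<profile-password-placeholder>
tenant_id=<tenant-id-placeholder>
client_id=<client-id-placeholder>
client_secret=<client-secret-placeholder>
"""

# Constructed URL: refers to the profile and overrides its uid.
SAMPLE_URL = ("jdbc:awsathena://AwsRegion=us-east-1;S3OutputLocation=s3://test;"
              "profile=plug-in-creds-azure;UID=url-user@example.com;")


def parse_connection_url(url: str) -> Dict[str, str]:
    """Split 'jdbc:awsathena://k=v;k=v;' into a dict, keeping key case as written."""
    prefix = "jdbc:awsathena://"
    if not url.startswith(prefix):
        raise ValueError("not an Athena JDBC connection URL")
    props: Dict[str, str] = {}
    for part in url[len(prefix):].split(";"):
        if part:
            key, _, value = part.partition("=")
            props[key] = value
    return props


def lookup(settings: Dict[str, str], key: str) -> Optional[str]:
    """Case-insensitive lookup.  Assumption of this example: the connector matches
    property names case-insensitively, since the page's examples write both UID and
    uid, and both AwsCredentialsProviderClass and AWSCredentialsProviderClass."""
    for k, v in settings.items():
        if k.lower() == key.lower():
            return v
    return None


def resolve_property(name: str, settings: Dict[str, str]) -> Optional[str]:
    """Effective value of one property: the property name wins, then each alias
    in documented precedence order (rules 2 and 3)."""
    for candidate in [name] + ALIASES[name]:
        value = lookup(settings, candidate)
        if value is not None:
            return value
    return None


def credentials_file_path() -> str:
    """Default location, overridden by AWS_CREDENTIAL_PROFILES_FILE as the page describes."""
    return os.environ.get("AWS_CREDENTIAL_PROFILES_FILE") or os.path.expanduser("~/.aws/credentials")


def load_profile(name: str, credentials_text: str) -> Dict[str, str]:
    """Read one [name] section of an AWS credentials file supplied as text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case as written
    parser.read_string(credentials_text)
    if not parser.has_section(name):
        raise KeyError(f"profile {name!r} not found in credentials file")
    return dict(parser.items(name))


def resolve_azure_settings(url: str, credentials_text: str = "") -> Dict[str, Optional[str]]:
    """Merge URL and profile settings under the documented precedence rules."""
    url_props = parse_connection_url(url)
    profile_props: Dict[str, str] = {}
    profile_name = lookup(url_props, "profile")
    if profile_name is not None:
        # Rule 4: the provider class must live in the profile, not the URL.
        if resolve_property("AWSCredentialsProviderClass", url_props) is not None:
            raise ValueError("AWSCredentialsProviderClass must be set in the profile "
                             "when the connection URL refers to a profile")
        profile_props = load_profile(profile_name, credentials_text)
    effective: Dict[str, Optional[str]] = {}
    for name in ALIASES:
        value = resolve_property(name, url_props)          # rule 1: URL first
        if value is None:
            value = resolve_property(name, profile_props)  # then the profile
        effective[name] = value
    return effective


if __name__ == "__main__":
    for prop, val in resolve_azure_settings(SAMPLE_URL, SAMPLE_CREDENTIALS_FILE).items():
        print(f"{prop} = {val}")
```

Running the block as a script prints the effective settings for the constructed URL and profile: the User comes from the URL, the provider class from aws_credentials_provider_class rather than plugin_name, and the remaining values from the profile. Feeding the page's own connection URL from the earlier procedure to resolve_azure_settings with no credentials text resolves every property from the URL alone.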