Using the JWT Credentials Provider

You can configure the connector to authenticate the connection using the JSON Web Token (JWT) credentials provider, which obtains credentials from the JWT service. To do this, connect to Athena using a connection URL that includes property settings that specify information about the JWT service.

For more information, see Specifying JWT Information in the Connection URL.

Important:

If any information is included in both the connection URL and the profile, the information specified directly in the connection URL takes precedence over the information in the profile.

When the connector connects to Athena, it retrieves temporary credentials from the JWT identity provider. If these credentials are associated with an IAM role that has permission to access Athena, the connector immediately uses these credentials to authenticate the connection to Athena. Otherwise, you must exchange the temporary credentials for more specialized AWS credentials, which can then be used to authenticate the connection. For post-SAML workflows such as exchanging temporary credentials for specialized ones, the connector provides a post-SAML workflow hook. For more information, see Using the Post-SAML Workflow Hook.

Specifying JWT Information in the Connection URL

In your connection URL, set the following properties:

Note: Some properties can be set through aliases, as described below. If you specify both a property name and its alias, the setting associated with the property name takes precedence.

To specify JWT information in the connection URL:

  • In your connection URL, set the following properties:

    Property: AWSCredentialsProviderClass
    Value: The FQCN of the class that implements the JWT credentials provider. As alternatives, you can configure this property using the aliases aws_credentials_provider_class or plugin_name. If you specify both aliases, the setting associated with aws_credentials_provider_class takes precedence.

    Property: web_identity_token
    Value: The OAuth 2.0 access token or OpenID Connect ID token that is provided by the identity provider. Make sure that your application obtains this token by authenticating the user of your application with a web identity provider.

    Property: role_arn
    Value: The Amazon Resource Name (ARN) of the role that you want to assume when authenticated through JWT.

    Property: role_session_name
    Value: AthenaJWT

    Example of a connection URL with JWT:

    jdbc:awsathena:AwsRegion=us-east-2;S3OutputLocation=s3:test-athena-output-us-east-2/;plugin_name=com.simba.athena.iamsupport.plugin.JwtCredentialsProvider;web_identity_token=eyJhbGciOiJSUzI1NiIsImtpZCI6ImQ2M2RiZTczYWFkODhjODU0ZGUwZDhkNmMwMTRjMzZkYzI1YzQyOTIiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJhenAiOiI5MTUxODE3NTE0NS1hdTRib2I4MmE2M2lidWZqMnBoNjQ0MDdodWE0bDVtdi5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsImF1ZCI6IjkxNTE4MTc1MTQ1LWF1NGJvYjgyYTYzaWJ1ZmoycGg2NDQwN2h1YTRsNW12LmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwic3ViIjoiMTEwMDU0MjA0OTk2MTAzMDUxMjUxIiwiZW1haWwiOiJyZWRzaGlmdHdpcmVwcm90b2NvbEBnbWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYXRfaGFzaCI6IkxhWGQ5UGNlSlJpZ3Q5WUZkUktVNHciLCJpYXQiOjE2NDc0Mzg3NDUsImV4cCI6MTY0NzQ0MjM0NX0.ku256EbVQMXBWgj8pgca-NIg_xOjlxtzxqyxjQCs-QjkC7mbcfjNBNPUReVJLvfWGnNuW917l8Nw_y0iOggVB-NzW4HYpv091zXYpQ9q8IvQmoFkgu78mchLirDD-PyAKXxs-X-HV12UID7OJqiB65iig_RqTcupjXPZIu_C5jfkl3Pk8ZdIrOVFlXb2Pl7jP8SfbdgpbnOnkOPFWAzFwRcAF4OmmHkVc1MJoVKP190eft2dcmm6_-oFJU4j4HXPaKoJSp8kGipc92MtoK35oD4etZAbO99l0N9oEzDZEf2tzcAn-HmDq2-3iOtwconWOYNgxUWZGJuh2qCx4gq1ow;role_arn=arn:aws:iam::187862086336:role/AthenaJWTRoleGoogle;role_session_name=AtenaJWT;

    When you connect to Athena, the connector retrieves temporary credentials from the JWT identity provider. If these credentials are not associated with an IAM role that has permission to access Athena, you must exchange them for more specialized AWS credentials before the connector can authenticate the connection. For information about how to complete this process, see Using the Post-SAML Workflow Hook.
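The URL format and alias precedence described above, as an added Python example that is not part of this documentation or of the connector: it parses a jdbc:awsathena: URL into its properties, resolves which credentials provider property the connector would honour, decodes the token's claims to catch an expired token before a connection attempt, and masks web_identity_token so the URL can be logged. The sample token, URL, account ID and bucket are constructed, and the token's signature is a placeholder.

```python
import base64
import json
import time

URL_PREFIX = "jdbc:awsathena:"
# Precedence from the page: property name > aws_credentials_provider_class > plugin_name.
PROVIDER_KEYS = ("AWSCredentialsProviderClass", "aws_credentials_provider_class", "plugin_name")

def parse_athena_url(url):
    """Split an Athena JDBC URL into its ';'-separated key=value properties."""
    if not url.startswith(URL_PREFIX):
        raise ValueError("not an Athena JDBC URL")
    props = {}
    for part in url[len(URL_PREFIX):].split(";"):
        if part:
            key, _, value = part.partition("=")
            props[key] = value
    return props

def effective_provider_class(props):
    """Resolve which credentials provider class the connector would use."""
    return next((props[k] for k in PROVIDER_KEYS if k in props), None)

def decode_jwt_claims(token):
    """Decode the payload for pre-flight checks only; the signature is NOT
    verified here (the identity provider and AWS STS do that)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_is_expired(claims, now=None):
    return claims.get("exp", 0) <= (time.time() if now is None else now)

def redacted_url(url):
    """Mask web_identity_token so the URL can be logged without leaking it."""
    props = parse_athena_url(url)
    return URL_PREFIX + ";".join(
        f"{k}={'<redacted>' if k == 'web_identity_token' else v}" for k, v in props.items()) + ";"

def _b64url(obj):  # builds the constructed sample token below
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample token (placeholder signature) and URL (fake account ID and bucket).
SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                         _b64url({"iss": "https://idp.example", "aud": "example-app",
                                  "sub": "user-1", "iat": 1647438745, "exp": 1647442345}),
                         "signature-placeholder"])
SAMPLE_URL = (URL_PREFIX + "AwsRegion=us-east-2;S3OutputLocation=s3://example-bucket/;"
              "plugin_name=com.simba.athena.iamsupport.plugin.JwtCredentialsProvider;"
              f"web_identity_token={SAMPLE_TOKEN};"
              "role_arn=arn:aws:iam::123456789012:role/AthenaJWTRole;role_session_name=AthenaJWT;")
```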