Using the JWT_TIP Credentials Provider for IAM Identity Center

You can configure the connector to authenticate the connection using credentials obtained through the JWT Trusted Identity Propagation (JWT-TIP) credentials provider. JWT-TIP allows the connector to exchange a JSON Web Token (JWT) issued by an external identity provider for IAM Identity Center-authorized access to Athena. To do this, you must specify the Web Identity Token, Application Role ARN, Access Role ARN, Identity Center Application ARN, and Role Session Name.

To configure authentication using JWT-TIP in Windows:

  1. Open the ODBC Data Source Administrator where you created the DSN, select the DSN, click Configure, and then click Authentication Options.
  2. From the Authentication Type drop-down list, select JWT_TIP.
  3. In the Web Token field, enter the JWT obtained from your external identity provider. This token is exchanged by AWS STS during JWT-TIP authentication to obtain temporary AWS credentials.
  4. In the IDC Application ARN field, type the customer-managed IAM Identity Center application ARN.
  5. In the Application Role ARN field, type the ARN of the IAM role used to perform the JWT token exchange. This role must include a trust policy that allows your external OIDC/JWT provider to call sts:AssumeRoleWithWebIdentity.
  6. In the Access Role ARN field, type the ARN of the IAM role that Athena should assume after the token exchange to make AWS API calls. This role must have permissions to run Athena queries and access required Amazon S3 and AWS Glue resources.
  7. Optionally, in the Role Session Name field, type a friendly name for the AWS STS session.
  8. Optionally, in the Session Duration field, type the duration (in seconds) for the temporary AWS credentials.
  9. Click OK to save your settings.
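Step 5 requires the Application Role to trust your external OIDC/JWT provider for sts:AssumeRoleWithWebIdentity. The following trust policy is an added example, not taken from this page or from the connector's documentation; the account ID (111122223333), the OIDC provider host (idp.example.com), and the audience value (athena-odbc-client-id) are placeholders that you replace with the values registered for your identity provider. The audience condition limits the exchange to tokens minted for this connector, so a JWT issued by the same provider for a different application is rejected by STS.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleAllowJwtTipTokenExchange",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111122223333:oidc-provider/idp.example.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "idp.example.com:aud": "athena-odbc-client-id"
        }
      }
    }
  ]
}
```

Attach this as the trust policy of the role whose ARN you enter in the Application Role ARN field. Keep the condition keys tied to the provider host exactly as the IAM OIDC provider is registered; if you also want to restrict which users can start the exchange, add a matching `idp.example.com:sub` condition rather than widening the audience.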