I am able to make Athena queries through the AWS CLI. This requires me to assume a role first (I use awsume). The role requires MFA.
Now I want to configure Datagrip for this as well. However, there are two options for authenticating:
- User/pass – I can put in my AWS key ID and secret, but I think it would fail without the MFA token as well (there is no field for it in Datagrip 2021.1).
- AWS profile – I figured out what to put into "Profile" – it's the "source_profile" in my role's profile in my ~/.aws/config. However, I can't figure out what to put under "User".
If I put in:
- The name of the role's profile
- The name of the role
- The ARN of the role
- My AWS username
They all fail with the error:
The specified database user/password combination is rejected: [HY000][100071] [Simba]AthenaJDBC An error has been thrown from the AWS Athena client. User: arn:aws:iam::[NUMBER]:user/[MYUSERNAME] is not authorized to perform: athena:ListDataCatalogs [Execution ID not available]
com.simba.athena.amazonaws.services.athena.model.AmazonAthenaException: User: arn:aws:iam::[NUMBER]:user/[MYUSERNAME] is not authorized to perform: athena:ListDataCatalogs (Service: AmazonAthena; Status Code: 400; Error Code: AccessDeniedException; Request ID: [UUID]; Proxy: null
I get this same error, with my username, even if I put in the role as a User in the Datagrip dialog box.
Best Answer
I ended up solving this by using a named profile in credentials.
awsume has an option to write the credentials to the file:
awsume -o default role-profile-name
will write them as [default] in ~/.aws/credentials. Then in Datagrip, I configured the connection to use "default" as the profile. The username is apparently not used and can be anything (at least in my case). For details, see https://aws.amazon.com/premiumsupport/knowledge-center/athena-iam-jdbc-driver/