2

I am able to make Athena queries through the AWS CLI. This requires me to assume a role first (I use awsume). The role requires MFA.

Now I want to configure Datagrip for this as well. However there are two options for authenticating:

  • User/pass - I can put in my AWS key ID and secret, but I think it would fail without the MFA token as well (there is no field for it in Datagrip 2021.1).
  • AWS profile - I figured out what to put into "Profile" - it's the source_profile in my role's profile in my ~/.aws/config. However, I can't figure out what to put under User.

If I put in:

  • The name of the role's profile
  • The name of the role
  • The ARN of the role
  • My AWS username They all fail with the error:

The specified database user/password combination is rejected: [HY000][100071] [Simba]AthenaJDBC An error has been thrown from the AWS Athena client. User: arn:aws:iam::[NUMBER]:user/[MYUSERNAME] is not authorized to perform: athena:ListDataCatalogs [Execution ID not available]

com.simba.athena.amazonaws.services.athena.model.AmazonAthenaException: User: arn:aws:iam::[NUMBER]:user/[MYUSERNAME] is not authorized to perform: athena:ListDataCatalogs (Service: AmazonAthena; Status Code: 400; Error Code: AccessDeniedException; Request ID: [UUID]; Proxy: null

I get this same error, with my username, even if I put in the role as a User in the Datagrip dialog box.

mustaccio
  • 28,207
  • 24
  • 60
  • 76
Haterind
  • 151
  • 1
  • 5

1 Answers1

3

I ended up solving this by using a named profile in credentials.

awsume has an option to write the credentials to the file: awsume -o default role-profile-name will write them as [default] in ~/.aws/credentials.

Then in Datagrip, I configured the connection to use default as the profile. The username is apparently not used and can be anything (at least in my case).

For details, see https://aws.amazon.com/premiumsupport/knowledge-center/athena-iam-jdbc-driver/

Haterind
  • 151
  • 1
  • 5