Does Looker support IAM role-based authentication for Athena?

Knowledge Drop

Last tested: Nov 14, 2017
 

This isn't possible at the moment. Users will need to enter the ID and secret for the role in the connection instead.

This content is subject to limited support.                

Comments
_AJ
Explorer

@maxcorbin, any update on this yet?

Victor_P
Staff

If your organization self-hosts Looker on AWS EC2 instances (i.e. your Looker is “on-prem”) then this type of connection authentication is possible. The key is to pass certain properties to the Additional Params field in the Looker connection setup page. Namely:

AwsCredentialsProviderClass=com.simba.athena.amazonaws.auth.InstanceProfileCredentialsProvider;
 

If you need to pass S3 output configurations as well, the full string might look like this:

AwsCredentialsProviderClass=com.simba.athena.amazonaws.auth.InstanceProfileCredentialsProvider;S3OutputLocation=s3://<bucket name>;S3OutputEncKMSKey=<key arn>;S3OutputEncOption=SSE_KMS

If you use a proxy server to connect to Athena, check out the ProxyDomain, ProxyHost, and ProxyPort params as well. The full list of available connection options (including several authentication modes) is given in the AWS Athena JDBC Driver documentation page.

Unfortunately this method does not work for cloud-hosted Looker instances in AWS due to the hosting architecture.
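
A pre-flight check for the Additional Params string described in the comment above, written as an added example (not part of the original comment and not Looker or AWS code). The function names are hypothetical, the sample bucket, account ID and key ARN are constructed, and the access-key pattern is a heuristic for long-lived IAM user keys.

```python
import re

# Provider class and parameter names are the ones quoted in the comment above.
INSTANCE_PROFILE = "com.simba.athena.amazonaws.auth.InstanceProfileCredentialsProvider"
# Heuristic: long-lived IAM user access key IDs are "AKIA" plus 16 characters.
ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def parse_params(raw):
    """Split a 'Key=Value;Key=Value' string into a dict (keys kept as written)."""
    params = {}
    for part in raw.strip().split(";"):
        if not part.strip():
            continue  # tolerate the trailing ';' shown in the first example
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"not a key=value pair: {part!r}")
        params[key.strip()] = value.strip()
    return params


def lint_params(raw):
    """Return a list of findings; an empty list means the string looks sane."""
    params = parse_params(raw)
    findings = []
    if params.get("AwsCredentialsProviderClass") != INSTANCE_PROFILE:
        findings.append("AwsCredentialsProviderClass is not the instance profile provider")
    if ACCESS_KEY_ID.search(raw):
        findings.append("string contains something shaped like a static access key ID")
    for key, value in params.items():
        if "<" in value or ">" in value:
            findings.append(f"{key} still holds a placeholder: {value}")
    if not params.get("S3OutputLocation", "s3://").startswith("s3://"):
        findings.append("S3OutputLocation is not an s3:// URI")
    if params.get("S3OutputEncOption") == "SSE_KMS" and not params.get("S3OutputEncKMSKey"):
        findings.append("S3OutputEncOption=SSE_KMS is set without S3OutputEncKMSKey")
    return findings


# Constructed sample values (bucket, account ID and key ARN are made up).
GOOD = (
    "AwsCredentialsProviderClass=" + INSTANCE_PROFILE + ";"
    "S3OutputLocation=s3://example-athena-results;"
    "S3OutputEncKMSKey=arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000;"
    "S3OutputEncOption=SSE_KMS"
)

if __name__ == "__main__":
    print(lint_params(GOOD))
```

Running the template string from the comment through lint_params unchanged reports the two unfilled placeholders, which catches a copy-paste of the example before it reaches the connection page.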

Version history
Last update: 06-14-2021 06:16 PM