Knowledge Drop

Does Looker support IAM Roles based authentication for Athena in Looker?

  • 15 June 2021
  • 2 replies

Userlevel 3

Last tested: Nov 14, 2017

This isn't possible at the moment. User will need to enter the ID and secret for the role in the connection instead.


This content is subject to limited support.                



2 replies

@maxcorbin, any update on this yet ? 

Userlevel 2

If your organization self-hosts Looker on AWS EC2 instances (i.e. your Looker is “on-prem”) then this type of connection authentication is possible. The key is to pass certain properties to the Additional Params field in the Looker connection setup page. Namely:


If you need to pass S3 output configurations as well, the full string might look like this:


AwsCredentialsProviderClass=com.simba.athena.amazonaws.auth.InstanceProfileCredentialsProvider;S3OutputLocation=s3://<bucket name>;S3OutputEncKMSKey=<key arn>;S3OutputEncOption=SSE_KMS


If you use a proxy server to connect to Athena, check out the ProxyDomain, ProxyHost, and ProxyPort params as well. The full list of available connection options (including several authentication modes), is given in the AWS Athena JDBC Driver documentation page.

Unfortunately this method does not work for cloud-hosted Looker instances in AWS due to the hosting architecture.