From 056343b9b440ca5ac898c989455100d04e97178c Mon Sep 17 00:00:00 2001 From: nwagh Date: Tue, 7 Aug 2018 18:48:38 -0400 Subject: [PATCH 1/4] Initial commit for Athena JDBC credentials Blog source --- .../README.md | 42 ++++++++++++ .../pom.xml | 68 +++++++++++++++++++ ...mIAMRoleAssumptionCredentialsProvider.java | 51 ++++++++++++++ ...RoleAssumptionSAMLCredentialsProvider.java | 31 +++++++++ 4 files changed, 192 insertions(+) create mode 100644 aws-blog-athena-custom-jdbc-credentials/README.md create mode 100644 aws-blog-athena-custom-jdbc-credentials/pom.xml create mode 100644 aws-blog-athena-custom-jdbc-credentials/src/main/java/com/amazonaws/custom/athena/jdbc/CustomIAMRoleAssumptionCredentialsProvider.java create mode 100644 aws-blog-athena-custom-jdbc-credentials/src/main/java/com/amazonaws/custom/athena/jdbc/CustomIAMRoleAssumptionSAMLCredentialsProvider.java diff --git a/aws-blog-athena-custom-jdbc-credentials/README.md b/aws-blog-athena-custom-jdbc-credentials/README.md new file mode 100644 index 00000000..181978ee --- /dev/null +++ b/aws-blog-athena-custom-jdbc-credentials/README.md 
@@ -0,0 +1,42 @@ +# athena-jdbc + +You can use Athena to generate reports or to explore data with business intelligence tools or SQL clients connected with a JDBC driver. To demonstrate the scenarios described above, we will be using SQL Workbench tool which is open source SQL editor. Refer to http://docs.aws.amazon.com/athena/latest/ug/athena-sql-workbench.html for installation and setup steps. +Athena JDBC driver provides ability to add custom credentials provider. This feature allows to utilize Secure Token Service to obtain temporary credentials. +You can use the AWS Security Token Service (AWS STS) to create and provide trusted users with temporary security credentials that can control access to your AWS resources. Temporary security credentials work almost identically to the long-term access key credentials that your IAM users can use, with the following differences: + * Temporary security credentials are short-term, as the name implies. They can be configured to last for anywhere from a few minutes to several hours. After the credentials expire, AWS no longer recognizes them or allows any kind of access from API requests made with them. + * Temporary security credentials are not stored with the user but are generated dynamically and provided to the user when requested. When (or even before) the temporary security credentials expire, the user can request new credentials, as long as the user requesting them still has permissions to do so. 
+ +### Pre-requisites + + * Java 8 is installed + * SQL workbench is installed on your laptop or Windows EC2 instance.(http://www.sql-workbench.net/Workbench-Build123.zip) + +#### SQL Workbench Extended Properties for Cross-Account Role Access + +Property | Value +---------------------------|----------------------------------------------------------------------- +AwsCredentialsProviderClass|com.amazonaws.athena.jdbc.CustomIAMRoleAssumptionCredentialsProvider +AwsCredentialsProviderArguments|*access_key_id,secret_access_key,Cross Account Role ARN* +S3OutputLocation|s3://*bucket where athena results are stored* +LogPath|*local path on laptop or pc where logs are stored* +LogLevel|*LogLevel 1 thru 6* + +#### SQL Workbench Extended Properties for SAML generated credentials + +Property | Value +---------------------------|-------------------------------------------------------------------------------------- +AwsCredentialsProviderClass|com.amazonaws.athena.jdbc.CustomIAMRoleAssumptionSAMLCredentialsProvider +AwsCredentialsProviderArguments|*access_key_id,secret_access_key,session token* +S3OutputLocation|s3://*bucket where athena results are stored* +LogPath|*local path on laptop or pc where logs are stored* +LogLevel|*LogLevel 1 thru 6* + + +#### SQL Workbench Extended Properties for EC2 Instance role + +Property | Value +---------------------------|-------------------------------------------------------------------------------------- +AwsCredentialsProviderClass|com.simba.athena.amazonaws.auth.InstanceProfileCredentialsProvider +S3OutputLocation|s3://*bucket where athena results are stored* +LogPath|*local path on laptop or pc where logs are stored* +LogLevel|*LogLevel 1 thru 6* diff --git a/aws-blog-athena-custom-jdbc-credentials/pom.xml b/aws-blog-athena-custom-jdbc-credentials/pom.xml new file mode 100644 index 00000000..6a6317f1 --- /dev/null +++ b/aws-blog-athena-custom-jdbc-credentials/pom.xml 
@@ -0,0 +1,68 @@ + + 4.0.0 + org.aws.labs + athena-jdbc + 0.0.1-SNAPSHOT + athena-jdbc + + + com.amazonaws + aws-java-sdk-core + 1.11.327 + + + + com.amazonaws + aws-java-sdk-sts + 1.11.327 + + + + com.amazonaws + aws-java-sdk-s3 + 1.11.327 + + + + com.amazonaws + AthenaJDBC42 + 2.0.2 + + + + + + org.apache.maven.plugins + maven-jar-plugin + 3.0.2 + + + com.amazonaws:AthenaJDBC42:jar:2.0.2 + + + + + org.apache.maven.plugins + maven-shade-plugin + 3.0.0 + + + package + + shade + + + + + com.amazonaws:AthenaJDBC42 + + + + + + + + + + \ No newline at end of file diff --git a/aws-blog-athena-custom-jdbc-credentials/src/main/java/com/amazonaws/custom/athena/jdbc/CustomIAMRoleAssumptionCredentialsProvider.java b/aws-blog-athena-custom-jdbc-credentials/src/main/java/com/amazonaws/custom/athena/jdbc/CustomIAMRoleAssumptionCredentialsProvider.java new file mode 100644 index 00000000..fb1ff07a --- /dev/null +++ b/aws-blog-athena-custom-jdbc-credentials/src/main/java/com/amazonaws/custom/athena/jdbc/CustomIAMRoleAssumptionCredentialsProvider.java 
@@ -0,0 +1,51 @@
+package com.amazonaws.custom.athena.jdbc;
+
+import com.simba.athena.amazonaws.auth.AWSStaticCredentialsProvider;
+import com.simba.athena.amazonaws.auth.BasicAWSCredentials;
+import com.simba.athena.amazonaws.auth.BasicSessionCredentials;
+import com.amazonaws.auth.AWSCredentials;
+import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
+import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
+import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
+import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
+
+public class CustomIAMRoleAssumptionCredentialsProvider implements com.amazonaws.auth.AWSCredentialsProvider{
+
+ private final AWSCredentials credentials;
+ private final String roleArn;
+ private AWSCredentials assumedCredentials;
+ private AWSSecurityTokenService stsClient;
+
+ //To use in JDBC: set aws_credentials_provider_class = "com.amazonaws.custom.athena.jdbc.CustomIAMRoleAssumptionCredentialsProvider"
+ // set AwsCredentialsProviderArguments = ",,"
+ public CustomIAMRoleAssumptionCredentialsProvider(String accessId, String secretKey, String roleArn){
+
+ this.credentials = new BasicAWSCredentials(accessId,secretKey);
+ this.roleArn = roleArn;
+
+ stsClient = AWSSecurityTokenServiceClientBuilder.standard().withCredentials((com.amazonaws.auth.AWSCredentialsProvider) new AWSStaticCredentialsProvider(credentials)).build();
+
+ refresh();
+
+ }
+
+ public AWSCredentials getCredentials() {
+
+ return assumedCredentials;
+ }
+
+ public void refresh() {
+
+ AssumeRoleResult result = stsClient.assumeRole(new AssumeRoleRequest().withRoleArn(roleArn).withRoleSessionName("athenajdbc"));
+ assumedCredentials = getCredentialsFromAssumedRoleResult(result);
+
+ }
+
+ protected AWSCredentials getCredentialsFromAssumedRoleResult(AssumeRoleResult result){
+
+ return new BasicSessionCredentials(result.getCredentials().getAccessKeyId(),
+ result.getCredentials().getSecretAccessKey(),
+ 
result.getCredentials().getSessionToken());
+ }
+
+}
diff --git a/aws-blog-athena-custom-jdbc-credentials/src/main/java/com/amazonaws/custom/athena/jdbc/CustomIAMRoleAssumptionSAMLCredentialsProvider.java b/aws-blog-athena-custom-jdbc-credentials/src/main/java/com/amazonaws/custom/athena/jdbc/CustomIAMRoleAssumptionSAMLCredentialsProvider.java
new file mode 100644
index 00000000..255318ab
--- /dev/null
+++ b/aws-blog-athena-custom-jdbc-credentials/src/main/java/com/amazonaws/custom/athena/jdbc/CustomIAMRoleAssumptionSAMLCredentialsProvider.java
@@ -0,0 +1,31 @@
+package com.amazonaws.custom.athena.jdbc;
+
+import com.amazonaws.auth.AWSCredentials;
+import com.amazonaws.auth.AWSCredentialsProvider;
+import com.simba.athena.amazonaws.auth.BasicSessionCredentials;
+
+public class CustomIAMRoleAssumptionSAMLCredentialsProvider implements AWSCredentialsProvider{
+
+ private AWSCredentials credentials;
+
+ //To use in JDBC: set aws_credentials_provider_class = "com.amazonaws.custom.athena.jdbc.CustomIAMRoleAssumptionSAMLCredentialsProvider"
+ // set AwsCredentialsProviderArguments = ",,"
+ public CustomIAMRoleAssumptionSAMLCredentialsProvider(String accessId, String secretKey, String sessionToken){
+
+ this.credentials = new BasicSessionCredentials(accessId,secretKey,sessionToken);
+
+ }
+
+ public AWSCredentials getCredentials() {
+
+ return credentials;
+ }
+
+ public void refresh() {
+
+ //Use this method if refresh token is used
+ }
+
+
+
+}
From 609ff4740c1fa1efd6ae1a2502256f9826b9a985 Mon Sep 17 00:00:00 2001
From: nwagh
Date: Tue, 7 Aug 2018 19:01:22 -0400
Subject: [PATCH 2/4] minor formatting changes to README
---
 aws-blog-athena-custom-jdbc-credentials/README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/aws-blog-athena-custom-jdbc-credentials/README.md b/aws-blog-athena-custom-jdbc-credentials/README.md
index 181978ee..8d749bd7 100644
--- a/aws-blog-athena-custom-jdbc-credentials/README.md
+++ b/aws-blog-athena-custom-jdbc-credentials/README.md
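Review bot: `getCredentials()` in CustomIAMRoleAssumptionCredentialsProvider hands back the session credentials obtained once in the constructor and never checks their expiry, so a connection that outlives the STS session keeps presenting expired credentials unless the driver happens to call `refresh()`. Record `result.getCredentials().getExpiration()` in `refresh()` and re-assume the role from `getCredentials()` when that time is near; since the driver may call the provider from more than one thread, mark `assumedCredentials` `volatile` and serialise `refresh()`, as sketched below. The fixed `withRoleSessionName("athenajdbc")` also makes every assumed session indistinguishable in CloudTrail; passing the caller's identity as the session name (an extra constructor argument) keeps the audit trail attributable. The constructor casts a `com.simba.athena.amazonaws.auth.AWSStaticCredentialsProvider` to `com.amazonaws.auth.AWSCredentialsProvider`; unless the driver leaves those classes unrelocated, that cast fails at runtime, so this deserves a run against the shaded driver. Note also that the README in this patch names the class as `com.amazonaws.athena.jdbc.CustomIAMRoleAssumptionCredentialsProvider`, which does not match the `com.amazonaws.custom.athena.jdbc` package declared here.
```java
    // … unchanged: imports, credentials/roleArn/stsClient fields, constructor …
    private volatile AWSCredentials assumedCredentials;
    // Expiry of the current STS session in epoch millis; written together with assumedCredentials.
    private volatile long expiresAtMillis;
    // Re-assume this long before expiry (constructed value; tune for the deployment).
    private static final long REFRESH_WINDOW_MILLIS = 5 * 60 * 1000L;

    public AWSCredentials getCredentials() {
        if (System.currentTimeMillis() >= expiresAtMillis - REFRESH_WINDOW_MILLIS) {
            refresh();
        }
        return assumedCredentials;
    }

    public synchronized void refresh() {
        AssumeRoleResult result = stsClient.assumeRole(new AssumeRoleRequest()
                .withRoleArn(roleArn)
                .withRoleSessionName("athenajdbc"));
        assumedCredentials = getCredentialsFromAssumedRoleResult(result);
        expiresAtMillis = result.getCredentials().getExpiration().getTime();
    }
    // … unchanged: getCredentialsFromAssumedRoleResult …
```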
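Review bot: `refresh()` in CustomIAMRoleAssumptionSAMLCredentialsProvider is an empty method, so once the SAML-issued session token passed to the constructor expires, `getCredentials()` keeps returning the dead credentials with no signal to the caller and no way to obtain new ones. If the provider is meant to be non-refreshable, say so in a class Javadoc — `/** Wraps a fixed SAML-issued session token; the credentials cannot be renewed here, so the JDBC connection must be recreated with fresh credentials after the token expires. */` — and make the field `private final AWSCredentials credentials;`. If renewal is intended, `refresh()` needs a way to re-run the SAML exchange, which the current constructor arguments (access key id, secret key, session token) do not provide. The `AwsCredentialsProviderArguments = ",,"` usage comment appears to have lost its placeholder names in this rendering; spelling them out (access key id, secret key, session token) would help, since the argument order is all a driver user has to go on.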
@@ -8,6 +8,7 @@ You can use the AWS Security Token Service (AWS STS) to create and provide trust ### Pre-requisites + * Java 8 is installed * SQL workbench is installed on your laptop or Windows EC2 instance.(http://www.sql-workbench.net/Workbench-Build123.zip) From 7cfc53e39cc1b998bbac584efe788814330fcafe Mon Sep 17 00:00:00 2001 From: nwagh Date: Wed, 8 Aug 2018 10:31:55 -0400 Subject: [PATCH 3/4] Changes to README and added Maven Repo --- .../README.md | 37 +++++++++++-------- .../pom.xml | 9 ++--- 2 files changed, 25 insertions(+), 21 deletions(-) diff --git a/aws-blog-athena-custom-jdbc-credentials/README.md b/aws-blog-athena-custom-jdbc-credentials/README.md index 8d749bd7..0de4acad 100644 --- a/aws-blog-athena-custom-jdbc-credentials/README.md +++ b/aws-blog-athena-custom-jdbc-credentials/README.md 
@@ -1,10 +1,16 @@ -# athena-jdbc +# Connecting to Amazon Athena with Federated Identities using Temporary Credentials + +Using temporary security credentials ensures that access keys to protected resources in production are not directly hard-coded in the applications. Instead, you rely on AWS Secure Token Service (AWS STS) to generate temporary credentials. +Temporary security credentials work similar to the long-term access key credentials that your Amazon IAM users can use, with the following differences. These credentials are: + * Intended for short-term use only. You can configure these credentials to last for anywhere from a few minutes to several hours. After they expire, AWS no longer recognizes them, or allows any kind of access from API requests made with them. + * Not stored with the user, but are generated dynamically and provided to the user when requested. When (or even before) they expire, the user can request new credentials, as long as the user requesting them still has permissions to do so. + +We list below some of the typical use cases in which your organization may require federated access to Amazon Athena: +1. Running Queries in Amazon Athena while Using Federation via SAML with Active Directory (AD). Your group requires to run queries in Amazon Athena while federating into AWS using SAML with permissions stored in AD. +2. Enabling Cross-Account Access to Amazon Athena for Users in Your Organization. A member of your group with access to AWS Account “A” needs to run Athena queries in Account “B”. +3. Enabling Access to Amazon Athena for a Data Application. A data application deployed on an Amazon EC2 instance needs to run Amazon Athena queries via JDBC. + -You can use Athena to generate reports or to explore data with business intelligence tools or SQL clients connected with a JDBC driver. To demonstrate the scenarios described above, we will be using SQL Workbench tool which is open source SQL editor. 
Refer to http://docs.aws.amazon.com/athena/latest/ug/athena-sql-workbench.html for installation and setup steps. -Athena JDBC driver provides ability to add custom credentials provider. This feature allows to utilize Secure Token Service to obtain temporary credentials. -You can use the AWS Security Token Service (AWS STS) to create and provide trusted users with temporary security credentials that can control access to your AWS resources. Temporary security credentials work almost identically to the long-term access key credentials that your IAM users can use, with the following differences: - * Temporary security credentials are short-term, as the name implies. They can be configured to last for anywhere from a few minutes to several hours. After the credentials expire, AWS no longer recognizes them or allows any kind of access from API requests made with them. - * Temporary security credentials are not stored with the user but are generated dynamically and provided to the user when requested. When (or even before) the temporary security credentials expire, the user can request new credentials, as long as the user requesting them still has permissions to do so. ### Pre-requisites 
@@ -12,16 +18,6 @@ You can use the AWS Security Token Service (AWS STS) to create and provide trust * Java 8 is installed * SQL workbench is installed on your laptop or Windows EC2 instance.(http://www.sql-workbench.net/Workbench-Build123.zip) -#### SQL Workbench Extended Properties for Cross-Account Role Access - -Property | Value ----------------------------|----------------------------------------------------------------------- -AwsCredentialsProviderClass|com.amazonaws.athena.jdbc.CustomIAMRoleAssumptionCredentialsProvider -AwsCredentialsProviderArguments|*access_key_id,secret_access_key,Cross Account Role ARN* -S3OutputLocation|s3://*bucket where athena results are stored* -LogPath|*local path on laptop or pc where logs are stored* -LogLevel|*LogLevel 1 thru 6* - #### SQL Workbench Extended Properties for SAML generated credentials Property | Value @@ -32,6 +28,15 @@ S3OutputLocation|s3://*bucket where athena results are stored* LogPath|*local path on laptop or pc where logs are stored* LogLevel|*LogLevel 1 thru 6* +#### SQL Workbench Extended Properties for Cross-Account Role Access + +Property | Value +---------------------------|----------------------------------------------------------------------- +AwsCredentialsProviderClass|com.amazonaws.athena.jdbc.CustomIAMRoleAssumptionCredentialsProvider +AwsCredentialsProviderArguments|*access_key_id,secret_access_key,Cross Account Role ARN* +S3OutputLocation|s3://*bucket where athena results are stored* +LogPath|*local path on laptop or pc where logs are stored* +LogLevel|*LogLevel 1 thru 6* #### SQL Workbench Extended Properties for EC2 Instance role diff --git a/aws-blog-athena-custom-jdbc-credentials/pom.xml b/aws-blog-athena-custom-jdbc-credentials/pom.xml index 6a6317f1..90da2356 100644 --- a/aws-blog-athena-custom-jdbc-credentials/pom.xml +++ b/aws-blog-athena-custom-jdbc-credentials/pom.xml 
@@ -23,10 +23,9 @@ aws-java-sdk-s3 1.11.327 - - com.amazonaws - AthenaJDBC42 + com.syncron.amazonaws + simba-athena-jdbc-driver 2.0.2 @@ -38,7 +37,7 @@ 3.0.2 - com.amazonaws:AthenaJDBC42:jar:2.0.2 + com.syncron.amazonaws:simba-athena-jdbc-driver:jar:2.0.2 @@ -55,7 +54,7 @@ - com.amazonaws:AthenaJDBC42 + com.syncron.amazonaws:simba-athena-jdbc-driver From 8100332236d788d8751ac669ca23b3f212d39263 Mon Sep 17 00:00:00 2001 From: nwagh Date: Fri, 10 Aug 2018 13:29:17 -0400 Subject: [PATCH 4/4] Changed custom credentials jar artifact name --- aws-blog-athena-custom-jdbc-credentials/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aws-blog-athena-custom-jdbc-credentials/pom.xml b/aws-blog-athena-custom-jdbc-credentials/pom.xml index 90da2356..1337011d 100644 --- a/aws-blog-athena-custom-jdbc-credentials/pom.xml +++ b/aws-blog-athena-custom-jdbc-credentials/pom.xml @@ -2,7 +2,7 @@ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> 4.0.0 org.aws.labs - athena-jdbc + athena-jdbc-custom-credentials-provider 0.0.1-SNAPSHOT athena-jdbc
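Review bot: The driver dependency now resolves `com.syncron.amazonaws:simba-athena-jdbc-driver:2.0.2` instead of `com.amazonaws:AthenaJDBC42`, and that groupId is not an AWS-owned namespace, so the component that handles the connection's credentials is now fetched from a third-party publisher; the same coordinates recur in the two later hunks of this file. Before relying on it, compare the artifact's checksum with the driver jar AWS distributes, or keep the AWS-distributed jar and install it into an internal repository; either way, record the decision in the pom with a comment such as `<!-- Athena JDBC driver from a non-AWS publisher; checksum verified against the AWS download on [date] -->`. The commit title mentions an added Maven repository, but no repository element is visible in the hunks as shown here (element tags appear to be stripped in this rendering), so that part could not be reviewed.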