Use your own identity provider with Amazon Athena

Starting in Tableau 2023.2, you can use OAuth 2.0/OIDC to federate identity from an external identity provider to Amazon Athena.

Depending on the identity provider, there are different steps needed to configure the integration. Tableau only provides detailed instructions for how to configure Tableau products. This document provides a high-level overview of the configuration process.

Note: Steps and links that are outside of Tableau and Salesforce content may not be updated or accurate.

Configure the Identity Provider (IDP)

  1. Create OAuth clients on the IDP for Tableau Desktop and Tableau Server. The Desktop client enables PKCE and uses http://localhost redirects.

  2. Add custom claims for authorisation to roles.

  3. Create the Tableau OAuth config file. See the documentation on GitHub, and examples here. Be sure to prefix the Tableau OAuth config IDs with “custom_”.

  4. Install Tableau OAuth config files on desktop machines, Tableau Server and Tableau Cloud sites.

Configure IDP on AWS

  1. Create the IDP entity. See Amazon docs Web Identity Federation, Create OIDC Identity Provider.

  2. Create roles and policies for the IDP specifically. See Create Role for OIDC on AWS docs.

Configure Roles for Athena

Attach the policies needed for Athena. There are many ways this can be done. One way is to use custom claims: a custom claim in the OpenID token authorises the assumption of a role, and that role is granted access to Athena and the other resources it needs. For more information see:

Connect to Athena

The user must specify the role ARN to assume, and then select the OAuth config installed earlier.

When properly configured, the user is redirected to the IDP to authenticate and authorise tokens for Tableau. Tableau receives an OpenID token and a refresh token. AWS validates the token and its signature against the IDP, extracts the claims from the token, looks up the mapping of claims to an IAM role, and either permits or blocks Tableau from assuming the role on the user’s behalf.

Example: AssumeRoleWithWebIdentity

(Screenshot: Log in to Athena window)
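The paragraph above describes what AWS does with the token Tableau presents: check that it came from the registered provider and has not expired, then compare its claims with the conditions in the role’s trust policy. The following is an added example, not Tableau’s or AWS’s code, that models that check locally so the effect of a custom claim can be seen. The IDP host, account ID, audience, and the claim name `athena_role` are placeholders, and the tokens are constructed test input with no real signature; in production STS verifies the JWT signature against the provider’s published keys before any of this runs.

```python
"""Local model of the claim check behind AssumeRoleWithWebIdentity (added example).

Constructed for illustration: the IdP host, account id, claim name and token
payloads are placeholders, and the tokens carry a placeholder signature.
Signature verification is assumed to have happened already; this covers the
steps that follow it.
"""
import base64
import json
import time
from typing import Optional, Tuple

IDP_HOST = "idp.example.com"      # assumed: host of the OIDC provider registered in IAM
ACCOUNT_ID = "123456789012"       # placeholder AWS account id
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{IDP_HOST}"

# Constructed trust policy for the Athena role: the IdP is the federated
# principal, and both the audience and a custom claim must match.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    f"{IDP_HOST}:aud": "tableau-desktop",      # assumed client id
                    f"{IDP_HOST}:athena_role": "athena-analyst",  # assumed custom claim
                }
            },
        }
    ],
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature (constructed test input)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-signature"


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT; signature checking is assumed done."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def _matches(policy_value, claim_value) -> bool:
    """StringEquals semantics: any listed policy value may equal any listed claim value."""
    wanted = policy_value if isinstance(policy_value, list) else [policy_value]
    have = claim_value if isinstance(claim_value, list) else [claim_value]
    return any(w == h for w in wanted for h in have)


def can_assume_role(token: str, policy: dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for the token against the role's trust policy."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    if claims.get("iss") != f"https://{IDP_HOST}":
        return False, "issuer does not match the registered provider"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    reason = "no statement trusts this provider"
    for stmt in policy["Statement"]:
        if (stmt.get("Effect") != "Allow"
                or stmt.get("Principal", {}).get("Federated") != PROVIDER_ARN
                or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity"):
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        # Condition keys look like "<provider host>:<claim>"; compare against the claim.
        failed = [key for key, wanted in conditions.items()
                  if not _matches(wanted, claims.get(key.split(":", 1)[1]))]
        if not failed:
            return True, "all conditions satisfied"
        reason = "condition failed on " + ", ".join(failed)
    return False, reason


NOW = 1_700_000_000  # fixed clock so the examples are reproducible
BASE_CLAIMS = {"iss": f"https://{IDP_HOST}", "sub": "user-1", "aud": "tableau-desktop",
               "exp": NOW + 3600, "athena_role": "athena-analyst"}


def demo_tokens() -> dict:
    """Four constructed tokens: one that should be allowed and three that should be blocked."""
    return {
        "analyst": make_unsigned_token(BASE_CLAIMS),
        "wrong_audience": make_unsigned_token({**BASE_CLAIMS, "aud": "some-other-app"}),
        "no_role_claim": make_unsigned_token({k: v for k, v in BASE_CLAIMS.items() if k != "athena_role"}),
        "expired": make_unsigned_token({**BASE_CLAIMS, "exp": NOW - 1}),
    }


if __name__ == "__main__":
    for name, tok in demo_tokens().items():
        print(f"{name:15} -> {can_assume_role(tok, TRUST_POLICY, now=NOW)}")
```

The `aud` condition matters as much as the custom claim: without it, any token the IDP issued for a different client would satisfy a policy that only checks the role claim. Running the block prints one allowed result and three blocked results with the reason for each.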

Okta Configuration

If you are using Okta, it is better to use a “custom authorisation server” rather than the “org authorisation server”, because custom authorisation servers are more flexible. One custom authorisation server, named “default”, is created automatically. The authorisation URL looks like the following example.

https://${yourOktaDomain}/oauth2/${authServerName}/v1/authorize
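The Desktop client described in step 1 above uses PKCE and an `http://localhost` redirect, and the URL pattern just shown is where its authorisation request goes. As an added example, not Tableau’s or Okta’s code, the following generates the PKCE pair, builds the authorisation request against the `default` custom authorisation server, and shows the verification the server performs later at the token endpoint. The Okta domain, client ID, redirect port and path are placeholders; the `offline_access` scope is included because the flow above returns a refresh token.

```python
"""PKCE values and the authorisation request for an Okta custom authorisation
server (added example). Domain, client id and redirect URI are placeholders.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """43-character random verifier (32 random bytes, base64url), per RFC 7636."""
    return _b64url(secrets.token_bytes(32))


def code_challenge(verifier: str) -> str:
    """S256 challenge: base64url(sha256(verifier)). Only this leaves the client."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(verifier: str, challenge: str) -> bool:
    """The check the authorisation server makes when the code is redeemed."""
    return secrets.compare_digest(code_challenge(verifier), challenge)


def build_authorize_url(okta_domain: str, auth_server: str, client_id: str,
                        redirect_uri: str, scopes: list, state: str, challenge: str) -> str:
    """Authorisation URL in the form https://{domain}/oauth2/{authServerName}/v1/authorize."""
    base = f"https://{okta_domain}/oauth2/{auth_server}/v1/authorize"
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": " ".join(scopes),
        "redirect_uri": redirect_uri,
        "state": state,                    # bound to the pending request, checked on return
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{base}?{urlencode(params)}"


def authorize_params(url: str) -> dict:
    """Flatten the query string of an authorize URL for inspection."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


if __name__ == "__main__":
    verifier = make_code_verifier()
    url = build_authorize_url(
        "dev-000000.okta.com",            # placeholder Okta domain
        "default",                        # the custom authorisation server created automatically
        "0oa-placeholder-client-id",      # placeholder client id
        "http://localhost:55556/Callback",  # placeholder loopback redirect
        ["openid", "profile", "offline_access"],
        secrets.token_urlsafe(16),
        code_challenge(verifier),
    )
    print(url)
    print("verifier kept on the client:", verifier)
    print("server-side check passes:", verify_pkce(verifier, authorize_params(url)["code_challenge"]))
```

Because only the SHA-256 challenge travels in the authorisation request, an authorisation code intercepted on the loopback redirect cannot be redeemed without the verifier, which is why PKCE is appropriate for a desktop client that cannot keep a client secret.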

(Screenshot: Okta dashboard)
