Use your own identity provider with Amazon Athena
Starting in Tableau 2023.2, you can use OAuth 2.0/OIDC to federate identity from an external identity provider to Amazon Athena.
Depending on the identity provider, there are different steps needed to configure the integration. Tableau only provides detailed instructions for how to configure Tableau products. For instructions on how to configure your identity provider (such as Okta), refer to that product’s help and tutorials. This document provides a high-level overview of the configuration process.
Note: Single-use refresh tokens are not supported for OAuth connections to Tableau at this time. In most cases, you can set up your identity provider (such as Okta or Redshift IDC) to use rolling refresh tokens instead. For more information, see your provider’s OAuth documentation.
Note: Steps and links that are outside of Tableau and Salesforce content may not be updated or accurate.
Configure the Identity Provider (IDP)
Create OAuth clients on the IDP for Tableau Desktop and Tableau Server. The Desktop client enables PKCE(Link opens in a new window) and uses http://localhost redirects.
Add any required custom claims to use for authorisation to roles. For more details about claims and scopes, see Scopes vs Claims(Link opens in a new window).
Create the Tableau OAuth config file. For details on how to do this, see OAuth Configuration and Usage(Link opens in a new window) on github, as well as examples here. Be sure to prefix the Tableau OAuth config IDs with “custom_”.
Install Tableau OAuth config files on Tableau Desktop machines, Tableau Server and Tableau Cloud sites as explained in the OAuth configuration topic linked above.
Configure IDP on AWS
- Create the IDP entity. See Amazon docs Web Identity Federation, Create OIDC Identity Provider.
- The IDP must be configured to federate to Athena in a way that works with Tableau's driver plug-in. The following provider information is used for both Tableau Server and Tableau Desktop flows:
AwsCredentialsProviderClas=com.simba.athena.iamsupport.plugin.JwtCredentialsProvider
role_session_name=AthenaJWT - Create roles and policies for the IDP specifically. See Create Role for OIDC on AWS docs.
Configure Roles for Athena
Attach the policies needed for Athena. There are many ways this can be done. One way is using custom claims. You can use custom claims in the openID token to authorise to roles. Those roles are granted access to other resources. For more information see:
Tutorial: Configuring federated access for Okta users to Athena using Lake Formation and JDBC.
Fine-grained access to databases and tables in the AWS Glue Data Catalogue.
Connect to Athena
The user must specify the AWS Role ARN (Amazon Resource Name) to assume and then, under OAuth Provider, select the OAuth config installed earlier. Note that the drop-down menu to select a config will only appear if there are multiple configurations to choose from.
When properly configured, the user is redirected to the IDP to authenticate and authorise tokens for Tableau. Tableau receives openID and refresh tokens. AWS is able to validate the token and signature from the IDP, extract the claims from the token, look up the mapping of claims to IAM role and either permit or block Tableau from assuming the role on the user’s behalf.
Example: AssumeRoleWithWebIdentity
Tokens
By default, Athena OAuth IAM passes the ID token to the driver. For on-premise customers, including those using Tableau Bridge, you may use a TDC file to pass the access token instead.
<connection-customization class='athena' enabled='true' version='10.0'> <vendor name='athena' /> <driver name='athena' /> <customizations> <customization name='CAP_OAUTH_FEDERATE_ACCCESS_TOKEN' value='yes'/> </customizations> </connection-customization>
For more information about configuring and installing .tdc files, see Customise and Tune a Connection(Link opens in a new window).
Okta Configuration
If using Okta it’s better to use a “custom authorisation server” rather than the “org authorisation server”. The custom authorisation servers are more flexible. There’s a custom authorisation server created by default, which is called “default”. The authorisation URL looks like the following example.
https://${yourOktaDomain}/oauth2/{authServerName}/v1/authorize