Use your own identity provider with Amazon Athena

Starting in Tableau 2023.2, you can use OAuth 2.0/OIDC to federate identity from an external identity provider to Amazon Athena.

Depending on the identity provider, there are different steps needed to configure the integration. Tableau only provides detailed instructions for how to configure Tableau products. This document provides a high-level overview of the configuration process.

Note: Steps and links outside of Tableau and Salesforce content may not be updated or accurate.

Configure the Identity Provider (IDP)

  1. Create OAuth clients on the IDP for Tableau Desktop and Tableau Server. The Desktop client enables PKCE and uses http://localhost redirects.

  2. Add the custom claims that will be used to authorize users to roles.

  3. Create the Tableau OAuth config file. See the documentation on GitHub, and examples here. Be sure to prefix the Tableau OAuth config IDs with “custom_”.

  4. Install Tableau OAuth config files on desktop machines, Tableau Server, and Tableau Cloud sites.

Configure IDP on AWS

  1. Create the IDP entity. See Amazon docs Web Identity Federation, Create OIDC Identity Provider.

  2. Create roles and policies for the IDP specifically. See Create Role for OIDC on AWS docs.

Configure Roles for Athena

Attach the policies needed for Athena. There are many ways this can be done. One way is using custom claims: you can use custom claims in the OpenID token to authorize users to roles, and those roles are granted access to other resources. For more information see:

Connect to Athena

The user must specify the role ARN to assume, and then select the OAuth config installed earlier.

When properly configured, the user is redirected to the IDP to authenticate and authorize tokens for Tableau. Tableau receives openid and refresh tokens. AWS is able to validate the token and signature from the IDP, extract the claims from the token, look up the mapping of claims to IAM role, and either permit or block Tableau from assuming the role on the user’s behalf.
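The trust policy below is an added example, not part of Tableau's documentation, showing how the claim-to-role mapping described above is expressed on the AWS side. The account ID, the Okta issuer `example.okta.com/oauth2/default`, the two client IDs and the custom claim name `athena_group` are placeholders; the `aud` condition limits the role to tokens issued for the Tableau Desktop and Tableau Server OAuth clients, and the `<provider>:<claim>` key form for the custom claim is an assumption to confirm against the AWS condition-key documentation for your provider.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowTableauUsersViaOidcProvider",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::111122223333:oidc-provider/example.okta.com/oauth2/default"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "example.okta.com/oauth2/default:aud": [
            "0oaEXAMPLEdesktopclient",
            "0oaEXAMPLEserverclient"
          ],
          "example.okta.com/oauth2/default:athena_group": "athena-analysts"
        }
      }
    }
  ]
}
```

Without the `aud` condition, any token minted by the same authorization server for a different application would also satisfy the trust policy; the custom-claim condition is what ties this role to the group assigned in the IDP.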

Example: AssumeRoleWithWebIdentity

[Screenshot: Log into Athena window]

Okta Configuration

If using Okta, it’s better to use a “custom authorization server” rather than the “org authorization server.” Custom authorization servers are more flexible. A custom authorization server named “default” is created by default. The authorization URL looks like the following example.

https://${yourOktaDomain}/oauth2/${authServerName}/v1/authorize

[Screenshot: Okta dashboard]
