Use your own identity provider with Amazon Athena

Applies to: Tableau Cloud, Tableau Desktop, Tableau Prep, Tableau Server

Starting in Tableau 2023.2, you can use OAuth 2.0/OIDC to federate identity from an external identity provider to Amazon Athena.

Depending on the identity provider, there are different steps needed to configure the integration. Tableau only provides detailed instructions for how to configure Tableau products. For instructions on how to configure your identity provider (such as Okta), refer to that product’s help and tutorials. This document provides a high-level overview of the configuration process.

Note: Single use refresh tokens are not supported for OAuth connections to Tableau at this time. In most cases, you can set up your identity provider (such as Okta or Redshift IDC) to use rolling refresh tokens instead. For more information, see your provider’s OAuth documentation.

Note:Steps and links that are outside of Tableau and Salesforce content, may not be updated or accurate.

Configure the Identity Provider (IDP)

  1. Create OAuth clients on the IDP for Tableau Desktop and Tableau Server. The Desktop client enables PKCE(Link opens in a new window) and uses http://localhost redirects.

  2. Add any required custom claims to use for authorization to roles. For more details about claims and scopes, see Scopes vs Claims(Link opens in a new window).

  3. Create the Tableau OAuth config file. For details on how to do this, see OAuth Configuration and Usage(Link opens in a new window) on github, and examples here. Be sure to prefix the Tableau OAuth config IDs with “custom_”.

  4. Install Tableau OAuth config files on Tableau Desktop machines, Tableau Server, and Tableau Cloud sites as explained in the OAuth configuration topic linked above.

Configure IDP on AWS

  1. Create the IDP entity. See Amazon docs Web Identity Federation, Create OIDC Identity Provider.
  2. The IDP must be configured to federate to Athena in a way that works with Tableau's driver plug-in. The following provider information is used for both Tableau Server and Tableau Desktop flows:
    AwsCredentialsProviderClas=com.simba.athena.iamsupport.plugin.JwtCredentialsProvider
    role_session_name=AthenaJWT
  3. Create roles and policies for the IDP specifically. See Create Role for OIDC on AWS docs.

Configure Roles for Athena

Attach the policies needed for Athena. There are many ways this can be done. One way is using custom claims. You can use custom claims in the openID token to authorize to roles. Those roles are granted access to other resources. For more information see:

Connect to Athena

The user must specify the AWS Role ARN (Amazon Resource Name) to assume, and then, under OAuth Provider, select the OAuth config installed earlier. Note the drop-down menu to select a config will only appear if there are multiple configurations to choose from.

When properly configured, the user is redirected to the IDP to authenticate and authorize tokens for Tableau. Tableau receives openid and refresh tokens. AWS is able to validate the token and signature from the IDP, extract the claims from the token, look up the mapping of claims to IAM role, and either permit or block Tableau from assuming the role on the user’s behalf.

Example: AssumeRoleWithWebIdentity

log into athena window

Tokens

By default, Athena OAuth IAM passes the ID token to the driver. For on-premise customers, including those using Tableau Bridge, you may use a TDC file to pass the access token instead.

<connection-customization class='athena' enabled='true' version='10.0'>
    <vendor name='athena' />
    <driver name='athena' />
    <customizations>
        <customization name='CAP_OAUTH_FEDERATE_ACCCESS_TOKEN' value='yes'/>
    </customizations>
</connection-customization>

For more information about configuring and installing .tdc files, see Customize and Tune a Connection(Link opens in a new window).

Okta Configuration

If using Okta it’s better to use a “custom authorization server” rather than the “org authorization server.” The custom authorization servers are more flexible. There’s a custom authorization server created by default, which is called “default”. The authorization URL looks like the following example.

https://${yourOktaDomain}/oauth2/{authServerName}/v1/authorize

okta dashboard

Back to top
Thanks for your feedback!Your feedback has been successfully submitted. Thank you!