Closed juliansteger-sc closed 1 year ago
How are you running Metabase today? If it's just on something like ECS, then I don't think there would be a way to associate another IAM role. If you're running on EC2, you could potentially use `PropertiesFileCredentialsProvider` or `ProfileCredentialsProvider`, but you'd still have to maintain credentials on the instance itself.
The JDBC configuration guide on the Athena docs ( https://docs.aws.amazon.com/athena/latest/ug/connect-with-jdbc.html ) has more details.
Thanks @dacort, yes, we are running on ECS. Maybe there could be a way to specify another role for the connection, which would then need to be assumed whenever a call is made via this connection? Not sure if this is technically feasible.
For now we will go with a technical IAM user; with appropriate use of the `aws:calledVia` and `aws:SourceVpce` context keys this should be quite safe and only be usable from within the VPC.
The only issue we faced is that when setting up a second Athena connection we received an error:
`PreparedStatement stmt2541324561 was not found in WorkGroup [...]`
This turned out to be caused by our policy:
```json
{
  "Sid": "Athena",
  "Effect": "Allow",
  "Action": [
    "athena:StopQueryExecution",
    "athena:StartQueryExecution",
    "athena:ListQueryExecutions",
    "athena:ListNamedQueries",
    "athena:GetWorkGroup",
    "athena:GetQueryResultsStream",
    "athena:GetQueryResults",
    "athena:GetQueryExecution",
    "athena:GetNamedQuery",
    "athena:BatchGetQueryExecution",
    "athena:BatchGetNamedQuery",
    "athena:ListWorkGroups",
    "athena:ListTagsForResource",
    "athena:ListTableMetadata",
    "athena:ListDatabases",
    "athena:ListDataCatalogs",
    "athena:GetPreparedStatement",
    "athena:DeletePreparedStatement",
    "athena:CreatePreparedStatement"
  ],
  "Resource": "arn:aws:athena:eu-central-1:123456789111:workgroup/our-workgroup-name",
  "Condition": {
    "StringEquals": {
      "aws:SourceVpc": [
        "vpc-99djeudef2f1d0341"
      ]
    }
  }
}
```
When moving the `PreparedStatement` actions out and removing the `aws:SourceVpc` condition it worked, so it seems those actions are not compatible with `aws:SourceVpc(e)`. Not sure why though; there's no limitation mentioned in the AWS docs.
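To make the behaviour of the `aws:SourceVpc` condition concrete, here is a small evaluator for the statement above and for the two-statement workaround described in the comment. This is an added example, not code from the issue, from Metabase or from AWS, and it does not establish why the driver's PreparedStatement calls failed; it only models the standard IAM rule that a `StringEquals` condition evaluates to false when the key is absent from the request context, so the request falls through to the implicit deny. The account ID, VPC ID and workgroup name are the placeholders from the issue; the `split_unconditioned` helper and `PREPARED` set are assumptions of this example.

```python
"""Toy IAM evaluator: Action/Resource wildcard matching plus a StringEquals
condition. Explicit Deny, other operators and policy types are out of scope."""
from copy import deepcopy
from fnmatch import fnmatchcase

# Constructed copy of the statement from the issue (IDs are placeholders).
WORKGROUP_ARN = "arn:aws:athena:eu-central-1:123456789111:workgroup/our-workgroup-name"
STATEMENT = {
    "Sid": "Athena",
    "Effect": "Allow",
    "Action": [
        "athena:StartQueryExecution",
        "athena:GetQueryExecution",
        "athena:GetQueryResults",
        "athena:GetWorkGroup",
        "athena:CreatePreparedStatement",
        "athena:GetPreparedStatement",
        "athena:DeletePreparedStatement",
    ],
    "Resource": WORKGROUP_ARN,
    "Condition": {"StringEquals": {"aws:SourceVpc": ["vpc-99djeudef2f1d0341"]}},
}

# Hypothetical grouping used by split_unconditioned() below.
PREPARED = {
    "athena:CreatePreparedStatement",
    "athena:GetPreparedStatement",
    "athena:DeletePreparedStatement",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Only StringEquals is modelled. IAM semantics: a key that is missing
    from the request context makes StringEquals evaluate to false."""
    for operator, clauses in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, allowed in clauses.items():
            if key not in context:
                return False
            if context[key] not in _as_list(allowed):
                return False
    return True


def is_allowed(statements, action, resource, context):
    """True if any Allow statement matches action, resource and condition;
    otherwise the request is implicitly denied."""
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if "Condition" in st and not _condition_holds(st["Condition"], context):
            continue
        return True
    return False


def split_unconditioned(statement, actions, new_sid):
    """Move `actions` into a second statement that carries no Condition,
    i.e. the workaround the comment describes. Returns [kept, moved]."""
    kept, moved = deepcopy(statement), deepcopy(statement)
    kept["Action"] = [a for a in _as_list(statement["Action"]) if a not in actions]
    moved["Action"] = [a for a in _as_list(statement["Action"]) if a in actions]
    moved["Sid"] = new_sid
    moved.pop("Condition", None)
    return [kept, moved]


if __name__ == "__main__":
    in_vpc = {"aws:SourceVpc": "vpc-99djeudef2f1d0341"}
    no_key = {}  # constructed context without the key, e.g. a call not made via the VPC
    one = [STATEMENT]
    two = split_unconditioned(STATEMENT, PREPARED, "AthenaPreparedStatements")
    print(is_allowed(one, "athena:CreatePreparedStatement", WORKGROUP_ARN, in_vpc))  # True
    print(is_allowed(one, "athena:CreatePreparedStatement", WORKGROUP_ARN, no_key))  # False
    print(is_allowed(two, "athena:CreatePreparedStatement", WORKGROUP_ARN, no_key))  # True
    print(is_allowed(two, "athena:StartQueryExecution", WORKGROUP_ARN, no_key))      # False
```

The last line is the caveat worth keeping in mind with the workaround: the query-execution actions stay gated on the VPC, but the prepared-statement actions in the second statement are reachable from anywhere the user's credentials are valid, so they rely on the other controls (such as the `aws:CalledVia` key mentioned above) rather than on network origin.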
Closing as part of cleanup now that Athena is officially supported by Metabase. Any future issues can be asked about on their forum or with a detailed bug report.
We would like to grant different user groups access to different tables, but at the same time want them to be able to use native SQL queries.
This is not possible with one role as users can query any table via native SQL that's allowed via the role, independent of MB permissions.
Is it possible to create a second Athena connection, using or 'assuming' a different role? I guess we could use IAM users, but then we would have to manage static secrets.
Thanks