Connect to Athena With Session Tokens via DBeaver

Prerequisites: we assume that you already have DBeaver installed. The steps below are for macOS; on Windows you might need to change something.

Obtain a session token

A. Export the credential profile name as an environment variable in a new shell session
B. Run okta-aws to get a session token (enter username, password and TFA)
C. Remove the .okta/.current-session, .okta/ and .okta/profiles files

You will see the following in the console:

okta-aws aws_credentials_profile sts get-caller-identity
trash .okta/.current-session .okta/ .okta/profiles
Username: USERNAME
GOOGLE Token Factor Authentication
Enter 'change factor' to use a different factor
Auto select role as only one is available : arn:aws:iam::123456789012:role/AWS-YYY-123456789012-XXXXX
    "UserId": "AXXXXXXXXXXXXXXXXXXX1:botocore-session-1234567890",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/AAWS-YYY-123456789012-XXXXX/botocore-session-1234567890"

A session token is generated and stored in the .aws/credentials file under the aws_credentials_profile section.

Configure DBeaver to use tokens

  1. Download and install the Athena JDBC driver to DBeaver
  2. Create a new database connection. Normally you need 4 things to start querying your data:
    a. AWS Region (us-east-1)
    b. S3 Endpoint
    c. Access Key
    d. Secret Key

Select the new Athena connection, and press F4, or right-click the connection name and select Edit Connection to edit connection details.

If you have an additional layer of security and use session tokens (for example, okta-aws), you need to configure the Athena driver to use them. Open the Driver properties tab.

There are two parameters here you need to change to make use of local AWS credential profiles.
A. AwsCredentialsProviderArguments (this is the name of your AWS profile stored in the .aws folder)
aws_credentials_profile
B. AwsCredentialsProviderClass (the driver class that allows the use of session tokens)

Change them and click OK to apply new settings.
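
A pre-flight check for the two driver properties above, as an added example that is not part of the original page: it confirms that the profile okta-aws wrote to .aws/credentials carries a session token and that the file is readable by its owner only, then returns the property values. The provider class name is taken from the Simba Athena JDBC driver documentation, not from this page, and the function names and sample file contents are constructed for illustration.

```python
import configparser
import os
import stat
import tempfile
# Provider class as named in the Simba Athena JDBC driver documentation; the
# page does not give the value, so confirm it against your driver version.
PROFILE_PROVIDER = "com.simba.athena.amazonaws.auth.profile.ProfileCredentialsProvider"
REQUIRED_KEYS = ("aws_access_key_id", "aws_secret_access_key", "aws_session_token")

# Constructed sample file contents, not real credentials.
SAMPLE = """[aws_credentials_profile]
aws_access_key_id = ASIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-secret
aws_session_token = constructed-token
"""


def check_profile(credentials_path, profile):
    """Return the problems that would stop the driver from using `profile`."""
    if not os.path.isfile(credentials_path):
        return [f"{credentials_path} does not exist"]
    problems = []
    # The file holds bearer secrets, so it should be readable by its owner only.
    mode = stat.S_IMODE(os.stat(credentials_path).st_mode)
    if mode & 0o077:
        problems.append(f"file mode {mode:o} allows group/other access")
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(credentials_path)
    if not parser.has_section(profile):
        return problems + [f"profile [{profile}] not found"]
    for key in REQUIRED_KEYS:
        if not parser.get(profile, key, fallback="").strip():
            problems.append(f"profile [{profile}] is missing {key}")
    return problems


def driver_properties(profile):
    """Values for the two DBeaver driver properties described above."""
    return {"AwsCredentialsProviderClass": PROFILE_PROVIDER,
            "AwsCredentialsProviderArguments": profile}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "credentials")
        with open(path, "w") as handle:
            handle.write(SAMPLE)
        os.chmod(path, 0o600)
        print(check_profile(path, "aws_credentials_profile")
              or driver_properties("aws_credentials_profile"))
```

Point check_profile at your own .aws/credentials path after running okta-aws; an empty list means the profile is ready for the driver.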

Connect to Athena via the new connection

Right-click the new connection in DBeaver and select Connect (or double-click the connection).

You should be able to query Athena as long as the session token is valid.

May 29, 2021   (v.93940b5)