Support custom RoleArn in Athena connection URI

[icy]

This patch allows to provide a custom RoleArn in Athena Connection URI. This is useful when we need to switch to another role from within Ec2 instance profile.

Example Connection Uri:

awsathena+jdbc://athena.ap-southeast-1.amazonaws.com:443/testing?s3_staging_dir=s3://athena-query-results-testing&role_arn=arn:aws:iam::024150960000:role/AthenaPowerUsers

[icy]

cc: #57

Hi @laughingman7743 ,

I'm using superset (https://github.com/apache/incubator-superset) which uses PyAthenaJDBC 1.2.x. The superset instance is using Ec2 IAM profile to get session tokens, however we want to work on Athena from another AWS account, and we think that using AssumeRole is better than providing credential file and/or fixed IAM credentials.

I think that the Java library doesn't support role switching (I did take a look at their documentation downloaded from here 1. That's why I try to have a work-around from your Python library. As I don't want to hurt it so much I create something new session as you can see in this PR; clearly the better way is to support RoleArn argument under your session token generating (https://github.com/laughingman7743/PyAthenaJDBC/blob/master/pyathenajdbc/connection.py#L46).

That's to say. I like to hear your advice how to support RoleArn and how to improve this PR. I'm eager to provide some support and/or create a new one if necessary.

Thanks a lot

[laughingman7743]

Thanks PR. But I hope you will use PyAthena (https://github.com/laughingman7743/PyAthena). Since it supports SQLAlchemy, it can also be used in Superset. The scheme of URI is awsathena + rest.
https://github.com/laughingman7743/PyAthena#sqlalchemy

PyAthena supports boto3 authentication.
http://boto3.readthedocs.io/en/latest/guide/configuration.html
AssumeRole is also supposed to work if you create a configuration file.
http://boto3.readthedocs.io/en/latest/guide/configuration.html#assume-role-provider

Thanks,

[icy]

Thanks a lot @laughingman7743 . I will take a look at using PyAthena in Superset.

I don't really want to use AssumeRole in file configuration (that would require us to provide IAM credentials in configuration too.) What we need is to get AssumeRole after getting session tokens from EC2 instance profile. I will take a look if there is a way.

Thanks again,

[laughingman7743]

If you create a configuration file that specifies only role_arn and role_session_name, it may be that the action of AssumeRole is executed in the role attached to the EC2 instance? However, it may be useful to be able to specify a role_arn with a URI.

Try out the configuration file with PyAthena for the time being. If there is a problem, please raise an issue to the PyAthena repository (https://github.com/laughingman7743/PyAthena/issues).

[icy]

Hi @laughingman7743 ,

How did you mention that superset could use PyAthena library? From the official documentation here

https://superset.apache.org/installation.html#deeper-sqlalchemy-integration

the only Athena URI can be read is awsathena+jdbc://....

Thanks a lot.

[laughingman7743]

I do not use Superset so I do not know the details.
Perhaps I think installing the library with pip install PyAthena and specifying the URI starting with awsathena+rest:// in the SQLAlchemy URI.

[icy]

Hi @laughingman7743, that's perfect. However I still need to create local ~/.aws/config configuration files. Do you think that we may have some option to provide rolearn in URI? If that's fine I would create new ticket on the ticket there

[laughingman7743]

I tried implementing it. Please check the following branch.
laughingman7743/PyAthena#40

[icy]

That's great. I will close this ticket and use PyAthena instead. Thanks again for your support.