feat(athena-driver): export env variables for IAM assume role auth (#9882)

Author: bsod90

docs/pages/product/configuration/data-sources/aws-athena.mdx

@@ -13,6 +13,8 @@
 
 Add the following to a `.env` file in your Cube project:
 
+#### Static Credentials
+
 ```dotenv
 CUBEJS_DB_TYPE=athena
 CUBEJS_AWS_KEY=AKIA************
@@ -24,6 +26,24 @@ CUBEJS_DB_NAME=my_non_default_athena_database
 CUBEJS_AWS_ATHENA_CATALOG=AwsDataCatalog
 ```
 
+#### IAM Role Assumption
+
+For enhanced security, you can configure Cube to assume an IAM role to access Athena:
+
+```dotenv
+CUBEJS_DB_TYPE=athena
+CUBEJS_AWS_ATHENA_ASSUME_ROLE_ARN=arn:aws:iam::123456789012:role/AthenaAccessRole
+CUBEJS_AWS_REGION=us-east-1
+CUBEJS_AWS_S3_OUTPUT_LOCATION=s3://my-athena-output-bucket
+CUBEJS_AWS_ATHENA_WORKGROUP=primary
+# Optional: if the role requires an external ID
+CUBEJS_AWS_ATHENA_ASSUME_ROLE_EXTERNAL_ID=unique-external-id
+```
+
+When using role assumption:
+- If running in AWS (EC2, ECS, EKS with IRSA), the driver will use the instance's IAM role or service account to assume the target role
+- You can also provide `CUBEJS_AWS_KEY` and `CUBEJS_AWS_SECRET` as master credentials for the role assumption
+
 ### Cube Cloud
 
 <InfoBox heading="Allowing connections from Cube Cloud IP">
@@ -52,17 +72,21 @@ if [dedicated infrastructure][ref-dedicated-infra] is used. Check out the
 
 ## Environment Variables
 
-| Environment Variable            | Description                                                                                                            | Possible Values                                  | Required |
-| ------------------------------- | ---------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ | :------: |
-| `CUBEJS_AWS_KEY`                | The AWS Access Key ID to use for database connections                                                                  | A valid AWS Access Key ID                        |    ✅    |
-| `CUBEJS_AWS_SECRET`             | The AWS Secret Access Key to use for database connections                                                              | A valid AWS Secret Access Key                    |    ✅    |
-| `CUBEJS_AWS_REGION`             | The AWS region of the Cube deployment                                                                                  | [A valid AWS region][aws-docs-regions]           |    ✅    |
-| `CUBEJS_AWS_S3_OUTPUT_LOCATION` | The S3 path to store query results made by the Cube deployment                                                         | A valid S3 path                                  |    ❌    |
-| `CUBEJS_AWS_ATHENA_WORKGROUP`   | The name of the workgroup in which the query is being started                                                          | [A valid Athena Workgroup][aws-athena-workgroup] |    ❌    |
-| `CUBEJS_AWS_ATHENA_CATALOG`     | The name of the catalog to use by default                                                                              | [A valid Athena Catalog name][awsdatacatalog]    |    ❌    |
-| `CUBEJS_DB_NAME`                | The name of the database to use by default                                                                             | A valid Athena Database name                     |    ❌    |
-| `CUBEJS_DB_SCHEMA`              | The name of the schema to use as `information_schema` filter. Reduces count of tables loaded during schema generation. | A valid schema name                              |    ❌    |
-| `CUBEJS_CONCURRENCY`            | The number of [concurrent queries][ref-data-source-concurrency] to the data source                                     | A valid number                                   |    ❌    |
+| Environment Variable                            | Description                                                                                                            | Possible Values                                  | Required |
+| ----------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ | :------: |
+| `CUBEJS_AWS_KEY`                                | The AWS Access Key ID to use for database connections                                                                  | A valid AWS Access Key ID                        | ❌<sup>1</sup> |
+| `CUBEJS_AWS_SECRET`                             | The AWS Secret Access Key to use for database connections                                                              | A valid AWS Secret Access Key                    | ❌<sup>1</sup> |
+| `CUBEJS_AWS_REGION`                             | The AWS region of the Cube deployment                                                                                  | [A valid AWS region][aws-docs-regions]           |    ✅    |
+| `CUBEJS_AWS_S3_OUTPUT_LOCATION`                 | The S3 path to store query results made by the Cube deployment                                                         | A valid S3 path                                  |    ❌    |
+| `CUBEJS_AWS_ATHENA_WORKGROUP`                   | The name of the workgroup in which the query is being started                                                          | [A valid Athena Workgroup][aws-athena-workgroup] |    ❌    |
+| `CUBEJS_AWS_ATHENA_CATALOG`                     | The name of the catalog to use by default                                                                              | [A valid Athena Catalog name][awsdatacatalog]    |    ❌    |
+| `CUBEJS_AWS_ATHENA_ASSUME_ROLE_ARN`             | The ARN of the IAM role to assume for Athena access                                                                    | A valid IAM role ARN                             |    ❌    |
+| `CUBEJS_AWS_ATHENA_ASSUME_ROLE_EXTERNAL_ID`     | The external ID to use when assuming the IAM role (if required by the role's trust policy)                             | A string                                          |    ❌    |
+| `CUBEJS_DB_NAME`                                | The name of the database to use by default                                                                             | A valid Athena Database name                     |    ❌    |
+| `CUBEJS_DB_SCHEMA`                              | The name of the schema to use as `information_schema` filter. Reduces count of tables loaded during schema generation. | A valid schema name                              |    ❌    |
+| `CUBEJS_CONCURRENCY`                            | The number of [concurrent queries][ref-data-source-concurrency] to the data source                                     | A valid number                                   |    ❌    |
+
+<sup>1</sup> Either provide `CUBEJS_AWS_KEY` and `CUBEJS_AWS_SECRET` for static credentials, or use `CUBEJS_AWS_ATHENA_ASSUME_ROLE_ARN` for role-based authentication. When using role assumption without static credentials, the driver will use the AWS SDK's default credential chain (IAM instance profile, EKS IRSA, etc.).
 
 [ref-data-source-concurrency]: /product/configuration/concurrency#data-source-concurrency
 

packages/cubejs-athena-driver/package.json

@@ -29,6 +29,7 @@
   "types": "dist/src/index.d.ts",
   "dependencies": {
     "@aws-sdk/client-athena": "^3.22.0",
+    "@aws-sdk/credential-providers": "^3.22.0",
     "@cubejs-backend/base-driver": "1.3.52",
     "@cubejs-backend/shared": "1.3.52",
     "sqlstring": "^2.3.1"

packages/cubejs-athena-driver/src/AthenaDriver.ts

@@ -36,6 +36,7 @@ import {
 } from '@cubejs-backend/base-driver';
 import * as SqlString from 'sqlstring';
 import { AthenaClientConfig } from '@aws-sdk/client-athena/dist-types/AthenaClient';
+import { fromTemporaryCredentials } from '@aws-sdk/credential-providers';
 import { URL } from 'url';
 
 interface AthenaDriverOptions extends AthenaClientConfig {
@@ -124,16 +125,37 @@ export class AthenaDriver extends BaseDriver implements DriverInterface {
       config.secretAccessKey ||
       getEnv('athenaAwsSecret', { dataSource });
 
+    const assumeRoleArn = getEnv('athenaAwsAssumeRoleArn', { dataSource });
+    const assumeRoleExternalId = getEnv('athenaAwsAssumeRoleExternalId', { dataSource });
+
     const { schema, ...restConfig } = config;
 
     this.schema = schema ||
       getEnv('dbName', { dataSource }) ||
       getEnv('dbSchema', { dataSource });
 
+    // Configure credentials based on authentication method
+    let credentials;
+    if (assumeRoleArn) {
+      // Use assume role authentication
+      credentials = fromTemporaryCredentials({
+        params: {
+          RoleArn: assumeRoleArn,
+          ...(assumeRoleExternalId && { ExternalId: assumeRoleExternalId }),
+        },
+        ...(accessKeyId && secretAccessKey && {
+          masterCredentials: { accessKeyId, secretAccessKey },
+        }),
+      });
+    } else if (accessKeyId && secretAccessKey) {
+      // If access key and secret are provided, use them as master credentials
+      // Otherwise, let the SDK use the default credential chain (IRSA, instance profile, etc.)
+      credentials = { accessKeyId, secretAccessKey };
+    }
+
     this.config = {
-      credentials: accessKeyId && secretAccessKey
-        ? { accessKeyId, secretAccessKey }
-        : undefined,
+      // If no credentials are provided, the SDK will use the default chain
+      ...(credentials && { credentials }),
       ...restConfig,
       region:
         config.region ||

packages/cubejs-backend-shared/src/env.ts

@@ -1147,6 +1147,32 @@ const variables: Record<string, (...args: any) => any> = {
     ]
   ),
 
+  /**
+   * Athena AWS Assume Role ARN.
+   */
+  athenaAwsAssumeRoleArn: ({
+    dataSource
+  }: {
+    dataSource: string,
+  }) => (
+    process.env[
+      keyByDataSource('CUBEJS_AWS_ATHENA_ASSUME_ROLE_ARN', dataSource)
+    ]
+  ),
+
+  /**
+   * Athena AWS Assume Role External ID.
+   */
+  athenaAwsAssumeRoleExternalId: ({
+    dataSource
+  }: {
+    dataSource: string,
+  }) => (
+    process.env[
+      keyByDataSource('CUBEJS_AWS_ATHENA_ASSUME_ROLE_EXTERNAL_ID', dataSource)
+    ]
+  ),
+
   /** ****************************************************************
    * BigQuery Driver                                                 *
    ***************************************************************** */