Athena

Overview

This guide explains how to add Amazon Athena as a datasource in StrongDM using AWS access keys for authentication. To use IAM role authentication instead, see the Athena (IAM) guide.

When the resource is added, StrongDM proxies client connections through a node (gateway, relay, or proxy cluster). This enables centralized access control, credential management, and audit logging. You can connect your preferred Athena clients (such as JDBC/ODBC tools or BI applications) through StrongDM to run queries.

Athena requires an S3 query results location for all queries. When configuring the resource in StrongDM, you must supply an S3 bucket path where results will be stored.

Use this guide to prepare your AWS and StrongDM environments, configure the resource with the necessary properties, and test the connection.

For general information about how to add a database as a resource in StrongDM, see our main guide, Add a Datasource.

Supported Versions and Clients

StrongDM supports authentication with Athena using AWS access keys for authentication. IAM roles for authentication are also supported (see the Athena (IAM) guide).

Standard Athena clients (for example, JDBC/ODBC tools, AWS SDK/CLI–backed clients, or BI tools that speak the Athena API) work when configured to reach Athena through StrongDM. Ensure that your client can operate with an S3 query results bucket, as required by Athena.

When using JDBC clients to access Athena, StrongDM supports versions 2.0.5, 2.0.6, and 3.0.0 to 3.6.0. For JDBC v3, a StrongDM certificate is required (see the User Connection section).

Prerequisites

To add your resource in StrongDM, you need to meet several technical and configuration prerequisites. Please ensure that the following requirements are met.

In StrongDM, you must have the following:

• Administrator permission level

• At least one operational StrongDM node (gateway, relay, or proxy cluster) with network access to Athena endpoints.

• If using secrets management tools for storing your credentials, a Secret Store configured in StrongDM

On the AWS side, you must have the following:

• AWS user account with Access Key ID and Secret Access Key credentials.

• The user must have IAM policies that grant Athena access and S3 permissions for the output location. Required actions typically include:

  • Athena: athena:GetQueryExecution, athena:StartQueryExecution

  • S3: s3:PutObject, s3:GetObject, s3:ListBucket, s3:GetBucketLocation

  • (Optional) Glue: for metadata access (glue:GetDatabase, glue:GetTable)

• S3 bucket configured as the query results location

Resource Management in StrongDM

After all prerequisites and prep work is done, you are ready to add the resource to StrongDM. This section provides instructions for adding the resource in either the StrongDM Admin UI, CLI, Terraform provider, or SDKs.

# Add Athena datasource
sdm admin datasources add athena athena-access-keys-prod
  --region="us-east-1"
  --s3-output="s3://aws-athena-query-results-123456789012-us-east-1/strongdm/"
  --workgroup="primary"
  --access-key-id="AKIAEXAMPLE"
  --secret-access-key="secretKeyExample123"
  --port=443
  --bind-interface="127.0.0.1"
  --egress-filter="tag:env=prod"
  --port-override="-1"
  --proxy-cluster-id="n-1a2b345c67890123"
  --secret-store-id="se-e1b2"
  --subdomain="athena-prod"
  --tags="env=production,team=bi"

# Install StrongDM provider
terraform {
  required_providers {
    sdm = {
      source  = "strongdm/sdm"
      version = "5.1.0"
    }
  }
}

# Configure StrongDM provider
provider "sdm" {
  # Add API access key and secret key from Admin UI
  api_access_key = "njjSn...5hM"
  api_secret_key = "ziG...="
}

# Create Athena (Access Keys) resource
resource "sdm_athena" "athena_prod" {
  name                = "athena-access-keys-prod"
  region              = "us-east-1"
  s3_output_location  = "s3://aws-athena-query-results-123456789012-us-east-1/strongdm/"
  workgroup           = "primary"

  access_key_id       = "AKIAEXAMPLE"
  secret_access_key   = "secretKeyExample123"

  # Networking / routing
  port                = 443
  bind_interface      = "127.0.0.1"
  egress_filter       = "tag:env=prod"
  port_override       = 12345
  proxy_cluster_id    = "n-1a2b345c67890123"

  # Secrets / metadata
  secret_store_id     = "se-e1b2"
  subdomain           = "athena-prod"
  tags = {
    env  = "production"
    team = "bi"
  }
}

Configuration Properties

The following configuration properties are required to define an Athena datasource in StrongDM. These settings control how StrongDM connects to the resource, authenticates the connection, and optionally uses encryption or secret management. Each property must be correctly configured to ensure connectivity and access enforcement through StrongDM.

Secret Store options

By default, datasource credentials are stored in StrongDM. However, these credentials can also be saved in a secrets management tool.

Non-StrongDM options appear in the Secret Store dropdown if they are created under Settings > Secrets Management > Secret Stores. When you select another Secret Store type, its unique properties display. For more details, see Configure Secret Store Integrations.

Resource status

After a resource is created, the Admin UI displays that resource as unhealthy until the healthchecks run successfully. When the resource is ready, the Health icon indicates a positive, green status.

When the resource does not display a positive status, click the resource name to go to the Diagnostics tab and check for errors.

User Connection With JDBC v3

For users with JDBC drivers versions 3.0.0 to 3.6.0, users must install the StrongDM DNS CA certificate in order to successfully connect. StrongDM admins can manage this certificate in the Admin UI at Settings > Secrets Management > Certificate Authorities > StrongDM DNS Certificate Authority. They can create, rotate, and delete the certificate there, and can also download it to distribute to end users who plan to use JDBC v3 drivers.

Users can install the certificate using the following command, replacing the cert file name:

keytool -import -cacerts -file dns.cer -alias sdmdns

Additionally, users must set values for the following parameters upon connection:

• ProxyHost: StrongDM hostname for the resource, which must begin with http://; can be found in the desktop app or with sdm status at the CLI

• ProxyPort: StrongDM assigned port for the resource; can be found in the desktop app or with sdm status at the CLI

• Region: Must be us-east-1 regardless of the actual region of the datasource

Example connection string:

jdbc:athena://ProxyHost=http://127.0.0.1;ProxyPort=<PORT>;Region=us-east-1;UID=ANY_VALUE;PWD=ANY_VALUE;OutputLocation=s3://ANY_VALUE;ConnectionTest=FALSE

Test the Connection

After you have added your resource in StrongDM, follow these steps to verify that it’s working correctly.

1. Assign yourself access by ensuring that your user or role has access to the resource. In the StrongDM Admin UI, go to Access > Roles, and verify that the resource is attached to a role you’re in.

2. In the CLI, run sdm status to list the available datasources. Ensure that the Athena resource appears in your list of accessible datasources.

3. Start a session to the resource, as in the following example:

   Copy

   sdm connect athena-access-keys-prod

   This routes your client through StrongDM to Athena. See the CLI Reference documentation for details on sdm connect.

4. Use your Athena client (JDBC/ODBC, BI tool, or AWS CLI) to issue a basic query. Verify results are saved to your specified S3 output location.

5. In the StrongDM Admin UI, check Logs > Queries (and Logs > Connections) to confirm the session and statements were recorded.

When these steps succeed, you’re ready to connect to your resource through StrongDM.

Help

If you encounter issues, please consult the StrongDM Help Center.

Be prepared to provide the following information to StrongDM Support, so that they can inspect logs and confirm node and resource health:

• Resource name or ID

• CLI error output or logs

• Node name and region

• Timestamps of failed attempts