Authentication

<< Click to Display Table of Contents >>

Raynet One Data Hub > 14.0 > Connectors > Alphabetic Connector List > Amazon Athena > Connector Parameters 

Authentication

Access Key ID

This parameter contains the Access Key that is used for the connection to the Session Token Service (STS).

 

Technical Name

access_key_id

Category

Authentication

Type

String

Default Value

n/a

Example Values

 

 

How to get the credentials is described in the official documentation. It is recommended to generate credentials tailored to this connector via the IAM Console. The connector uses this credentials to do the first authentication to AWS. It then gets (and automatically renews) the session credentials for the time of the execution.

 

Secret Access Key

This parameter contains the Secret Access Key that is used for the connection to the Session Token Service (STS).

 

Technical Name

secret_access_key

Category

Authentication

Type

String

Default Value

n/a

Example Values

 

 

How to get the credentials is described in the official documentation. It is recommended to generate credentials tailored to this connector via the IAM Console. The connector uses this credentials to do the first authentication to AWS. It then gets (and automatically renews) the session credentials for the time of the execution.

 

Session Token

This parameter contains the Session Token for the connection to the Session Token Service (STS).

 

Technical Name

session_token

Category

Authentication

Type

String

null

Default Value

null

Example Values

null

 

How to get the credentials is described in the official documentation. It is recommended to generate credentials tailored to this connector via the IAM Console. The connector uses this credentials to do the first authentication to AWS. It then gets (and automatically renews) the session credentials for the time of the execution.

 

Assume Role ARN Chain

Use the Session Token Service (STS) to assume the given roles one after another.

 

Technical Name

master_assume_role_arn_chain

Category

Authentication

Type

String

Default Value

n/a

Example Values

arn:aws:iam::123456789012:role/ROLE_NAME

 

The initial credentials might not have the required permissions for the job. One can perform a privilege escalation with the Assume Role request via STS. For more information on the AWS authentication process read the official documentation. Using a list of roles will chain the assumptions together. The connector gets session credentials for the first role with the initial credentials. Then, with the session credentials it assumes the second role and so on. The last session credentials are used for the actual API accesss. When aggregating data of an Organizational Unit, this chain is used only for the master account of the OU.

 

External ID

This parameter can be used in order to provide an external ID for cross-account access with the Session Token Service (STS).

 

Technical Name

assume_external_id

Category

Authentication

Type

String

null

Default Value

null

Example Values

null, 987654321098

 

The External ID is used with ever role assumption of the Assume Role ARN Chain. Read about the AWS authentication mechanism in the official documentation.

 

List Accounts

This parameter defines the accounts in the OU from which the data will be fetched.

 

Technical Name

sub_account_assume_role_arn_chain

Category

Authentication

Type

String

null

Default Value

null

Example Values

null

arn:aws:iam::{accountId}:role/ROLE_NAME

 

When managing a large number of accounts one can aggregate them in an Organizational Unit (OU). Instead of running the connector for every single account, the connector can fetch the list of accounts from the OU and aggregate the data automatically. When setting this parameter, the last role in the Assume Role Chain must have enough privileges for the ListAccount request. The initial credentials (Access Key ID, Secret Access Key, and Session Token) are reused for the first authentication, but for the cross-account access to the sub-accounts this chain is used instead. Use the placeholder {accountId} in the chain which is replaced by the sub-account IDs at run-time. Leave the chain empty of null to fetch data only from the master account.