Browser Azure AD credentials - Amazon Athena
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Browser Azure AD credentials

Browser Azure AD is a SAML-based authentication mechanism that works with the Azure AD identity provider and supports multi-factor authentication. Unlike the standard Azure AD authentication mechanism, this mechanism does not require a user name, password, or client secret in the connection parameters. Like the standard Azure AD authentication mechanism, Browser Azure AD also assumes the user has already set up federation between Athena and Azure AD.

Credentials provider

The credentials provider that will be used to authenticate requests to Amazon. Set the value of this parameter to BrowserAzureAD.

Parameter name Alias Parameter type Default value Value to use
CredentialsProvider AWSCredentialsProviderClass (deprecated) Required none BrowserAzureAD

Azure AD tenant ID

The tenant ID of your Azure AD application

Parameter name Alias Parameter type Default value
AzureAdTenantId tenant_id (deprecated) Required none

Azure AD client ID

The client ID of your Azure AD application

Parameter name Alias Parameter type Default value
AzureAdClientId client_id (deprecated) Required none

Identity provider response timeout

The duration, in seconds, before the driver stops waiting for the SAML response from Azure AD.

Parameter name Alias Parameter type Default value
IdpResponseTimeout idp_response_timeout (deprecated) Optional 120

Preferred role

The Amazon Resource Name (ARN) of the role to assume. For information about ARN roles, see AssumeRole in the Amazon Security Token Service API Reference.

Parameter name Alias Parameter type Default value
PreferredRole preferred_role (deprecated) Optional none

Role session duration

The duration, in seconds, of the role session. For more information, see AssumeRole in the Amazon Security Token Service API Reference.

Parameter name Alias Parameter type Default value
RoleSessionDuration Duration (deprecated) Optional 3600

Lake Formation enabled

Specifies whether to use the AssumeDecoratedRoleWithSAML Lake Formation API action to retrieve temporary IAM credentials instead of the AssumeRoleWithSAML Amazon STS API action.

Parameter name Alias Parameter type Default value
LakeFormationEnabled none Optional FALSE