Unable to connect to Athena

Hello folks,

Trying to use Amazon Athena Connector together with Amazon Authentication node.
Authentication run successfully (when I test the connection - it is successful as well). Using Access Key Id + Secret Key option there. Connector node fails with following exception (from the log).
Any help will be greatly appreciated.

2020-04-08 18:19:11,790 : ERROR : KNIME-Worker-17-Amazon Athena Connector 0:574 : : Node : Amazon Athena Connector : 0:574 : Execute failed: [Simba]AthenaJDBC Failed to create AWS Credentials Provider class: org.knime.cloud.aws.athena.connector.KNIMEAWSCredentialsProvider.
java.sql.SQLException: [Simba]AthenaJDBC Failed to create AWS Credentials Provider class: org.knime.cloud.aws.athena.connector.KNIMEAWSCredentialsProvider.
at com.simba.athena.athena.utilities.AJUtilities.createAwsCredentialsProvider(Unknown Source)
at com.simba.athena.athena.api.AJClient.(Unknown Source)
at com.simba.athena.athena.core.AJConnection.connect(Unknown Source)
at com.simba.athena.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
at com.simba.athena.jdbc.common.AbstractDriver.connect(Unknown Source)
at org.knime.database.connection.UrlDBConnectionController$ControlledDriver.connect(UrlDBConnectionController.java:95)
at org.knime.database.connection.UrlDBConnectionController.createConnection(UrlDBConnectionController.java:308)
at org.knime.database.connection.AbstractConnectionProvider.createConnection(AbstractConnectionProvider.java:89)
at org.knime.database.connection.impl.DBConnectionManager.lambda$2(DBConnectionManager.java:458)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
Caused by: com.simba.athena.support.exceptions.GeneralException: [Simba]AthenaJDBC Failed to create AWS Credentials Provider class: org.knime.cloud.aws.athena.connector.KNIMEAWSCredentialsProvider.
… 12 more
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at com.simba.athena.athena.utilities.AJUtilities.createAwsCredentialsProvider(Unknown Source)
at com.simba.athena.athena.api.AJClient.(Unknown Source)
at com.simba.athena.athena.core.AJConnection.connect(Unknown Source)
at com.simba.athena.jdbc.common.BaseConnectionFactory.doConnect(Unknown Source)
at com.simba.athena.jdbc.common.AbstractDriver.connect(Unknown Source)
at org.knime.database.connection.UrlDBConnectionController$ControlledDriver.connect(UrlDBConnectionController.java:95)
at org.knime.database.connection.UrlDBConnectionController.createConnection(UrlDBConnectionController.java:308)
at org.knime.database.connection.AbstractConnectionProvider.createConnection(AbstractConnectionProvider.java:89)
at org.knime.database.connection.impl.DBConnectionManager.lambda$2(DBConnectionManager.java:458)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.IllegalStateException: com.simba.athena.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: 1 validation error detected: Value ‘arn:aws:iam:::role/’ at ‘roleArn’ failed to satisfy constraint: Member must have length greater than or equal to 20 (Service: AWSSecurityTokenService; Status Code: 400; Error Code: ValidationError; Request ID: …)
at org.knime.cloud.aws.athena.connector.KNIMEAWSCredentialsProvider.(KNIMEAWSCredentialsProvider.java:84)
… 17 more
Caused by: com.simba.athena.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: 1 validation error detected: Value ‘arn:aws:iam:::role/’ at ‘roleArn’ failed to satisfy constraint: Member must have length greater than or equal to 20 (Service: AWSSecurityTokenService; Status Code: 400; Error Code: ValidationError; Request ID: …)
at com.simba.athena.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1712)
at com.simba.athena.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1367)
at com.simba.athena.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1113)
at com.simba.athena.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:770)
at com.simba.athena.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:744)
at com.simba.athena.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:726)
at com.simba.athena.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:686)
at com.simba.athena.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:668)
at com.simba.athena.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:532)
at com.simba.athena.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:512)
at com.simba.athena.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1389)
at com.simba.athena.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1356)
at com.simba.athena.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1345)
at com.simba.athena.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.executeAssumeRole(AWSSecurityTokenServiceClient.java:528)
at com.simba.athena.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.assumeRole(AWSSecurityTokenServiceClient.java:500)
at org.knime.cloud.aws.athena.connector.KNIMEAWSCredentialsProvider.getCredential(KNIMEAWSCredentialsProvider.java:123)
at org.knime.cloud.aws.athena.connector.KNIMEAWSCredentialsProvider.(KNIMEAWSCredentialsProvider.java:82)
… 17 more

Hi there @gpamukov,

just to check are you using pre-built driver or you added your own? If latter is the case then you should use DB Connector node as stated in node description.

Br,
Ivan

Hey @ipazin,

Thanks for your response. I’m using the built in driver (there is actually no option to use different one with the dedicated Athena connector).

Thanks and Best Regards,

Hi @gpamukov,

good to know. Then you need an expert

Br,
Ivan

Hi!
This part suggests that some information on the role to use for authentication and the account ID are missing:

This value should be arn:aws:iam::account-id:role/role-name-with-path. Can you make sure all info is set up correctly in the Amazon Authentication node and the Athena connector?
Kind regards
Alexander

Hey @AlexanderFillbrunn,
Thank you very much for your response.
Yes I believe everything is set properly. Role and account are not applicable here because we are using the Access Key/Secret Key option:
This is the authentication node (connection is successful when I test):

image412×618 13.9 KB

And this is the connector (failing with the exception above):

image669×565 15.6 KB

image670×561 10.7 KB

Am I missing something?
Thank you very much in advance!

Best Regards,

Hi gpamukov,

you also might need to switch the role when using the access key/secret key option. This option is independent of the way the access and secret key are obtained from.

Can you check if you are are able to browse the S3 file system using the Amazon S3 Connector and the List Remote Files node.

Thanks
Tobias

Hello @tobias.koetter,

I have the same issue on my workflow.
I’m using those nodes with access key et secret key.

We have tried few tricks but I’m still stuck with this error :

Caused by: java.lang.IllegalStateException: com.simba.athena.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn:aws:iam::833974495872:user/shoppingfeed-cloudformation is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::shopping-feed-testing:role/continuous (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: 7fb2a531-45b7-4e83-af82-024a926b77a5)
at org.knime.cloud.aws.athena.connector.KNIMEAWSCredentialsProvider.(KNIMEAWSCredentialsProvider.java:84)

We’ve tried with the switch role button, who is an admin account, but we still can’t connect.

2020-06-17 10:36:17,377 : ERROR : KNIME-Worker-30-Amazon Athena Connector 2:2 : : Node : Amazon Athena Connector : 2:2 : Execute failed: [Simba]AthenaJDBC Failed to create AWS Credentials Provider class: org.knime.cloud.aws.athena.connector.KNIMEAWSCredentialsProvider.
java.sql.SQLException: [Simba]AthenaJDBC Failed to create AWS Credentials Provider class: org.knime.cloud.aws.athena.connector.KNIMEAWSCredentialsProvider.

I’ve done what you have written (browse S3 file system with S3 connector and list remote files) and I’m able to list those files.

So I don’t know what I can do now to solve this.

Thanks for your help.

Hello MathieuSF,
this is a problem in the authentication part of the Athena Connector node. It always tries to perform a role switch which fails in your case. We will fix this problem with the next KNIME release.
Until then you can use the DB Connector node and specify the required parameters via the JDBC Parameters tab.
Sorry for the inconveniences.
Bye
Tobias

This topic was automatically closed 182 days after the last reply. New replies are no longer allowed.