AWS Athena - Assume Role #2442

Closed
thatguyfig opened this issue Apr 29, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@thatguyfig (Contributor)

Description of Feature

Hi,

Currently in GrowthBook, one can configure an Athena Datasource; however, this is a problem for multi-tenant uses of GrowthBook.

Currently with Athena, you have the option of:

  • Use auto-detect, which leverages the instance's IAM instance profile to obtain credentials and interact with Athena, OR
  • Use an IAM user created for programmatic access (secret key + access key) and embed those keys in the connection.

The above two will work fine, but I suggest a rework of this to allow for much more complicated permission setups.

The reason I say this is because:

  • With auto-detect, this basically requires the IAM role to have access to everything it may need to query, which, as a shared resource, could reveal datasets to users who should not have access to see those datasets. Currently you can only set a default database, which doesn't stop users querying other databases in Athena.
  • On the flip side, managing access keys and secret keys specifically for each connection is a major pain, not to mention all the fun involved with revoking those keys if they should be leaked. As you can probably imagine, this gets very complicated the more Athena connections you need, and rotating them regularly would be hard.

What would work much better?

I suggest a third option, maybe named Assume Role, which leverages the current IAM role (the same role found during auto-detect) and uses it to assume another role (the one supplied in the connection setup), i.e. it performs an aws sts assume-role to get temporary credentials via STS. Once this is done, the temporary credentials can be used by the process to interact with Athena.

Ultimately, this means we can completely lock down the instance's role to talk with Athena, and only allow it to use Athena through specially provisioned roles, which restrict the resources it can operate on.

With this feature we could actually consider introducing the Athena datasource to our users.

@thatguyfig thatguyfig added the enhancement New feature or request label Apr 29, 2024
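The flow proposed above (instance role assumes a per-connection role via STS, temporary credentials are then used for Athena), as an added example that is not GrowthBook's code or the PR's. The `assumeRole` callback, the config field names (`roleArn`, `datasourceId`, `externalId`, `durationSeconds`) and the session-name prefix are assumptions; in a real backend you would pass `(p) => stsClient.send(new AssumeRoleCommand(p))` from `@aws-sdk/client-sts` and hand the provider to `new AthenaClient({ credentials: provider })`.

```javascript
// Added example, not GrowthBook code. `assumeRole` is injected so the logic
// runs without the AWS SDK; field names on `config` are assumptions.
const ROLE_ARN_RE = /^arn:aws(-[a-z]+)*:iam::\d{12}:role\/[\w+=,.@/-]+$/;

// Validate the datasource config and turn it into AssumeRole input.
function buildAssumeRoleParams(config) {
  if (!ROLE_ARN_RE.test(config.roleArn)) {
    throw new Error(`invalid role ARN: ${config.roleArn}`);
  }
  // Session names are limited to 64 chars of [\w+=,.@-]; derive it from the
  // datasource id so CloudTrail shows which connection used the role.
  const session = `growthbook-${config.datasourceId}`
    .replace(/[^\w+=,.@-]/g, "-")
    .slice(0, 64);
  // STS rejects durations outside 900..43200 s; keep them short by default.
  const requested = config.durationSeconds ?? 900;
  const duration = Math.min(Math.max(requested, 900), 43200);
  const params = {
    RoleArn: config.roleArn,
    RoleSessionName: session,
    DurationSeconds: duration,
  };
  // ExternalId lets the role's trust policy refuse callers that don't know it.
  if (config.externalId) params.ExternalId = config.externalId;
  return params;
}

// Return an async credential provider that caches the temporary credentials
// and re-assumes the role a few minutes before STS expires them.
function makeAssumeRoleProvider(assumeRole, config, opts = {}) {
  const { refreshMarginMs = 5 * 60 * 1000, now = Date.now } = opts;
  const params = buildAssumeRoleParams(config);
  let cached = null;
  return async function provide() {
    if (cached && cached.expiration.getTime() - now() > refreshMarginMs) {
      return cached;
    }
    const { Credentials: c } = await assumeRole(params);
    cached = {
      accessKeyId: c.AccessKeyId,
      secretAccessKey: c.SecretAccessKey,
      sessionToken: c.SessionToken,
      expiration: new Date(c.Expiration),
    };
    return cached;
  };
}
```

The instance role only needs `sts:AssumeRole` on the per-connection role ARNs, and each of those roles carries the Athena, Glue and S3 permissions for its tenant's data; the role's trust policy can additionally require the `ExternalId`.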
@cleaton

cleaton commented May 2, 2024

This can be achieved with #2438

@thatguyfig (Contributor, Author)

The in-review PR for this feature is here

@jdorn jdorn closed this as completed May 21, 2024