Analyze Amazon DataZone subscribed data with external analytics applications via JDBC connection

Amazon DataZone enables data consumers to easily locate and subscribe to data from multiple sources within a single project and analyze this data using Amazon Athena, Amazon Redshift Query Editor, and Amazon SageMaker.

Amazon DataZone also supports authentication via the Athena JDBC driver that enables users to query their subscribed Amazon DataZone data using popular external SQL and analytics tools, such as SQL Workbench, DBeaver, Tableau, Domino, Power BI and many others. Users can authenticate using their corporate credentials through SSO or IAM and begin analyzing their subscribed data within their Amazon DataZone projects.

Amazon DataZone's support of the Athena JDBC driver provides the following benefits:

Greater tool choice for querying and visualization - data consumers can connect to Amazon DataZone using their preferred tools from a wide range of analytics tools that support a JDBC connection. This enables them to continue using the software they are familiar with without the need to learn new tools for data consumption.
Programmatic access - a JDBC connection to access-governed data via servers or custom applications enables data consumers to perform automated and more complex data operations.

You can use your JDBC URL to connect your external analytics tools to your Amazon DataZone subscribed data. To obtain your JDBC URL, perform the following procedure:

Important

In the current release, Amazon DataZone supports authentication using the Amazon Athena JDBC Driver. To complete this procedure, make sure that you have downloaded and installed the latest Athena JDBC driver for your analytics application of choice.

Navigate to the Amazon DataZone data portal URL and sign in using single sign-on (SSO) or your AWS credentials. If you’re an Amazon DataZone administrator, you can navigate to the Amazon DataZone console at https://console.aws.amazon.com/datazone and sign in with the AWS account where the domain was created, then choose Open data portal.
In the Amazon DataZone data portal, choose Browse Projects List and then find and choose the project where you have the data that you want to analyze.
In the right-hand side panel on the project's home page, choose Connect with JDBC.
In the JDBC parameters pop up window, choose your authentication method (SSO credentials or IAM credentials) and then copy the string or the individual parameters of the JDBC URL. You can then use it to connect to your external analytics application.

When you connect your external analytics application to Amazon DataZone using your JBDC query or parameters, you invoke the RedeemAccessToken API. The RedeemAccessToken API exchanges an Identity Center access token for the AmazonDataZoneDomainExecutionRole credentials, which are used to call the GetEnvironmentCredentials API.

For more information about the authentication mechanism that uses IAM credentials to connect to Amazon DataZone-governed data in Athena, see DataZone IAM Credentials Provider. For more information about the authentication mechanism that enables connecting to Amazon DataZone-governed data in Athena using IAM Identity Center, see DataZone Idc Credentials Provider.

RedeemAccessToken API Reference

Request syntax



POST /sso/redeem-token HTTP/1.1
Content-type: application/json

{
   "domainId": "string",
   "accessToken": "string"
}

Request parameters

The request uses the following parameters.

DomainId

The ID of the Amazon DataZone domain.

Pattern: ^dzd[-_][a-zA-Z0-9_-]{1,36}$

Required: yes

accessToken

The Identity Center access token.

Type: string

Required: yes

Response syntax



HTTP/1.1 200
Content-type: application/json

{
   "credentials": AwsCredentials
}

Response elements

credentials

The AmazonDataZoneDomainExecutionRole credentials that are used to call the GetEnvironmentCredentials API.

Type: Array of AwsCredentials objects. This data type includes the following properties:

accessKeyId: AccessKeyId
secretAccessKey: SecretAccessKey
sessionToken: SessionToken
expiration: Timestamp

accessToken

The Identity Center access token.

Type: string

Required: yes

Errors

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 403

ResourceNotFoundException

The specified resource cannot be found.

HTTP Status Code: 404

ValidationException

The input fails to satisfy the constraints specified by the AWS service.

HTTP Status Code: 400

InternalServerException

The request has failed because of an unknown error, exception or failure.

HTTP Status Code: 500

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Metadata enforcement rules for subscription requests

Fine-grained access control to data