How to connect Datagrip with AWS Athena using an assumed role?

All we need is an easy explanation of the problem, so here it is.

I am able to make Athena queries through the AWS CLI. This requires me to assume a role first (I use awsume). The role requires MFA.

Now I want to configure Datagrip for this as well. However there are two options for authenticating:

  • User/pass – I can put in my AWS key ID and secret, but I think it would fail without the MFA token as well (there is no field for it in Datagrip 2021.1).
  • AWS profile – I figured out what to put into "Profile" – it’s the source_profile in my role’s profile in my ~/.aws/config. However, I can’t figure out what to put under User.

If I put in:

  • The name of the role’s profile
  • The name of the role
  • The ARN of the role
  • My AWS username
    They all fail with the error:

The specified database user/password combination is rejected: [HY000][100071] [Simba]AthenaJDBC An error has been thrown from the AWS Athena client. User: arn:aws:iam::[NUMBER]:user/[MYUSERNAME] is not authorized to perform: athena:ListDataCatalogs [Execution ID not available] User: arn:aws:iam::[NUMBER]:user/[MYUSERNAME] is not authorized to perform: athena:ListDataCatalogs (Service: AmazonAthena; Status Code: 400; Error Code: AccessDeniedException; Request ID: [UUID]; Proxy: null

I get this same error, with my username, even if I put in the role as a User in the Datagrip dialog box.

How to solve :

I know you bored from this bug, So we are here to help you! Take a deep breath and look at the explanation of your problem. We have many solutions to this problem, But we recommend you to use the first method because it is tested & true method that will 100% work for you.

Method 1

I ended up solving this by using a named profile in credentials.

awsume has an option to write the credentials to the file: awsume -o default role-profile-name will write them as [default] in ~/.aws/credentials.

Then in Datagrip, I configured the connection to use default as the profile. The username is apparently not used and can be anything (at least in my case).

For details, see

Note: Use and implement method 1 because this method fully tested our system.
Thank you 🙂

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply