cube-js/cube

Allow dynamic assumeRoleArn in Athena driver config

Open

#10128 opened on Nov 11, 2025

View on GitHub
 (1 comment) (1 reaction) (0 assignees)Rust (19,563 stars) (1,965 forks)batch import
driver:athenahelp wanted

Description

Apologies if there is another way to do this, but I tried multiple approaches with no results..

Is your feature request related to a problem? Please describe. The Athena driver only reads assumeRoleArn from environment variables. In multi-tenant setups, it is not possible to pass a tenant-specific assume-role ARN via the driver config.

Describe the solution you'd like Allow the driver to accept assumeRoleArn (and optionally assumeRoleExternalId) from the driver config, prioritizing it over the environment variable. Example:

@config("driver_factory")
def driver_factory(context):
  return {
    type: 'athena',
    database: '...',
    assumeRoleArn: 'arn:aws:iam::123456789012:role/cube-tenant-XYZ',
    assumeRoleExternalId: 'optional-external-id',
    accessKeyId: '...',
    secretAccessKey: '...',
    region: 'us-east-1',
    S3OutputLocation: 's3://...',
  }

Describe alternatives you've considered I tried to generate the credentials externally and pass it to the driver but this is also not supported.

Additional context This change would simplify multi-tenant deployments where each tenant uses a unique Athena role.

Contributor guide

Tech stack
nodejsjavascriptaws
Domain
backenddatabasecloud
Issue type
feature
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
1-3 hours
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
fresh
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
mostly clear
Prerequisites
Basic knowledge of Cube.js driver systemFamiliarity with AWS Athena
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
60
Research direction
Review the Athena driver implementation in Cube.js, specifically how it currently reads assumeRoleArn from environment variables. Look at the driver factory config handling in packages/cubejs athena driver. The feature request suggests adding config fields assumeRoleArn and assumeRoleExternalId, with priority over env vars. Check existing driver configuration patterns to ensure consistency. No linked PRs or assignees, so the issue is open for contribution.