説明
Is your feature request related to a problem? Please describe. The Cubejs Athena driver supports only environment based credentials for permanent credentials according to what I see in the code (i.e. access and secret keys only). However, there are multiple ways to authenticate on AWS, including short-lived credentials that require not only access and security keys, but secret and session tokens. Forcing users to create long-lived credentials on their AWS account to support development or deployment of CubeJS doesn't seem the best way to go.
Describe the solution you'd like One solution is to modify the AthenaDriver credentials setup to use a credentials provider chain including the SharedIniFileCredentials:
const envCreds = new AWS.Credentials({
accessKeyId: process.env.CUBEJS_AWS_KEY,
secretAccessKey: process.env.CUBEJS_AWS_SECRET,
region: process.env.CUBEJS_AWS_REGION});
const ec2Credentials = new AWS.EC2MetadataCredentials();
const sharedCreds = new AWS.SharedIniFileCredentials({profile: process.env.CUBEJS_AWS_PROFILE});
const chain = new AWS.CredentialProviderChain();
chain.providers.push(sharedCreds);
chain.providers.push(ec2Credentials);
chain.providers.push(envCreds);
this.config = {
// accessKeyId: process.env.CUBEJS_AWS_KEY,
// secretAccessKey: process.env.CUBEJS_AWS_SECRET,
credentialProvider: chain,
This chain will try to acquire
- credentials from the user ~/.aws/credentials file using the CUBEJS_AWS_PROFILE profile
- credentials from the EC2 environment (when deployed on AWS, which means using the EC2 instance role)
- credentials from the process.env.CUBEJS_XXX vars as last fallback
Describe alternatives you've considered None for now.
Additional context