Here’s a quick brain dump on common issues customers have been running into while playing around with the Tableau and Athena during the Tableau 10.3 beta:
I can’t see any of my databases in the database drop-down. All that’s there is AwsDataCatalog
In this scenario, there’s nothing actually wrong. The AWS Data Catalog is an internal metadata store that stores information and schemas about the databases and tables that you created for the data stored in S3. Just choose it, and move on:
After you’ve done so, you’ll find your databases in the Schema drop-down:
Note that Tableau has already changed the labels on these two dropdowns from “Database” and “Schema” to “Catalog” and “Database” for the final release of the product. That way folks are less likley to be confused. Here’s what it’ll look like:
com.tableausoftware.jdbc.TableauJDBCException: Exception while connecting to server. User: arn:aws:iam::[account number]:user/athena-user is not authorized to perform: athena:GetExecutionEngine (Service: AmazonAthena; Status Code: 400; Error Code: AccessDeniedException; Request ID: [guid])
There was a Java error
Unable to connect to the server “athena.[region].amazonaws.com”. Check that the server is running and that you have access privileges to the requested database.
EnumerateTables failed: nothing returned.
Whoops! You haven’t given the user in question (athena-user, in this case) permissions to actually use Athena. You need to do so by associating the AmazonAthenaFullAccess policy with the IAM user in question:
More information on this topic can be found here.
com.tableausoftware.jdbc.TableauJDBCException: Exception in runQuery for query: [SELECT statement goes here] Insufficient permissions to execute the query.
There was a Java error.
Are you sure the logged-in IAM user who is attempting to execute the viz has permissions on the s3 bucket (and/or folders) in which the data Athena is trying to read is stored? Doesn’t sound like it.
For example, my “athena-user” ran into the error above after I built the viz while logged in as the IAM user who actually owned the s3 bucket in which the “Athena data” lives. Moral of the story: just because it works for you doesn’t mean it’ll work for others. Add a bucket or user policy granting access to the resources. Below, I’ve created a user policy which resolved the error above for athena-user:
We need to be able to see the stuff in the bucket AND get it.
I am getting the permission after the report is published to server. The report runs successfully from desktop. What would be causing this to occur?
Difficult to say without the exact error message. Please post it?
Here is the error, but I replaced some values with where I felt it might be necessary :
com.tableausoftware.jdbc.TableauJDBCException: Exception while connecting to server.
User: arn:aws:iam:::user/ is not authorized to perform: athena:GetExecutionEngine (Service: AmazonAthena; Status Code: 400; Error Code: AccessDeniedException; Request ID: )
There was a Java error.
Unable to connect to the server “athena..amazonaws.com”. Check that the server is running and that you have access privileges to the requested database
Sounds like you might have forgotten to include (embed) the username/password when you published the workbook to Server.
Also, I assume you installed the driver itself on Server?
The driver is on the server and “Publish Type” is set to “Embedded in workbook” and “Authentication” is set to “Embedded password” for the Data Source. If I make the data source connection an Extract instead of Live then it works but the extract refresh fails with “Sign in failed”. If I try and edit the connection and click the “Test Connection” button with “Embedded password in connection” selected it give an error of “Could not connect to server”.
Weird, sounds like you have most of your bases covered. Is this an on-prem server or are you running Tableau on ec2? Perhaps you’re on a private subnet without a route to Athena (security groups, NAT / Route Tables?
In your shoes, the next thing I’d try is putting a copy Desktop on this box and see if I can connect from the console.