When using AWS’s API for a number of APIs, you can use VPC endpoints to avoid exiting the private network to go to the public API endpoints.

See https://aws.amazon.com/about-aws/whats-new/2019/10/amazon-athena-now-provides-an-interface-VPC-endpoint/ and https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-aws-services.html.

In Python this is supported via the boto3 endpoint_url setting when creating a client.

It would be nice to be able to configure both the Athena and S3 endpoint URL in Redash to avoid public network transit from both a security and cost perspective.

Welcome to the forum and awesome idea! Would you like to have a try at implementing this change to the Athena query runner? I’m happy to answer any questions as you go.

I started to dig in a bit to see what impact it would have on the codebase and found it uses pyathena, and I am a bit concerned that it does not seem to differentiate between connection args for Athena vs S3. I’ll confirm my suspicion and open a ticket with them if that’s the case.


Great! I have it on my list to update all our S3-related connectors to support IAM auth, which will involve fiddling around with some of this code also. So if the change you suggest is pretty involved I may try to include it in that effort.

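A sketch of the per-service configuration discussed in this thread, added as an example and not part of any post, Redash, or pyathena: it keeps separate boto3 `endpoint_url` values for Athena and S3 and only accepts HTTPS interface-endpoint hostnames for the configured region, so signed requests are not sent to an arbitrary host. The option names `athena_endpoint_url` and `s3_endpoint_url`, the helper functions, and the sample endpoint IDs are assumptions.

```python
from urllib.parse import urlparse

# Hypothetical option names, one per service; not Redash's own settings.
ENDPOINT_OPTIONS = {"athena": "athena_endpoint_url", "s3": "s3_endpoint_url"}

# Constructed sample configuration; the endpoint IDs are made up.
SAMPLE_CONFIG = {
    "region": "us-east-1",
    "athena_endpoint_url": "https://vpce-0a1b2c3d-example.athena.us-east-1.vpce.amazonaws.com",
    "s3_endpoint_url": "https://bucket.vpce-0e4f5a6b-example.s3.us-east-1.vpce.amazonaws.com",
}


def validated_endpoint(service, region, url):
    """Return url if it names an HTTPS interface endpoint for service/region.

    An empty value returns None, meaning "use the default regional endpoint".
    """
    if not url:
        return None
    parts = urlparse(url)
    host = parts.hostname or ""
    suffix = f".{service}.{region}.vpce.amazonaws.com"
    if parts.scheme != "https" or parts.username or parts.path not in ("", "/"):
        raise ValueError(f"{service}: endpoint must be a bare https:// URL")
    # The label directly left of the suffix is the endpoint ID (vpce-...).
    if not host.endswith(suffix) or not host[: -len(suffix)].rsplit(".", 1)[-1].startswith("vpce-"):
        raise ValueError(f"{service}: {host!r} is not a {region} VPC endpoint")
    return url


def client_kwargs(config, service):
    """Build boto3.client() keyword arguments for one service."""
    kwargs = {"region_name": config["region"]}
    endpoint = validated_endpoint(service, config["region"], config.get(ENDPOINT_OPTIONS[service]))
    if endpoint:
        kwargs["endpoint_url"] = endpoint
    return kwargs


def make_clients(config):
    """Create separate Athena and S3 clients, each with its own endpoint."""
    import boto3  # imported here so the validation above runs without boto3

    return {svc: boto3.client(svc, **client_kwargs(config, svc)) for svc in ENDPOINT_OPTIONS}
```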