Learn more
 

How to Work with Okta Data in AWS Glue Jobs Using JDBC


Connect to Okta from AWS Glue jobs using the CData JDBC Driver hosted in Amazon S3.

AWS Glue is an ETL service from Amazon that allows you to easily prepare and load your data for storage and analytics. Using the PySpark module along with AWS Glue, you can create jobs that work with data over JDBC connectivity, loading the data directly into AWS data stores. In this article, we walk through uploading the CData JDBC Driver for Okta into an Amazon S3 bucket and creating and running an AWS Glue job to extract Okta data and store it in S3 as a CSV file.

Upload the CData JDBC Driver for Okta to an Amazon S3 Bucket

In order to work with the CData JDBC Driver for Okta in AWS Glue, you will need to store it (and any relevant license files) in an Amazon S3 bucket.

  1. Open the Amazon S3 Console.
  2. Select an existing bucket (or create a new one).
  3. Click Upload
  4. Select the JAR file (cdata.jdbc.okta.jar) found in the lib directory in the installation location for the driver.

Configure the Amazon Glue Job

  1. Navigate to ETL -> Jobs from the AWS Glue Console.
  2. Click Add Job to create a new Glue job.
  3. Fill in the Job properties:
    • Name: Fill in a name for the job, for example: OktaGlueJob.
    • IAM Role: Select (or create) an IAM role that has the AWSGlueServiceRole and AmazonS3FullAccess permissions policies. The latter policy is necessary to access both the JDBC Driver and the output destination in Amazon S3.
    • Type: Select "Spark".
    • Glue Version: Select "Spark 2.4, Python 3 (Glue Version 1.0)".
    • This job runs: Select "A new script to be authored by you".
      Populate the script properties:
      • Script file name: A name for the script file, for example: GlueOktaJDBC
      • S3 path where the script is stored: Fill in or browse to an S3 bucket.
      • Temporary directory: Fill in or browse to an S3 bucket.
    • Expand Security configuration, script libraries and job parameters (optional). For Dependent jars path, fill in or browse to the S3 bucket where you uploaded the JAR file. Be sure to include the name of the JAR file itself in the path, i.e.: s3://mybucket/cdata.jdbc.okta.jar
  4. Click Next. Here you will have the option to add connection to other AWS endpoints. So, if your Destination is Redshift, MySQL, etc, you can create and use connections to those data sources.
  5. Click "Save job and edit script" to create the job.
  6. In the editor that opens, write a python script for the job. You can use the sample script (see below) as an example.

Sample Glue Script

To connect to Okta using the CData JDBC driver, you will need to create a JDBC URL, populating the necessary connection properties. Additionally, you will need to set the RTK property in the JDBC URL (unless you are using a Beta driver). You can view the licensing file included in the installation for information on how to set this property.

To connect to Okta, set the Domain connection string property to your Okta domain.

You will use OAuth to authenticate with Okta, so you need to create a custom OAuth application.

Creating a Custom OAuth Application

From your Okta account:

  1. Sign in to your Okta developer edition organization with your administrator account.
  2. In the Admin Console, go to Applications > Applications.
  3. Click Create App Integration.
  4. For the Sign-in method, select OIDC - OpenID Connect.
  5. For Application type, choose Web Application.
  6. Enter a name for your custom application.
  7. Set the Grant Type to Authorization Code. If you want the token to be automatically refreshed, also check Refresh Token.
  8. Set the callback URL:
    • For desktop applications and headless machines, use http://localhost:33333 or another port number of your choice. The URI you set here becomes the CallbackURL property.
    • For web applications, set the callback URL to a trusted redirect URL. This URL is the web location the user returns to with the token that verifies that your application has been granted access.
  9. In the Assignments section, either select Limit access to selected groups and add a group, or skip group assignment for now.
  10. Save the OAuth application.
  11. The application's Client Id and Client Secret are displayed on the application's General tab. Record these for future use. You will use the Client Id to set the OAuthClientId and the Client Secret to set the OAuthClientSecret.
  12. Check the Assignments tab to confirm that all users who must access the application are assigned to the application.
  13. On the Okta API Scopes tab, select the scopes you wish to grant to the OAuth application. These scopes determine the data that the app has permission to read, so a scope for a particular view must be granted for the driver to have permission to query that view. To confirm the scopes required for each view, see the view-specific pages in Data Model < Views in the Help documentation.

Built-in Connection String Designer

For assistance in constructing the JDBC URL, use the connection string designer built into the Okta JDBC Driver. Either double-click the JAR file or execute the JAR file from the command-line.

java -jar cdata.jdbc.okta.jar

Fill in the connection properties and copy the connection string to the clipboard.

To host the JDBC driver in Amazon S3, you will need a license (full or trial) and a Runtime Key (RTK). For more information on obtaining this license (or a trial), contact our sales team.

Below is a sample script that uses the CData JDBC driver with the PySpark and AWSGlue modules to extract Okta data and write it to an S3 bucket in CSV format. Make any necessary changes to the script to suit your needs and save the job.

import sys from awsglue.transforms import * from awsglue.utils import getResolvedOptions from pyspark.context import SparkContext from awsglue.context import GlueContext from awsglue.dynamicframe import DynamicFrame from awsglue.job import Job args = getResolvedOptions(sys.argv, ['JOB_NAME']) sparkContext = SparkContext() glueContext = GlueContext(sparkContext) sparkSession = glueContext.spark_session ##Use the CData JDBC driver to read Okta data from the Users table into a DataFrame ##Note the populated JDBC URL and driver class name source_df = sparkSession.read.format("jdbc").option("url","jdbc:okta:RTK=5246...;Domain=dev-44876464.okta.com;").option("dbtable","Users").option("driver","cdata.jdbc.okta.OktaDriver").load() glueJob = Job(glueContext) glueJob.init(args['JOB_NAME'], args) ##Convert DataFrames to AWS Glue's DynamicFrames Object dynamic_dframe = DynamicFrame.fromDF(source_df, glueContext, "dynamic_df") ##Write the DynamicFrame as a file in CSV format to a folder in an S3 bucket. ##It is possible to write to any Amazon data store (SQL Server, Redshift, etc) by using any previously defined connections. retDatasink4 = glueContext.write_dynamic_frame.from_options(frame = dynamic_dframe, connection_type = "s3", connection_options = {"path": "s3://mybucket/outfiles"}, format = "csv", transformation_ctx = "datasink4") glueJob.commit()

Run the Glue Job

With the script written, we are ready to run the Glue job. Click Run Job and wait for the extract/load to complete. You can view the status of the job from the Jobs page in the AWS Glue Console. Once the Job has succeeded, you will have a CSV file in your S3 bucket with data from the Okta Users table.

Using the CData JDBC Driver for Okta in AWS Glue, you can easily create ETL jobs for Okta data, whether writing the data to an S3 bucket or loading it into any other AWS data store.

Ready to get started?

Download a free trial of the Okta Driver to get started:

 Download Now

Learn more:

Okta Icon Okta JDBC Driver

Rapidly create and deploy powerful Java applications that integrate with Okta.

In this article

Related articles