# Using a Cassandra client driver to access Amazon Keyspaces programmatically
You can use many third-party, open-source Cassandra drivers to connect to Amazon Keyspaces. Amazon Keyspaces is compatible with Cassandra drivers that support Apache Cassandra version 3.11.2. These are the drivers and latest versions that we’ve tested and recommend to use with Amazon Keyspaces:
+ `Java v3.3`
+ `Java v4.17`
+ `Python Cassandra-driver 3.29.1`
+ `Node.js cassandra driver -v 4.7.2`
+ `GO using GOCQL v1.6`
+ `.NET CassandraCSharpDriver -v 3.20.1`
For more information about Cassandra drivers, see [Apache Cassandra Client drivers](https://cassandra.apache.org/doc/stable/cassandra/getting-started/drivers.html).
**Note**
To help you get started, you can view and download end-to-end code examples that establish connections to Amazon Keyspaces with popular drivers. See [Amazon Keyspaces examples](https://github.com/aws-samples/amazon-keyspaces-examples) on GitHub.
The tutorials in this chapter include a simple CQL query to confirm that the connection to Amazon Keyspaces has been successfully established. To learn how to work with keyspaces and tables after you connect to an Amazon Keyspaces endpoint, see [CQL language reference for Amazon Keyspaces (for Apache Cassandra)](cql.md). For a step-by-step tutorial that shows how to connect to Amazon Keyspaces from an Amazon VPC endpoint, see [Tutorial: Connect to Amazon Keyspaces using an interface VPC endpoint](vpc-endpoints-tutorial.md).
**Topics**
+ [
# Using a Cassandra Java client driver to access Amazon Keyspaces programmatically
](using_java_driver.md)
+ [
# Using a Cassandra Python client driver to access Amazon Keyspaces programmatically
](using_python_driver.md)
+ [
# Using a Cassandra Node.js client driver to access Amazon Keyspaces programmatically
](using_nodejs_driver.md)
+ [
# Using a Cassandra .NET Core client driver to access Amazon Keyspaces programmatically
](using_dotnetcore_driver.md)
+ [
# Using a Cassandra Go client driver to access Amazon Keyspaces programmatically
](using_go_driver.md)
+ [
# Using a Cassandra Perl client driver to access Amazon Keyspaces programmatically
](using_perl_driver.md)
# Using a Cassandra Java client driver to access Amazon Keyspaces programmatically
This section shows you how to connect to Amazon Keyspaces by using a Java client driver.
**Note**
Java 17 and the DataStax Java Driver 4.17 are currently only in Beta support. For more information, see [https://docs.datastax.com/en/developer/java-driver/4.17/upgrade_guide/](https://docs.datastax.com/en/developer/java-driver/4.17/upgrade_guide/).
To provide users and applications with credentials for programmatic access to Amazon Keyspaces resources, you can do either of the following:
+ Create service-specific credentials that are associated with a specific AWS Identity and Access Management (IAM) user.
+ For enhanced security, we recommend to create IAM access keys for IAM identities that are used across all AWS services. The Amazon Keyspaces SigV4 authentication plugin for Cassandra client drivers enables you to authenticate calls to Amazon Keyspaces using IAM access keys instead of user name and password. For more information, see [Create and configure AWS credentials for Amazon Keyspaces](access.credentials.md).
**Note**
For an example how to use Amazon Keyspaces with Spring Boot, see [https://github.com/aws-samples/amazon-keyspaces-examples/tree/main/java/datastax-v4/spring](https://github.com/aws-samples/amazon-keyspaces-examples/tree/main/java/datastax-v4/spring).
**Topics**
+ [
## Before you begin
](#using_java_driver.BeforeYouBegin)
+ [
## Step-by-step tutorial to connect to Amazon Keyspaces using the DataStax Java driver for Apache Cassandra using service-specific credentials
](#java_tutorial)
+ [
## Step-by-step tutorial to connect to Amazon Keyspaces using the 4.x DataStax Java driver for Apache Cassandra and the SigV4 authentication plugin
](#java_tutorial.SigV4)
+ [
## Connect to Amazon Keyspaces using the 3.x DataStax Java driver for Apache Cassandra and the SigV4 authentication plugin
](#java3x_tutorial.SigV4)
## Before you begin
To connect to Amazon Keyspaces, you need to complete the following tasks before you can start.
1. Amazon Keyspaces requires the use of Transport Layer Security (TLS) to help secure connections with clients.
1. Download the following digital certificates and save the files locally or in your home directory.
1. AmazonRootCA1
1. AmazonRootCA2
1. AmazonRootCA3
1. AmazonRootCA4
1. Starfield Class 2 Root (optional – for backward compatibility)
To download the certificates, you can use the following commands.
```
curl -O https://www.amazontrust.com/repository/AmazonRootCA1.pem
curl -O https://www.amazontrust.com/repository/AmazonRootCA2.pem
curl -O https://www.amazontrust.com/repository/AmazonRootCA3.pem
curl -O https://www.amazontrust.com/repository/AmazonRootCA4.pem
curl -O https://certs.secureserver.net/repository/sf-class2-root.crt
```
**Note**
Amazon Keyspaces previously used TLS certificates anchored to the Starfield Class 2 CA. AWS is migrating all AWS Regions to certificates issued under Amazon Trust Services (Amazon Root CAs 1–4). During this transition, configure clients to trust both Amazon Root CAs 1–4 and the Starfield root to ensure compatibility across all Regions.
1. Convert the digital certificates into trustStore files and add them to the keystore.
```
openssl x509 -outform der -in AmazonRootCA1.pem -out temp_file.der
keytool -import -alias amazon-root-ca-1 -keystore cassandra_truststore.jks -file temp_file.der
openssl x509 -outform der -in AmazonRootCA2.pem -out temp_file.der
keytool -import -alias amazon-root-ca-2 -keystore cassandra_truststore.jks -file temp_file.der
openssl x509 -outform der -in AmazonRootCA3.pem -out temp_file.der
keytool -import -alias amazon-root-ca-3 -keystore cassandra_truststore.jks -file temp_file.der
openssl x509 -outform der -in AmazonRootCA4.pem -out temp_file.der
keytool -import -alias amazon-root-ca-4 -keystore cassandra_truststore.jks -file temp_file.der
openssl x509 -outform der -in sf-class2-root.crt -out temp_file.der
keytool -import -alias cassandra -keystore cassandra_truststore.jks -file temp_file.der
```
In the last step, you need to create a password for the keystore and trust each certificate. The interactive command looks like this.
```
Enter keystore password:
Re-enter new password:
Owner: CN=Amazon Root CA 1, O=Amazon, C=US
Issuer: CN=Amazon Root CA 1, O=Amazon, C=US
Serial number: 66c9fcf99bf8c0a39e2f0788a43e696365bca
Valid from: Tue May 26 00:00:00 UTC 2015 until: Sun Jan 17 00:00:00 UTC 2038
Certificate fingerprints:
SHA1: 8D:A7:F9:65:EC:5E:FC:37:91:0F:1C:6E:59:FD:C1:CC:6A:6E:DE:16
SHA256: 8E:CD:E6:88:4F:3D:87:B1:12:5B:A3:1A:C3:FC:B1:3D:70:16:DE:7F:57:CC:90:4F:E1:CB:97:C6:AE:98:19:6E
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 84 18 CC 85 34 EC BC 0C 94 94 2E 08 59 9C C7 B2 ....4.......Y...
0010: 10 4E 0A 08 .N..
]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
Enter keystore password:
Owner: CN=Amazon Root CA 2, O=Amazon, C=US
Issuer: CN=Amazon Root CA 2, O=Amazon, C=US
Serial number: 66c9fd29635869f0a0fe58678f85b26bb8a37
Valid from: Tue May 26 00:00:00 UTC 2015 until: Sat May 26 00:00:00 UTC 2040
Certificate fingerprints:
SHA1: 5A:8C:EF:45:D7:A6:98:59:76:7A:8C:8B:44:96:B5:78:CF:47:4B:1A
SHA256: 1B:A5:B2:AA:8C:65:40:1A:82:96:01:18:F8:0B:EC:4F:62:30:4D:83:CE:C4:71:3A:19:C3:9C:01:1E:A4:6D:B4
Signature algorithm name: SHA384withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: B0 0C F0 4C 30 F4 05 58 02 48 FD 33 E5 52 AF 4B ...L0..X.H.3.R.K
0010: 84 E3 66 52 ..fR
]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
Enter keystore password:
Owner: CN=Amazon Root CA 3, O=Amazon, C=US
Issuer: CN=Amazon Root CA 3, O=Amazon, C=US
Serial number: 66c9fd5749736663f3b0b9ad9e89e7603f24a
Valid from: Tue May 26 00:00:00 UTC 2015 until: Sat May 26 00:00:00 UTC 2040
Certificate fingerprints:
SHA1: 0D:44:DD:8C:3C:8C:1A:1A:58:75:64:81:E9:0F:2E:2A:FF:B3:D2:6E
SHA256: 18:CE:6C:FE:7B:F1:4E:60:B2:E3:47:B8:DF:E8:68:CB:31:D0:2E:BB:3A:DA:27:15:69:F5:03:43:B4:6D:B3:A4
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: 256-bit EC (secp256r1) key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: AB B6 DB D7 06 9E 37 AC 30 86 07 91 70 C7 9C C4 ......7.0...p...
0010: 19 B1 78 C0 ..x.
]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
Enter keystore password:
Owner: CN=Amazon Root CA 4, O=Amazon, C=US
Issuer: CN=Amazon Root CA 4, O=Amazon, C=US
Serial number: 66c9fd7c1bb104c2943e5717b7b2cc81ac10e
Valid from: Tue May 26 00:00:00 UTC 2015 until: Sat May 26 00:00:00 UTC 2040
Certificate fingerprints:
SHA1: F6:10:84:07:D6:F8:BB:67:98:0C:C2:E2:44:C2:EB:AE:1C:EF:63:BE
SHA256: E3:5D:28:41:9E:D0:20:25:CF:A6:90:38:CD:62:39:62:45:8D:A5:C6:95:FB:DE:A3:C2:2B:0B:FB:25:89:70:92
Signature algorithm name: SHA384withECDSA
Subject Public Key Algorithm: 384-bit EC (secp384r1) key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D3 EC C7 3A 65 6E CC E1 DA 76 9A 56 FB 9C F3 86 ...:en...v.V....
0010: 6D 57 E5 81 mW..
]
]
Trust this certificate? [no]: yes
Certificate was added to keystore
Enter keystore password:
Owner: OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US
Issuer: OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US
Serial number: 0
Valid from: Tue Jun 29 17:39:16 UTC 2004 until: Thu Jun 29 17:39:16 UTC 2034
Certificate fingerprints:
SHA1: AD:7E:1C:28:B0:64:EF:8F:60:03:40:20:14:C3:D0:E3:37:0E:B5:8A
SHA256: 14:65:FA:20:53:97:B8:76:FA:A6:F0:A9:95:8E:55:90:E4:0F:CC:7F:AA:4F:B7:C2:C8:67:75:21:FB:5F:B6:58
Signature algorithm name: SHA1withRSA (weak)
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: BF 5F B7 D1 CE DD 1F 86 F4 5B 55 AC DC D7 10 C2 ._.......[U.....
0010: 0E A9 88 E7 ....
]
[OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US]
SerialNumber: [ 00]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: BF 5F B7 D1 CE DD 1F 86 F4 5B 55 AC DC D7 10 C2 ._.......[U.....
0010: 0E A9 88 E7 ....
]
]
Warning:
The input uses the SHA1withRSA signature algorithm which is considered a security risk. This algorithm will be disabled in a future update.
Trust this certificate? [no]: yes
Certificate was added to keystore
```
1. Attach the trustStore file in the JVM arguments:
```
-Djavax.net.ssl.trustStore=path_to_file/cassandra_truststore.jks
-Djavax.net.ssl.trustStorePassword=my_password
```
## Step-by-step tutorial to connect to Amazon Keyspaces using the DataStax Java driver for Apache Cassandra using service-specific credentials
The following step-by-step tutorial walks you through connecting to Amazon Keyspaces using a Java driver for Cassandra using service-specific credentials. Specifically, you'll use the 4.0 version of the DataStax Java driver for Apache Cassandra.
**Topics**
+ [
### Step 1: Prerequisites
](#java_tutorial.prereq)
+ [
### Step 2: Configure the driver
](#java_tutorial.driverconfiguration)
+ [
### Step 3: Run the sample application
](#java_tutorial.application)
### Step 1: Prerequisites
To follow this tutorial, you need to generate service-specific credentials and add the DataStax Java driver for Apache Cassandra to your Java project.
+ Generate service-specific credentials for your Amazon Keyspaces IAM user by completing the steps in [Create service-specific credentials for programmatic access to Amazon Keyspaces](programmatic.credentials.ssc.md). If you prefer to use IAM access keys for authentication, see [Step-by-step tutorial to connect to Amazon Keyspaces using the 4.x DataStax Java driver for Apache Cassandra and the SigV4 authentication plugin](#java_tutorial.SigV4).
+ Add the DataStax Java driver for Apache Cassandra to your Java project. Ensure that you're using a version of the driver that supports Apache Cassandra 3.11.2. For more information, see the [DataStax Java driver for Apache Cassandra documentation](https://github.com/datastax/java-driver).
### Step 2: Configure the driver
You can specify settings for the DataStax Java Cassandra driver by creating a configuration file for your application. This configuration file overrides the default settings and tells the driver to connect to the Amazon Keyspaces service endpoint using port 9142. For a list of available service endpoints, see [Service endpoints for Amazon Keyspaces](programmatic.endpoints.md).
Create a configuration file and save the file in the application's resources folder—for example, `src/main/resources/application.conf`. Open `application.conf` and add the following configuration settings.
1. **Authentication provider** – Create the authentication provider with the `PlainTextAuthProvider` class. *ServiceUserName* and *ServicePassword* should match the user name and password you obtained when you generated the service-specific credentials by following the steps in [Create service-specific credentials for programmatic access to Amazon Keyspaces](programmatic.credentials.ssc.md).
**Note**
You can use short-term credentials by using the authentication plugin for the DataStax Java driver for Apache Cassandra instead of hardcoding credentials in your driver configuration file. To learn more, follow the instructions for the [Step-by-step tutorial to connect to Amazon Keyspaces using the 4.x DataStax Java driver for Apache Cassandra and the SigV4 authentication plugin](#java_tutorial.SigV4).
1. **Local data center** – Set the value for `local-datacenter` to the Region you're connecting to. For example, if the application is connecting to `cassandra.us-east-2.amazonaws.com`, then set the local data center to `us-east-2`. For all available AWS Regions, see [Service endpoints for Amazon Keyspaces](programmatic.endpoints.md). Set `slow-replica-avoidance = false` to load balance against fewer nodes.
1. **SSL/TLS** – Initialize the SSLEngineFactory by adding a section in the configuration file with a single line that specifies the class with `class = DefaultSslEngineFactory`. Provide the path to the trustStore file and the password that you created previously. Amazon Keyspaces doesn't support `hostname-validation` of peers, so set this option to false.
```
datastax-java-driver {
basic.contact-points = [ "cassandra.us-east-2.amazonaws.com:9142"]
advanced.auth-provider{
class = PlainTextAuthProvider
username = "ServiceUserName"
password = "ServicePassword"
}
basic.load-balancing-policy {
local-datacenter = "us-east-2"
slow-replica-avoidance = false
}
advanced.ssl-engine-factory {
class = DefaultSslEngineFactory
truststore-path = "./src/main/resources/cassandra_truststore.jks"
truststore-password = "my_password"
hostname-validation = false
}
}
```
**Note**
Instead of adding the path to the trustStore in the configuration file, you can also add the trustStore path directly in the application code or you can add the path to the trustStore to your JVM arguments.
### Step 3: Run the sample application
This code example shows a simple command line application that creates a connection pool to Amazon Keyspaces by using the configuration file we created earlier. It confirms that the connection is established by running a simple query.
```
package ;
// add the following imports to your project
import com.datastax.oss.driver.api.core.CqlSession;
import com.datastax.oss.driver.api.core.config.DriverConfigLoader;
import com.datastax.oss.driver.api.core.cql.ResultSet;
import com.datastax.oss.driver.api.core.cql.Row;
public class App
{
public static void main( String[] args )
{
//Use DriverConfigLoader to load your configuration file
DriverConfigLoader loader = DriverConfigLoader.fromClasspath("application.conf");
try (CqlSession session = CqlSession.builder()
.withConfigLoader(loader)
.build()) {
ResultSet rs = session.execute("select * from system_schema.keyspaces");
Row row = rs.one();
System.out.println(row.getString("keyspace_name"));
}
}
}
```
**Note**
Use a `try` block to establish the connection to ensure that it's always closed. If you don't use a `try` block, remember to close your connection to avoid leaking resources.
## Step-by-step tutorial to connect to Amazon Keyspaces using the 4.x DataStax Java driver for Apache Cassandra and the SigV4 authentication plugin
The following section describes how to use the SigV4 authentication plugin for the open-source 4.x DataStax Java driver for Apache Cassandra to access Amazon Keyspaces (for Apache Cassandra). The plugin is available from the [GitHub repository](https://github.com/aws/aws-sigv4-auth-cassandra-java-driver-plugin).
The SigV4 authentication plugin allows you to use IAM credentials for users or roles when connecting to Amazon Keyspaces. Instead of requiring a user name and password, this plugin signs API requests using access keys. For more information, see [Create and configure AWS credentials for Amazon Keyspaces](access.credentials.md).
### Step 1: Prerequisites
To follow this tutorial, you need to complete the following tasks.
+ If you haven't already done so, create credentials for your IAM user or role following the steps at [Create and configure AWS credentials for Amazon Keyspaces](access.credentials.md). This tutorial assumes that the access keys are stored as environment variables. For more information, see [Store access keys for programmatic access](aws.credentials.manage.md).
+ Add the DataStax Java driver for Apache Cassandra to your Java project. Ensure that you're using a version of the driver that supports Apache Cassandra 3.11.2. For more information, see the [DataStax Java Driver for Apache Cassandra documentation](https://github.com/datastax/java-driver).
+ Add the authentication plugin to your application. The authentication plugin supports version 4.x of the DataStax Java driver for Apache Cassandra. If you’re using Apache Maven, or a build system that can use Maven dependencies, add the following dependencies to your `pom.xml` file.
**Important**
Replace the version of the plugin with the latest version as shown at [GitHub repository](https://github.com/aws/aws-sigv4-auth-cassandra-java-driver-plugin#add-the-authentication-plugin-to-the-application).
```
software.aws.mcs
aws-sigv4-auth-cassandra-java-driver-plugin
4.0.9
```
### Step 2: Configure the driver
You can specify settings for the DataStax Java Cassandra driver by creating a configuration file for your application. This configuration file overrides the default settings and tells the driver to connect to the Amazon Keyspaces service endpoint using port 9142. For a list of available service endpoints, see [Service endpoints for Amazon Keyspaces](programmatic.endpoints.md).
Create a configuration file and save the file in the application's resources folder—for example, `src/main/resources/application.conf`. Open `application.conf` and add the following configuration settings.
1. **Authentication provider** – Set the `advanced.auth-provider.class` to a new instance of `software.aws.mcs.auth.SigV4AuthProvider`. The SigV4AuthProvider is the authentication handler provided by the plugin for performing SigV4 authentication.
1. **Local data center** – Set the value for `local-datacenter` to the Region you're connecting to. For example, if the application is connecting to `cassandra.us-east-2.amazonaws.com`, then set the local data center to `us-east-2`. For all available AWS Regions, see [Service endpoints for Amazon Keyspaces](programmatic.endpoints.md). Set `slow-replica-avoidance = false` to load balance against all available nodes.
1. **Idempotence** – Set the default `idempotence` for the application to `true` to configure the driver to always retry failed read/write/prepare/execute requests. This is a best practice for distributed applications that helps to handle transient failures by retrying failed requests.
1. **SSL/TLS** – Initialize the SSLEngineFactory by adding a section in the configuration file with a single line that specifies the class with `class = DefaultSslEngineFactory`. Provide the path to the trustStore file and the password that you created previously. Amazon Keyspaces doesn't support `hostname-validation` of peers, so set this option to false.
1. **Connections** – Create at least 3 local connections per endpoint by setting `local.size = 3`. This is a best practice that helps your application to handle overhead and traffic bursts. For more information about how to calculate how many local connections per endpoint your application needs based on expected traffic patterns, see [How to configure connections in Amazon Keyspaces](connections.md#connections.howtoconfigure).
1. **Retry policy** – Implement the Amazon Keyspaces retry policy `AmazonKeyspacesExponentialRetryPolicy` instead of the `DefaultRetryPolicy` that comes with the Cassandra driver. This allows you to configure the number of retry attempts for the `AmazonKeyspacesExponentialRetryPolicy` that meets your needs. By default, the number of retry attempts for the `AmazonKeyspacesExponentialRetryPolicy` is set to 3. For more information, see [How to configure the retry policy for connections in Amazon Keyspaces](connections.md#connections.retry-policies).
1. **Prepared statements** – Set `prepare-on-all-nodes` to false to optimize network usage.
```
datastax-java-driver {
basic {
contact-points = [ "cassandra.us-east-2.amazonaws.com:9142"]
request {
timeout = 2 seconds
consistency = LOCAL_QUORUM
page-size = 1024
default-idempotence = true
}
load-balancing-policy {
local-datacenter = "us-east-2"
class = DefaultLoadBalancingPolicy
slow-replica-avoidance = false
}
}
advanced {
auth-provider {
class = software.aws.mcs.auth.SigV4AuthProvider
aws-region = us-east-2
}
ssl-engine-factory {
class = DefaultSslEngineFactory
truststore-path = "./src/main/resources/cassandra_truststore.jks"
truststore-password = "my_password"
hostname-validation = false
}
connection {
connect-timeout = 5 seconds
max-requests-per-connection = 512
pool {
local.size = 3
}
}
retry-policy {
class = com.aws.ssa.keyspaces.retry.AmazonKeyspacesExponentialRetryPolicy
max-attempts = 3
min-wait = 10 mills
max-wait = 100 mills
}
prepared-statements {
prepare-on-all-nodes = false
}
}
}
```
**Note**
Instead of adding the path to the trustStore in the configuration file, you can also add the trustStore path directly in the application code or you can add the path to the trustStore to your JVM arguments.
### Step 3: Run the application
This code example shows a simple command line application that creates a connection pool to Amazon Keyspaces by using the configuration file we created earlier. It confirms that the connection is established by running a simple query.
```
package ;
// add the following imports to your project
import com.datastax.oss.driver.api.core.CqlSession;
import com.datastax.oss.driver.api.core.config.DriverConfigLoader;
import com.datastax.oss.driver.api.core.cql.ResultSet;
import com.datastax.oss.driver.api.core.cql.Row;
public class App
{
public static void main( String[] args )
{
//Use DriverConfigLoader to load your configuration file
DriverConfigLoader loader = DriverConfigLoader.fromClasspath("application.conf");
try (CqlSession session = CqlSession.builder()
.withConfigLoader(loader)
.build()) {
ResultSet rs = session.execute("select * from system_schema.keyspaces");
Row row = rs.one();
System.out.println(row.getString("keyspace_name"));
}
}
}
```
**Note**
Use a `try` block to establish the connection to ensure that it's always closed. If you don't use a `try` block, remember to close your connection to avoid leaking resources.
## Connect to Amazon Keyspaces using the 3.x DataStax Java driver for Apache Cassandra and the SigV4 authentication plugin
The following section describes how to use the SigV4 authentication plugin for the 3.x open-source DataStax Java driver for Apache Cassandra to access Amazon Keyspaces. The plugin is available from the [GitHub repository](https://github.com/aws/aws-sigv4-auth-cassandra-java-driver-plugin/tree/3.x-Driver-Compatible).
The SigV4 authentication plugin allows you to use IAM credentials for users and roles when connecting to Amazon Keyspaces. Instead of requiring a user name and password, this plugin signs API requests using access keys. For more information, see [Create and configure AWS credentials for Amazon Keyspaces](access.credentials.md).
### Step 1: Prerequisites
To run this code sample, you first need to complete the following tasks.
+ Create credentials for your IAM user or role following the steps at [Create and configure AWS credentials for Amazon Keyspaces](access.credentials.md). This tutorial assumes that the access keys are stored as environment variables. For more information, see [Store access keys for programmatic access](aws.credentials.manage.md).
+ Follow the steps at [Before you begin](#using_java_driver.BeforeYouBegin) to download the digital certificates, convert them to trustStore files, and attach the keystore in the JVM arguments to your application.
+ Add the DataStax Java driver for Apache Cassandra to your Java project. Ensure that you're using a version of the driver that supports Apache Cassandra 3.11.2. For more information, see the [DataStax Java Driver for Apache Cassandra documentation](https://github.com/datastax/java-driver).
+ Add the authentication plugin to your application. The authentication plugin supports version 3.x of the DataStax Java driver for Apache Cassandra. If you’re using Apache Maven, or a build system that can use Maven dependencies, add the following dependencies to your `pom.xml` file. Replace the version of the plugin with the latest version as shown at [GitHub repository](https://github.com/aws/aws-sigv4-auth-cassandra-java-driver-plugin/tree/3.x-Driver-Compatible).
```
software.aws.mcs
aws-sigv4-auth-cassandra-java-driver-plugin_3
3.0.3
```
### Step 2: Run the application
This code example shows a simple command line application that creates a connection pool to Amazon Keyspaces. It confirms that the connection is established by running a simple query.
```
package ;
// add the following imports to your project
import software.aws.mcs.auth.SigV4AuthProvider;
import com.datastax.driver.core.Cluster;
import com.datastax.driver.core.ResultSet;
import com.datastax.driver.core.Row;
import com.datastax.driver.core.Session;
public class App
{
public static void main( String[] args )
{
String endPoint = "cassandra.us-east-2.amazonaws.com";
int portNumber = 9142;
Session session = Cluster.builder()
.addContactPoint(endPoint)
.withPort(portNumber)
.withAuthProvider(new SigV4AuthProvider("us-east-2"))
.withSSL()
.build()
.connect();
ResultSet rs = session.execute("select * from system_schema.keyspaces");
Row row = rs.one();
System.out.println(row.getString("keyspace_name"));
}
}
```
Usage notes:
For a list of available endpoints, see [Service endpoints for Amazon Keyspaces](programmatic.endpoints.md).
See the following repository for helpful Java driver policies, examples, and best practices when using the Java Driver with Amazon Keyspaces: [https://github.com/aws-samples/amazon-keyspaces-java-driver-helpers](https://github.com/aws-samples/amazon-keyspaces-java-driver-helpers).
# Using a Cassandra Python client driver to access Amazon Keyspaces programmatically
In this section, we show you how to connect to Amazon Keyspaces using a Python client driver. To provide users and applications with credentials for programmatic access to Amazon Keyspaces resources, you can do either of the following:
+ Create service-specific credentials that are associated with a specific AWS Identity and Access Management (IAM) user.
+ For enhanced security, we recommend to create IAM access keys for IAM users or roles that are used across all AWS services. The Amazon Keyspaces SigV4 authentication plugin for Cassandra client drivers enables you to authenticate calls to Amazon Keyspaces using IAM access keys instead of user name and password. For more information, see [Create and configure AWS credentials for Amazon Keyspaces](access.credentials.md).
**Topics**
+ [
## Before you begin
](#using_python_driver.BeforeYouBegin)
+ [
## Connect to Amazon Keyspaces using the Python driver for Apache Cassandra and service-specific credentials
](#python_ssc)
+ [
## Connect to Amazon Keyspaces using the DataStax Python driver for Apache Cassandra and the SigV4 authentication plugin
](#python_SigV4)
## Before you begin
You need to complete the following task before you can start.
Amazon Keyspaces requires the use of Transport Layer Security (TLS) to help secure connections with clients. To connect to Amazon Keyspaces using TLS, you need to download Amazon digital certificates and configure the Python driver to use TLS.
Download the following digital certificates and save the files locally or in your home directory.
1. AmazonRootCA1
1. AmazonRootCA2
1. AmazonRootCA3
1. AmazonRootCA4
1. Starfield Class 2 Root (optional – for backward compatibility)
To download the certificates, you can use the following commands.
```
curl -O https://www.amazontrust.com/repository/AmazonRootCA1.pem
curl -O https://www.amazontrust.com/repository/AmazonRootCA2.pem
curl -O https://www.amazontrust.com/repository/AmazonRootCA3.pem
curl -O https://www.amazontrust.com/repository/AmazonRootCA4.pem
curl -O https://certs.secureserver.net/repository/sf-class2-root.crt
```
**Note**
Amazon Keyspaces previously used TLS certificates anchored to the Starfield Class 2 CA. AWS is migrating all AWS Regions to certificates issued under Amazon Trust Services (Amazon Root CAs 1–4). During this transition, configure clients to trust both Amazon Root CAs 1–4 and the Starfield root to ensure compatibility across all Regions.
Combine all downloaded certificates into a single `pem` file with the name *keyspaces-bundle.pem* in our examples. You can do this by running the following command. Take note of the path to the file, you need this later.
```
cat AmazonRootCA1.pem \
AmazonRootCA2.pem \
AmazonRootCA3.pem \
AmazonRootCA4.pem \
sf-class2-root.crt \
> keyspaces-bundle.pem
```
## Connect to Amazon Keyspaces using the Python driver for Apache Cassandra and service-specific credentials
The following code example shows you how to connect to Amazon Keyspaces with a Python client driver and service-specific credentials.
```
from cassandra.cluster import Cluster
from ssl import SSLContext, PROTOCOL_TLSv1_2 , CERT_REQUIRED
from cassandra.auth import PlainTextAuthProvider
ssl_context = SSLContext(PROTOCOL_TLSv1_2 )
ssl_context.load_verify_locations('path_to_file/keyspaces-bundle.pem')
ssl_context.verify_mode = CERT_REQUIRED
auth_provider = PlainTextAuthProvider(username='ServiceUserName', password='ServicePassword')
cluster = Cluster(['cassandra.us-east-2.amazonaws.com'], ssl_context=ssl_context, auth_provider=auth_provider, port=9142)
session = cluster.connect()
r = session.execute('select * from system_schema.keyspaces')
print(r.current_rows)
```
Usage notes:
1. Replace `"path_to_file/keyspaces-bundle.pem"` with the path to the combined certificate file saved in the first step.
1. Ensure that the *ServiceUserName* and *ServicePassword* match the user name and password you obtained when you generated the service-specific credentials by following the steps to [Create service-specific credentials for programmatic access to Amazon Keyspaces](programmatic.credentials.ssc.md).
1. For a list of available endpoints, see [Service endpoints for Amazon Keyspaces](programmatic.endpoints.md).
## Connect to Amazon Keyspaces using the DataStax Python driver for Apache Cassandra and the SigV4 authentication plugin
The following section shows how to use the SigV4 authentication plugin for the open-source DataStax Python driver for Apache Cassandra to access Amazon Keyspaces (for Apache Cassandra).
If you haven't already done so, begin with creating credentials for your IAM role following the steps at [Create and configure AWS credentials for Amazon Keyspaces](access.credentials.md). This tutorial uses temporary credentials, which requires an IAM role. For more information about temporary credentials, see [Create temporary credentials to connect to Amazon Keyspaces using an IAM role and the SigV4 plugin](temporary.credentials.IAM.md).
Then, add the Python SigV4 authentication plugin to your environment from the [GitHub repository](https://github.com/aws/aws-sigv4-auth-cassandra-python-driver-plugin).
```
pip install cassandra-sigv4
```
The following code example shows how to connect to Amazon Keyspaces by using the open-source DataStax Python driver for Cassandra and the SigV4 authentication plugin. The plugin depends on the AWS SDK for Python (Boto3). It uses `boto3.session` to obtain temporary credentials.
```
from cassandra.cluster import Cluster
from ssl import SSLContext, PROTOCOL_TLSv1_2 , CERT_REQUIRED
from cassandra.auth import PlainTextAuthProvider
import boto3
from cassandra_sigv4.auth import SigV4AuthProvider
ssl_context = SSLContext(PROTOCOL_TLSv1_2)
ssl_context.load_verify_locations('path_to_file/keyspaces-bundle.pem')
ssl_context.verify_mode = CERT_REQUIRED
# use this if you want to use Boto to set the session parameters.
boto_session = boto3.Session(aws_access_key_id="AKIAIOSFODNN7EXAMPLE",
aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
aws_session_token="AQoDYXdzEJr...",
region_name="us-east-2")
auth_provider = SigV4AuthProvider(boto_session)
# Use this instead of the above line if you want to use the Default Credentials and not bother with a session.
# auth_provider = SigV4AuthProvider()
cluster = Cluster(['cassandra.us-east-2.amazonaws.com'], ssl_context=ssl_context, auth_provider=auth_provider,
port=9142)
session = cluster.connect()
r = session.execute('select * from system_schema.keyspaces')
print(r.current_rows)
```
Usage notes:
1. Replace `"path_to_file/keyspaces-bundle.pem"` with the path to the certificate saved in the first step.
1. Ensure that the *aws\$1access\$1key\$1id*, *aws\$1secret\$1access\$1key*, and the *aws\$1session\$1token* match the `Access Key`, `Secret Access Key`, and `Session Token` you obtained using `boto3.session`. For more information, see [Credentials](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html) in the *AWS SDK for Python (Boto3)*.
1. For a list of available endpoints, see [Service endpoints for Amazon Keyspaces](programmatic.endpoints.md).
# Using a Cassandra Node.js client driver to access Amazon Keyspaces programmatically
This section shows you how to connect to Amazon Keyspaces by using a Node.js client driver. To provide users and applications with credentials for programmatic access to Amazon Keyspaces resources, you can do either of the following:
+ Create service-specific credentials that are associated with a specific AWS Identity and Access Management (IAM) user.
+ For enhanced security, we recommend to create IAM access keys for IAM users or roles that are used across all AWS services. The Amazon Keyspaces SigV4 authentication plugin for Cassandra client drivers enables you to authenticate calls to Amazon Keyspaces using IAM access keys instead of user name and password. For more information, see [Create and configure AWS credentials for Amazon Keyspaces](access.credentials.md).
**Topics**
+ [
## Before you begin
](#using_nodejs_driver.BeforeYouBegin)
+ [
## Connect to Amazon Keyspaces using the Node.js DataStax driver for Apache Cassandra and service-specific credentials
](#nodejs_ssc)
+ [
## Connect to Amazon Keyspaces using the DataStax Node.js driver for Apache Cassandra and the SigV4 authentication plugin
](#nodejs_SigV4)
## Before you begin
You need to complete the following task before you can start.
Amazon Keyspaces requires the use of Transport Layer Security (TLS) to help secure connections with clients. To connect to Amazon Keyspaces using TLS, you need to download an Amazon digital certificate and configure the Python driver to use TLS.
Download the following digital certificates and save the files locally or in your home directory.
1. AmazonRootCA1
1. AmazonRootCA2
1. AmazonRootCA3
1. AmazonRootCA4
1. Starfield Class 2 Root (optional – for backward compatibility)
To download the certificates, you can use the following commands.
```
curl -O https://www.amazontrust.com/repository/AmazonRootCA1.pem
curl -O https://www.amazontrust.com/repository/AmazonRootCA2.pem
curl -O https://www.amazontrust.com/repository/AmazonRootCA3.pem
curl -O https://www.amazontrust.com/repository/AmazonRootCA4.pem
curl -O https://certs.secureserver.net/repository/sf-class2-root.crt
```
**Note**
Amazon Keyspaces previously used TLS certificates anchored to the Starfield Class 2 CA. AWS is migrating all AWS Regions to certificates issued under Amazon Trust Services (Amazon Root CAs 1–4). During this transition, configure clients to trust both Amazon Root CAs 1–4 and the Starfield root to ensure compatibility across all Regions.
Combine all downloaded certificates into a single `pem` file with the name *keyspaces-bundle.pem* in our examples. You can do this by running the following command. Take note of the path to the file, you need this later.
```
cat AmazonRootCA1.pem \
AmazonRootCA2.pem \
AmazonRootCA3.pem \
AmazonRootCA4.pem \
sf-class2-root.crt \
> keyspaces-bundle.pem
```
## Connect to Amazon Keyspaces using the Node.js DataStax driver for Apache Cassandra and service-specific credentials
Configure your driver to use the combined certificate file `keyspaces-bundle.pem` for TLS and authenticate using service-specific credentials. For example:
```
const cassandra = require('cassandra-driver');
const fs = require('fs');
const auth = new cassandra.auth.PlainTextAuthProvider('ServiceUserName', 'ServicePassword');
const sslOptions1 = {
ca: [
fs.readFileSync('path_to_file/keyspaces-bundle.pem', 'utf-8')],
host: 'cassandra.us-west-2.amazonaws.com',
rejectUnauthorized: true
};
const client = new cassandra.Client({
contactPoints: ['cassandra.us-west-2.amazonaws.com'],
localDataCenter: 'us-west-2',
authProvider: auth,
sslOptions: sslOptions1,
protocolOptions: { port: 9142 }
});
const query = 'SELECT * FROM system_schema.keyspaces';
client.execute(query)
.then( result => console.log('Row from Keyspaces %s', result.rows[0]))
.catch( e=> console.log(`${e}`));
```
Usage notes:
1. Replace `"path_to_file/keyspaces-bundle.pem"` with the path to the combined certificate file saved in the first step.
1. Ensure that the *ServiceUserName* and *ServicePassword* match the user name and password you obtained when you generated the service-specific credentials by following the steps to [Create service-specific credentials for programmatic access to Amazon Keyspaces](programmatic.credentials.ssc.md).
1. For a list of available endpoints, see [Service endpoints for Amazon Keyspaces](programmatic.endpoints.md).
## Connect to Amazon Keyspaces using the DataStax Node.js driver for Apache Cassandra and the SigV4 authentication plugin
The following section shows how to use the SigV4 authentication plugin for the open-source DataStax Node.js driver for Apache Cassandra to access Amazon Keyspaces (for Apache Cassandra).
If you haven't already done so, create credentials for your IAM user or role following the steps at [Create and configure AWS credentials for Amazon Keyspaces](access.credentials.md).
Add the Node.js SigV4 authentication plugin to your application from the [GitHub repository](https://github.com/aws/aws-sigv4-auth-cassandra-nodejs-driver-plugin). The plugin supports version 4.x of the DataStax Node.js driver for Cassandra and depends on the AWS SDK for Node.js. It uses `AWSCredentialsProvider` to obtain credentials.
```
$ npm install aws-sigv4-auth-cassandra-plugin --save
```
This code example shows how to set a Region-specific instance of `SigV4AuthProvider` as the authentication provider.
```
const cassandra = require('cassandra-driver');
const fs = require('fs');
const sigV4 = require('aws-sigv4-auth-cassandra-plugin');
const auth = new sigV4.SigV4AuthProvider({
region: 'us-west-2',
accessKeyId:'AKIAIOSFODNN7EXAMPLE',
secretAccessKey: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'});
const sslOptions1 = {
ca: [
fs.readFileSync('path_to_file/keyspaces-bundle.pem', 'utf-8')],
host: 'cassandra.us-west-2.amazonaws.com',
rejectUnauthorized: true
};
const client = new cassandra.Client({
contactPoints: ['cassandra.us-west-2.amazonaws.com'],
localDataCenter: 'us-west-2',
authProvider: auth,
sslOptions: sslOptions1,
protocolOptions: { port: 9142 }
});
const query = 'SELECT * FROM system_schema.keyspaces';
client.execute(query).then(
result => console.log('Row from Keyspaces %s', result.rows[0]))
.catch( e=> console.log(`${e}`));
```
Usage notes:
1. Replace `"path_to_file/keyspaces-bundle.pem"` with the path to the certificate saved in the first step.
1. Ensure that the *accessKeyId* and *secretAccessKey* match the Access Key and Secret Access Key you obtained using `AWSCredentialsProvider`. For more information, see [Setting Credentials in Node.js](https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/setting-credentials-node.html) in the *AWS SDK for JavaScript in Node.js*.
1. To store access keys outside of code, see best practices at [Store access keys for programmatic access](aws.credentials.manage.md).
1. For a list of available endpoints, see [Service endpoints for Amazon Keyspaces](programmatic.endpoints.md).
# Using a Cassandra .NET Core client driver to access Amazon Keyspaces programmatically
This section shows you how to connect to Amazon Keyspaces by using a .NET Core client driver. The setup steps will vary depending on your environment and operating system, you might have to modify them accordingly. Amazon Keyspaces requires the use of Transport Layer Security (TLS) to help secure connections with clients. To connect to Amazon Keyspaces using TLS, configure your driver to use the system trust store, which includes the Amazon Root CAs 1-4.
1. Install the CassandraCSharpDriver through nuget, using the nuget console.
```
PM> Install-Package CassandraCSharpDriver
```
1. The following example uses a .NET Core C\$1 console project to connect to Amazon Keyspaces and run a query.
```
using Cassandra;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Security;
using System.Runtime.ConstrainedExecution;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Threading.Tasks;
namespace CSharpKeyspacesExample
{
class Program
{
public Program(){}
static void Main(string[] args)
{
var userName = "ServiceUserName";
var pwd = "ServicePassword";
certCollection.Add(amazoncert);
var awsEndpoint = "cassandra.us-east-2.amazonaws.com" ;
var cluster = Cluster.Builder()
.AddContactPoints(awsEndpoint)
.WithPort(9142)
.WithAuthProvider(new PlainTextAuthProvider(userName, pwd))
.WithSSL(new SSLOptions().SetCertificateCollection(certCollection))
.Build();
var session = cluster.Connect();
var rs = session.Execute("SELECT * FROM system_schema.tables;");
foreach (var row in rs)
{
var name = row.GetValue("keyspace_name");
Console.WriteLine(name);
}
}
}
}
```
Usage notes:
1. Ensure that you use the default system trust store, which includes the Amazon Root CAs 1-4.
1. Ensure that the *ServiceUserName* and *ServicePassword* match the user name and password you obtained when you generated the service-specific credentials by following the steps to [Create service-specific credentials for programmatic access to Amazon Keyspaces](programmatic.credentials.ssc.md).
1. For a list of available endpoints, see [Service endpoints for Amazon Keyspaces](programmatic.endpoints.md).
# Using a Cassandra Go client driver to access Amazon Keyspaces programmatically
This section shows you how to connect to Amazon Keyspaces by using a Go Cassandra client driver. To provide users and applications with credentials for programmatic access to Amazon Keyspaces resources, you can do either of the following:
+ Create service-specific credentials that are associated with a specific AWS Identity and Access Management (IAM) user.
+ For enhanced security, we recommend to create IAM access keys for IAM principals that are used across all AWS services. The Amazon Keyspaces SigV4 authentication plugin for Cassandra client drivers enables you to authenticate calls to Amazon Keyspaces using IAM access keys instead of user name and password. For more information, see [Create and configure AWS credentials for Amazon Keyspaces](access.credentials.md).
**Topics**
+ [
## Before you begin
](#using_go_driver.BeforeYouBegin)
+ [
## Connect to Amazon Keyspaces using the Gocql driver for Apache Cassandra and service-specific credentials
](#go_ssc)
+ [
## Connect to Amazon Keyspaces using the Go driver for Apache Cassandra and the SigV4 authentication plugin
](#go_SigV4)
## Before you begin
You need to complete the following task before you can start.
Amazon Keyspaces requires the use of Transport Layer Security (TLS) to help secure connections with clients. To connect to Amazon Keyspaces using TLS, you need to download an Amazon digital certificate and configure the Go driver to use TLS.
Download the following digital certificates and save the files locally or in your home directory.
1. AmazonRootCA1
1. AmazonRootCA2
1. AmazonRootCA3
1. AmazonRootCA4
1. Starfield Class 2 Root (optional – for backward compatibility)
To download the certificates, you can use the following commands.
```
curl -O https://www.amazontrust.com/repository/AmazonRootCA1.pem
curl -O https://www.amazontrust.com/repository/AmazonRootCA2.pem
curl -O https://www.amazontrust.com/repository/AmazonRootCA3.pem
curl -O https://www.amazontrust.com/repository/AmazonRootCA4.pem
curl -O https://certs.secureserver.net/repository/sf-class2-root.crt
```
**Note**
Amazon Keyspaces previously used TLS certificates anchored to the Starfield Class 2 CA. AWS is migrating all AWS Regions to certificates issued under Amazon Trust Services (Amazon Root CAs 1–4). During this transition, configure clients to trust both Amazon Root CAs 1–4 and the Starfield root to ensure compatibility across all Regions.
Combine all downloaded certificates into a single `pem` file with the name *keyspaces-bundle.pem* in our examples. You can do this by running the following command. Take note of the path to the file, you need this later.
```
cat AmazonRootCA1.pem \
AmazonRootCA2.pem \
AmazonRootCA3.pem \
AmazonRootCA4.pem \
sf-class2-root.crt \
> keyspaces-bundle.pem
```
## Connect to Amazon Keyspaces using the Gocql driver for Apache Cassandra and service-specific credentials
1. Create a directory for your application.
```
mkdir ./gocqlexample
```
1. Navigate to the new directory.
```
cd gocqlexample
```
1. Create a file for your application.
```
touch cqlapp.go
```
1. Download the Go driver.
```
go get github.com/gocql/gocql
```
1. Add the following sample code to the cqlapp.go file.
```
package main
import (
"fmt"
"github.com/gocql/gocql"
"log"
)
func main() {
// add the Amazon Keyspaces service endpoint
cluster := gocql.NewCluster("cassandra.us-east-2.amazonaws.com")
cluster.Port=9142
// add your service specific credentials
cluster.Authenticator = gocql.PasswordAuthenticator{
Username: "ServiceUserName",
Password: "ServicePassword"}
// provide the path to the keyspaces-bundle.pem
cluster.SslOpts = &gocql.SslOptions{
CaPath: "path_to_file/keyspaces-bundle.pem",
EnableHostVerification: false,
}
// Override default Consistency to LocalQuorum
cluster.Consistency = gocql.LocalQuorum
cluster.DisableInitialHostLookup = false
session, err := cluster.CreateSession()
if err != nil {
fmt.Println("err>", err)
}
defer session.Close()
// run a sample query from the system keyspace
var text string
iter := session.Query("SELECT keyspace_name FROM system_schema.tables;").Iter()
for iter.Scan(&text) {
fmt.Println("keyspace_name:", text)
}
if err := iter.Close(); err != nil {
log.Fatal(err)
}
session.Close()
}
```
Usage notes:
1. Replace `"path_to_file/keyspaces-bundle.pem"` with the path to the combined certificate file saved in the first step.
1. Ensure that the *ServiceUserName* and *ServicePassword* match the user name and password you obtained when you generated the service-specific credentials by following the steps to [Create service-specific credentials for programmatic access to Amazon Keyspaces](programmatic.credentials.ssc.md).
1. For a list of available endpoints, see [Service endpoints for Amazon Keyspaces](programmatic.endpoints.md).
1. Build the program.
```
go build cqlapp.go
```
1. Run the program.
```
./cqlapp
```
## Connect to Amazon Keyspaces using the Go driver for Apache Cassandra and the SigV4 authentication plugin
The following code sample shows how to use the SigV4 authentication plugin for the open-source Go driver to access Amazon Keyspaces (for Apache Cassandra).
If you haven't already done so, create credentials for your IAM principal following the steps at [Create and configure AWS credentials for Amazon Keyspaces](access.credentials.md). If an application is running on Lambda or an Amazon EC2 instance, your application is automatically using the credentials of the instance. To run this tutorial locally, you can store the credentials as local environment variables.
Add the Go SigV4 authentication plugin to your application from the [GitHub repository](https://github.com/aws/aws-sigv4-auth-cassandra-gocql-driver-plugin). The plugin supports version 1.2.x of the open-source Go driver for Cassandra and depends on the AWS SDK for Go.
```
$ go mod init
$ go get github.com/aws/aws-sigv4-auth-cassandra-gocql-driver-plugin
```
In this code example, the Amazon Keyspaces endpoint is represented by the `Cluster` class. It uses the `AwsAuthenticator` for the authenticator property of the cluster to obtain credentials.
```
package main
import (
"fmt"
"github.com/aws/aws-sigv4-auth-cassandra-gocql-driver-plugin/sigv4"
"github.com/gocql/gocql"
"log"
)
func main() {
// configuring the cluster options
cluster := gocql.NewCluster("cassandra.us-west-2.amazonaws.com")
cluster.Port=9142
// the authenticator uses the default credential chain to find AWS credentials
cluster.Authenticator = sigv4.NewAwsAuthenticator()
cluster.SslOpts = &gocql.SslOptions{
CaPath: "path_to_file/keyspaces-bundle.pem",
EnableHostVerification: false,
}
cluster.Consistency = gocql.LocalQuorum
cluster.DisableInitialHostLookup = false
session, err := cluster.CreateSession()
if err != nil {
fmt.Println("err>", err)
return
}
defer session.Close()
// doing the query
var text string
iter := session.Query("SELECT keyspace_name FROM system_schema.tables;").Iter()
for iter.Scan(&text) {
fmt.Println("keyspace_name:", text)
}
if err := iter.Close(); err != nil {
log.Fatal(err)
}
}
```
Usage notes:
1. Replace `"path_to_file/keyspaces-bundle.pem"` with the path to the certificate file saved in the first step.
1. For this example to run locally, you need to define the following variables as environment variables:
+ `AWS_ACCESS_KEY_ID`
+ `AWS_SECRET_ACCESS_KEY`
+ `AWS_DEFAULT_REGION`
1. To store access keys outside of code, see best practices at [Store access keys for programmatic access](aws.credentials.manage.md).
1. For a list of available endpoints, see [Service endpoints for Amazon Keyspaces](programmatic.endpoints.md).
# Using a Cassandra Perl client driver to access Amazon Keyspaces programmatically
This section shows you how to connect to Amazon Keyspaces by using a Perl client driver. For this code sample, we used Perl 5. Amazon Keyspaces requires the use of Transport Layer Security (TLS) to help secure connections with clients.
**Important**
Amazon Keyspacescertificates are transitioning to the Amazon Trust Services (ATS) hierarchy. Ensure your environment trusts the Amazon Root CAs 1–4 to avoid connection errors during this rotation. The Perl driver doesn't validate the server's Amazon SSL certificate, which means that you can't confirm that you are connecting to Amazon Keyspaces. The second step, to configure the driver to use TLS when connecting to Amazon Keyspaces is still required, and ensures that data transferred between the client and server is encrypted.
1. Download the Cassandra DBI driver from [https://metacpan.org/pod/DBD::Cassandra](https://metacpan.org/pod/DBD::Cassandra) and install the driver to your Perl environment. The exact steps depend on the environment. The following is a common example.
```
cpanm DBD::Cassandra
```
1. Create a file for your application.
```
touch cqlapp.pl
```
1. Add the following sample code to the cqlapp.pl file.
```
use DBI;
my $user = "ServiceUserName";
my $password = "ServicePassword";
my $db = DBI->connect("dbi:Cassandra:host=cassandra.us-east-2.amazonaws.com;port=9142;tls=1;",
$user, $password);
my $rows = $db->selectall_arrayref("select * from system_schema.keyspaces");
print "Found the following Keyspaces...\n";
for my $row (@$rows) {
print join(" ",@$row['keyspace_name']),"\n";
}
$db->disconnect;
```
**Important**
Ensure that the *ServiceUserName* and *ServicePassword* match the user name and password you obtained when you generated the service-specific credentials by following the steps to [Create service-specific credentials for programmatic access to Amazon Keyspaces](programmatic.credentials.ssc.md).
**Note**
For a list of available endpoints, see [Service endpoints for Amazon Keyspaces](programmatic.endpoints.md).
1. Run the application.
```
perl cqlapp.pl
```