CData Python Connector for Amazon Athena

Build 24.0.9062

IAM 最小権限

We recommend using predefined roles for services rather than creating custom IAM policies, but if you want to create custom polices, use the roles described in the table below. Note that the specific policies required by the Amazon Athena driver are subject to change in future releases. Amazon Athena requires at a minimum the following permissions:

IAM Role Description
s3:ListBucketList all the items of source buckets. These items are usually the tables you want to query data from. This action supports resource-level permissions, so you can specify the buckets in "Resource".
s3:GetObjectRead the file with the data you want to query. You can give permission to read specific items in the bucket, for example, arn:aws:s3:::source-bucket1/Customers.csv, or give permission to read all items in the bucket, for example, arn:aws:s3:::source-bucket1/*.
s3:GetBucketLocation
s3:GetObject
s3:ListBucket
s3:ListBucketMultipartUploads
s3:AbortMultipartUpload
s3:PutObject
s3:ListMultipartUploadParts
s3:DeleteObject
These actions are required to be active at the same time to write the results of the query to the destination bucket, which corresponds to the connection property S3StagingDirectory. The driver then reads the metadata and data from this location and deletes these temporary files at the end. See Access denied error for more information.
athena:ListDataCatalogsRetrieve the list of data catalogs for the current AWS account. This action does not support resource-specific permissions, so Resource is always *.
athena:GetDataCatalogRetrieve metadata about a specific data catalog. This action supports resource-specific permissions. For example, giving permission to all the data catalogs in the Northern Virginia region: "Resource":
"arn:aws:athena:us-east-1:987654321098:datacatalog/*"
athena:GetTableMetadataRetrieve metadata about a specific table. This action supports resource-specific permissions, just like athena:GetDataCatalog.
athena:ListTableMetadataList table metadata in a database for a given data catalog. This action supports resource-specific permissions, just like athena:GetDataCatalog.
athena:StartQueryExecutionStart the execution of a query in Athena. This action supports resource-specific permissions. For example, giving permission to the primary workgroup in the Northern Virginia region: arn:aws:athena:us-east-1:987654321098:workgroup/primary
athena:GetQueryResultsRetrieve the query results. This action supports resource-specific permissions, just like athena:StartQueryExecution.
athena:GetQueryExecutionRetrieve information about the query execution, for example, to check if the query execution is still running. This action supports resource-specific permissions, just like athena:StartQueryExecution.
glue:GetTablesList the tables in a database. This action supports resource-specific permissions. For example, to list all the tables in the Northern Virginia region:
            "Resource": [
                "arn:aws:glue:region123:111111111111:table/*/*",
                "arn:aws:glue:region123:111111111111:database/*",
                "arn:aws:glue:region123:111111111111:catalog"
            ]
			
glue:GetDatabasesList all the databases in a data catalog. This action supports resource-specific permissions, just like glue:GetTables.
glue:GetTableRetrieve a table. This action supports resource-specific permissions, just like glue:GetTables.

Federated Queries

If you are using federated queries, i.e., using Lambda functions to get data from other sources, you need Lambda permissions as well. For example, to give lambda:InvokeFunction permissions on a resource with the name cloudwatchtest1 in Northern Virginia:
    {
        "Effect": "Allow",
        "Action": [
            "lambda:InvokeFunction"
        ],
        "Resource": [
            "arn:aws:lambda:us-east-1:987654321098:function:cloudwatchtest1"
        ]
    }
 
Only the Lambda permission is optional. All the other permissions are required to do a simple SELECT with the driver.

Copyright (c) 2024 CData Software, Inc. - All rights reserved.
Build 24.0.9062