Minimum IAM Permissions
We recommend using predefined roles for services rather than creating custom IAM policies, but it if you want to create custom polices, use the roles described in the table below. Note that the specific policies required by the Amazon Athena driver are subject to change in future releases. Amazon Athena requires at a minimum the following permissions:
IAM Role | Description | |
s3:ListBucket | List all the items of source buckets. These items are usually the tables you want to query data from. This action supports resource-level permissions, so you can specify the buckets in "Resource". | |
s3:GetObject | Read the file with the data you want to query. You can give permission to read specific items in the bucket, for example, arn:aws:s3:::source-bucket1/Customers.csv, or give permission to read all items in the bucket, for example, arn:aws:s3:::source-bucket1/*. | |
s3:GetBucketLocation s3:GetObject s3:ListBucket s3:ListBucketMultipartUploads s3:AbortMultipartUpload s3:PutObject s3:ListMultipartUploadParts s3:DeleteObject | These actions are required to be active at the same time to write the results of the query to the destination bucket, which corresponds to the connection property S3StagingDirectory. The driver then reads the metadata and data from this location and deletes these temporary files at the end. See Access denied error for more information. | |
athena:ListDataCatalogs | Retrieve the list of data catalogs for the current AWS account. This action does not support resource-specific permissions, so Resource is always *. | |
athena:GetDataCatalog | Retrieve metadata about a specific data catalog. This action supports resource-specific permissions. For example, giving permission to all the data catalogs in the Northern Virginia region: "Resource": "arn:aws:athena:us-east-1:987654321098:datacatalog/*" | |
athena:GetTableMetadata | Retrieve metadata about a specific table. This action supports resource-specific permissions, just like athena:GetDataCatalog. | |
athena:ListTableMetadata | List table metadata in a database for a given data catalog. This action supports resource-specific permissions, just like athena:GetDataCatalog. | |
athena:StartQueryExecution | Start the execution of a query in Athena. This action supports resource-specific permissions. For example, giving permission to the primary workgroup in the Northern Virginia region: arn:aws:athena:us-east-1:987654321098:workgroup/primary | |
athena:GetQueryResults | Retrieve the query results. This action supports resource-specific permissions, just like athena:StartQueryExecution. | |
athena:GetQueryExecution | Retrieve information about the query execution, for example, to check if the query execution is still running. This action supports resource-specific permissions, just like athena:StartQueryExecution. | |
glue:GetTables | List the tables in a database. This action supports resource-specific permissions. For example, to list all the tables in the Northern Virginia region:
"Resource": [ "arn:aws:glue:region123:111111111111:table/*/*", "arn:aws:glue:region123:111111111111:database/*", "arn:aws:glue:region123:111111111111:catalog" ] | |
glue:GetDatabases | List all the databases in a data catalog. This action supports resource-specific permissions, just like glue:GetTables. | |
glue:GetTable | Retrieve a table. This action supports resource-specific permissions, just like glue:GetTables. |
Federated Queries
If you are using federated queries, i.e., using Lambda functions to get data from other sources, you need Lambda permissions as well. For example, to give lambda:InvokeFunction permissions on a resource with the name cloudwatchtest1 in Northern Virginia:{ "Effect": "Allow", "Action": [ "lambda:InvokeFunction" ], "Resource": [ "arn:aws:lambda:us-east-1:987654321098:function:cloudwatchtest1" ] }Only the Lambda permission is optional. All the other permissions are required to do a simple SELECT with the driver.