Permissions required to create connector and Athena catalog - Amazon Athena
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Permissions required to create connector and Athena catalog

To invoke Athena CreateDataCatalog you must create a role that has the following permissions:

{ "Version": "2012-10-17", "Statement": [ { "Sid": "ECR", "Effect": "Allow", "Action": [ "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer" ], "Resource": "arn:aws:ecr:*:*:repository/*" }, { "Effect": "Allow", "Action": [ "s3:GetObject", "glue:TagResource", "glue:GetConnection", "glue:CreateConnection", "glue:DeleteConnection", "glue:UpdateConnection", "serverlessrepo:CreateCloudFormationTemplate", "serverlessrepo:GetCloudFormationTemplate", "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStacks", "cloudformation:CreateChangeSet", "cloudformation:DescribeAccountLimits", "cloudformation:CreateStackSet", "cloudformation:ValidateTemplate", "cloudformation:CreateUploadBucket", "cloudformation:DescribeStackDriftDetectionStatus", "cloudformation:ListExports", "cloudformation:ListStacks", "cloudformation:EstimateTemplateCost", "cloudformation:ListImports", "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:DeleteRolePolicy", "iam:PutRolePolicy", "iam:GetRolePolicy", "iam:CreateRole", "iam:TagRole", "iam:DeleteRole", "iam:GetRole", "iam:PassRole", "iam:ListRoles", "iam:ListAttachedRolePolicies", "iam:ListRolePolicies", "iam:GetPolicy", "iam:UpdateRole", "lambda:InvokeFunction", "lambda:GetFunction", "lambda:DeleteFunction", "lambda:CreateFunction", "lambda:TagResource", "lambda:ListFunctions", "lambda:GetAccountSettings", "lambda:ListEventSourceMappings", "lambda:ListVersionsByFunction", "lambda:GetFunctionConfiguration", "lambda:PutFunctionConcurrency", "lambda:UpdateFunctionConfiguration", "lambda:UpdateFunctionCode", "lambda:DeleteFunctionConcurrency", "lambda:RemovePermission", "lambda:AddPermission", "lambda:ListTags", "lambda:GetAlias", "lambda:GetPolicy", "lambda:ListAliases", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "secretsmanager:ListSecrets", "glue:GetCatalogs" ], "Resource": "*" } ] }