Permissions to create and use a data source in Athena
Amazon Glue Data Catalog federated connectors without Lambda permissions

IAM principal permissions to invoke the Athena API for connector management and querying

- Amazon Athena access – The AmazonAthenaFullAccess managed policy provides full access to Amazon Athena and scoped access to the dependencies needed to enable querying, writing results, and data management. For more information, see AmazonAthenaFullAccess in the Amazon Managed Policy Reference Guide.
- Amazon Glue connection management – Permissions to create and manage Amazon Glue connection objects, for example:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "glue:GetConnection",
          "glue:CreateConnection",
          "glue:DeleteConnection",
          "glue:UpdateConnection"
        ],
        "Resource": "*"
      }
    ]
  }

  Note
  The example policy uses "Resource": "*" for simplicity. For production environments, scope permissions to specific resources where possible.

- Amazon Lake Formation access – Permissions to create an Amazon Glue Catalog and use fine-grained access control.
Glue Data Catalog IAM role

This section covers the permissions Athena needs to provision the connector infrastructure and query your data source. Athena Federated Query requires the following permissions in the IAM role that you pass as the Glue Data Catalog IAM role.

Note
When you connect to a data source in a VPC, Athena creates an Elastic Network Interface (ENI) in your account within the specified VPC. The IAM role therefore needs the EC2 permissions to create, describe, and delete that network interface; if no data source is in a VPC, those EC2 permissions can be omitted.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "glue:ManagedConnector",
        "secretsmanager:DescribeSecret",
        "secretsmanager:GetSecretValue",
        "secretsmanager:PutSecretValue",
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeVpcs",
        "dynamodb:DescribeTable",
        "dynamodb:ListTables",
        "dynamodb:Scan",
        "dynamodb:Query",
        "dynamodb:GetItem",
        "dynamodb:BatchGetItem"
      ],
      "Resource": "*"
    }
  ]
}

Note
The example policy uses "Resource": "*" for simplicity. For production environments, scope permissions to specific resources where possible. For example, scope Secrets Manager permissions to specific secret ARNs.

Explanation of permissions

Allowed actions | Explanation | Required
"glue:ManagedConnector" | Allows Athena to invoke the connector. | Required
"secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue" | Allows connectors to retrieve database credentials stored in Amazon Secrets Manager. | Optional
"ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribeVpcs", "ec2:CreateNetworkInterface", "ec2:DescribeNetworkInterfaces", "ec2:DeleteNetworkInterface" | Allows Athena to set up networking if the data source is within a VPC. | Optional
"dynamodb:DescribeTable", "dynamodb:ListTables", "dynamodb:Scan", "dynamodb:Query", "dynamodb:GetItem", "dynamodb:BatchGetItem" | Allows Athena to query a DynamoDB data source. | Optional
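Both Notes above say to replace "Resource": "*" with specific resources in production, but do not show how to do it without breaking the connector. The following Python is an added example, not code from this page or from AWS: it takes the wildcard role policy above, rebuilds it with one statement per service so that Secrets Manager and DynamoDB actions are pinned to ARNs you supply, and lists the Allow actions that are still granted on "*". The secret and table ARNs are hypothetical placeholders. Two assumptions are baked in and labelled in the code: that the EC2 Describe* calls and dynamodb:ListTables accept only "*" (IAM defines no resource-level permissions for them, so scoping those would fail rather than tighten anything), and that glue:ManagedConnector is left on "*" because the page does not state its resource format.

```python
import json

# Wildcard role policy as given on the page (Glue Data Catalog IAM role, connectors without Lambda).
PAGE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "glue:ManagedConnector",
                "secretsmanager:DescribeSecret",
                "secretsmanager:GetSecretValue",
                "secretsmanager:PutSecretValue",
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeVpcs",
                "dynamodb:DescribeTable",
                "dynamodb:ListTables",
                "dynamodb:Scan",
                "dynamodb:Query",
                "dynamodb:GetItem",
                "dynamodb:BatchGetItem",
            ],
            "Resource": "*",
        }
    ],
}

# Assumption: these actions have no resource-level permissions in IAM, so they are only ever
# evaluated against "*". Pinning them to an ARN would silently break the connector.
WILDCARD_ONLY = {
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeSubnets",
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeVpcs",
    "dynamodb:ListTables",
}

# Verb prefixes that change state; wildcards on these are the ones a reviewer should see first.
WRITE_PREFIXES = ("Put", "Create", "Delete", "Update")


def _actions(stmt):
    """Normalise Action to a list (IAM allows a bare string)."""
    action = stmt["Action"]
    return [action] if isinstance(action, str) else list(action)


def _is_wildcard(stmt):
    resource = stmt.get("Resource")
    return resource == "*" or resource == ["*"]


def scope_policy(policy, secret_arns, table_arns):
    """Rebuild every Allow-on-"*" statement as one statement per service.

    Secrets Manager actions are pinned to secret_arns and DynamoDB item/table actions to
    table_arns (append table/<name>/index/* to table_arns if a connector queries indexes).
    EC2 actions and glue:ManagedConnector (resource format not given on the page) stay on "*".
    Already-scoped statements and Deny statements are copied through unchanged.
    """
    scoped = {"Version": policy["Version"], "Statement": []}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or not _is_wildcard(stmt):
            scoped["Statement"].append(stmt)
            continue
        groups = {}  # (service, wildcard_only) -> [actions]
        for action in sorted(_actions(stmt)):
            service = action.split(":", 1)[0]
            groups.setdefault((service, action in WILDCARD_ONLY), []).append(action)
        for (service, wildcard_only), actions in groups.items():
            if wildcard_only:
                resource = "*"
            elif service == "secretsmanager":
                resource = sorted(secret_arns)
            elif service == "dynamodb":
                resource = sorted(table_arns)
            else:
                resource = "*"
            scoped["Statement"].append({"Effect": "Allow", "Action": actions, "Resource": resource})
    return scoped


def wildcard_findings(policy):
    """Return Allow actions still granted on "*" that could have been scoped, write actions first."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and _is_wildcard(stmt):
            findings.extend(a for a in _actions(stmt) if a not in WILDCARD_ONLY)
    writes = [a for a in findings if a.split(":", 1)[1].startswith(WRITE_PREFIXES)]
    return writes + [a for a in findings if a not in writes]


if __name__ == "__main__":
    # Hypothetical ARNs; substitute the secret and table the connector actually uses.
    scoped = scope_policy(
        PAGE_ROLE_POLICY,
        secret_arns=["arn:aws:secretsmanager:us-east-1:123456789012:secret:athena/mysql-AbCdEf"],
        table_arns=["arn:aws:dynamodb:us-east-1:123456789012:table/orders"],
    )
    print(json.dumps(scoped, indent=2))
    print("Original still wide:", wildcard_findings(PAGE_ROLE_POLICY))
    print("Scoped still wide:  ", wildcard_findings(scoped))
```

Run against the page's policy, the findings list puts secretsmanager:PutSecretValue and the two EC2 network-interface actions at the top, which is the order in which a reviewer should question them: PutSecretValue on "*" lets the role overwrite any secret in the account, not just the connector's. After scoping, only glue:ManagedConnector and the ENI create/delete actions remain wide; the same grouping approach applies to the Glue connection policy earlier on the page, whose four glue:*Connection actions can be pinned to specific connection ARNs.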
Amazon Glue Data Catalog federated connectors with Lambda permissions

IAM principal permissions to invoke the Athena API for connector management and querying

- Amazon Athena access – The AmazonAthenaFullAccess managed policy provides full access to Amazon Athena and scoped access to the dependencies needed to enable querying, writing results, and data management. For more information, see AmazonAthenaFullAccess in the Amazon Managed Policy Reference Guide.
- Connector management permissions – Permissions to call the Athena DataCatalog API are needed when using Lambda-based connectors. The specific actions are listed in Permissions required to create connector and Athena catalog.
- Amazon Lake Formation access (if using Lake Formation) – Permissions to create an Amazon Glue Catalog and use fine-grained access control.
Athena data catalog federated connectors permissions

IAM principal permissions to invoke the Athena API for connector management and querying

- Amazon Athena access – The AmazonAthenaFullAccess managed policy provides full access to Amazon Athena and scoped access to the dependencies needed to enable querying, writing results, and data management. For more information, see AmazonAthenaFullAccess in the Amazon Managed Policy Reference Guide.
- Connector management permissions – Permissions to call the Athena DataCatalog API are needed when using Lambda-based connectors. The specific actions are listed in Permissions required to create connector and Athena catalog.