Allow access to Athena Federated Query: Example policies
The permission policy examples in this topic demonstrate required allowed actions and the resources for which they are allowed. Examine these policies carefully and modify them according to your requirements before attaching them to IAM identities.
For information about attaching policies to IAM identities, see Adding and removing IAM identity permissions in the IAM User Guide.
Example – Allow an IAM principal to run and return results using Athena Federated Query
The following identity-based permissions policy allows actions that a user or other IAM principal requires to use Athena Federated Query. Principals who are allowed to perform these actions are able to run queries that specify Athena catalogs associated with a federated data source.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Athena", "Effect": "Allow", "Action": [ "athena:GetDataCatalog", "athena:GetQueryExecution", "athena:GetQueryResults", "athena:GetWorkGroup", "athena:StartQueryExecution", "athena:StopQueryExecution" ], "Resource": [ "arn:aws:athena:*:
111122223333
:workgroup/WorkgroupName
", "arn:aws:athena:aws_region
:111122223333
:datacatalog/DataCatalogName
" ] }, { "Sid": "ListAthenaWorkGroups", "Effect": "Allow", "Action": "athena:ListWorkGroups", "Resource": "*" }, { "Sid": "Lambda", "Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": [ "arn:aws:lambda:*:111122223333
:function:OneAthenaLambdaFunction
", "arn:aws:lambda:*:111122223333
:function:AnotherAthenaLambdaFunction
" ] }, { "Sid": "S3", "Effect": "Allow", "Action": [ "s3:AbortMultipartUpload", "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket", "s3:ListMultipartUploadParts", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::MyLambdaSpillBucket
", "arn:aws:s3:::MyLambdaSpillBucket
/*", "arn:aws:s3:::MyQueryResultsBucket
", "arn:aws:s3:::MyQueryResultsBucket
/*" ] } ] }
Allowed actions | Explanation |
---|---|
|
Athena permissions that are required to run federated queries. |
|
Athena permissions that are required to run federated view queries.
The |
|
Allows queries to invoke the Amazon Lambda functions for the Amazon Lambda
functions specified in the Resource block. For example,
arn:aws:lambda:*: ,
where MyAthenaLambdaFunction specifies the
name of a Lambda function to be invoked. As shown in the example,
multiple functions can be specified. |
|
The
|
Example – Allow an IAM principal to create a data source connector
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "lambda:CreateFunction", "lambda:ListVersionsByFunction", "iam:CreateRole", "lambda:GetFunctionConfiguration", "iam:AttachRolePolicy", "iam:PutRolePolicy", "lambda:PutFunctionConcurrency", "iam:PassRole", "iam:DetachRolePolicy", "lambda:ListTags", "iam:ListAttachedRolePolicies", "iam:DeleteRolePolicy", "lambda:DeleteFunction", "lambda:GetAlias", "iam:ListRolePolicies", "iam:GetRole", "iam:GetPolicy", "lambda:InvokeFunction", "lambda:GetFunction", "lambda:ListAliases", "lambda:UpdateFunctionConfiguration", "iam:DeleteRole", "lambda:UpdateFunctionCode", "s3:GetObject", "lambda:AddPermission", "iam:UpdateRole", "lambda:DeleteFunctionConcurrency", "lambda:RemovePermission", "iam:GetRolePolicy", "lambda:GetPolicy" ], "Resource": [ "arn:aws:lambda:*:
111122223333
:function:MyAthenaLambdaFunctionsPrefix
*", "arn:aws:s3:::awsserverlessrepo-changesets-1iiv3xa62ln3m
/*", "arn:aws:iam::*:role/RoleName
", "arn:aws:iam::111122223333
:policy/*" ] }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "cloudformation:CreateUploadBucket", "cloudformation:DescribeStackDriftDetectionStatus", "cloudformation:ListExports", "cloudformation:ListStacks", "cloudformation:ListImports", "lambda:ListFunctions", "iam:ListRoles", "lambda:GetAccountSettings", "ec2:DescribeSecurityGroups", "cloudformation:EstimateTemplateCost", "ec2:DescribeVpcs", "lambda:ListEventSourceMappings", "cloudformation:DescribeAccountLimits", "ec2:DescribeSubnets", "cloudformation:CreateStackSet", "cloudformation:ValidateTemplate" ], "Resource": "*" }, { "Sid": "VisualEditor2", "Effect": "Allow", "Action": "cloudformation:*", "Resource": [ "arn:aws:cloudformation:*:111122223333
:stack/aws-serverless-repository-MyCFStackPrefix
*/*", "arn:aws:cloudformation:*:111122223333
:stack/serverlessrepo-MyCFStackPrefix
*/*", "arn:aws:cloudformation:*:*:transform/Serverless-*", "arn:aws:cloudformation:*:111122223333
:stackset/aws-serverless-repository-MyCFStackPrefix
*:*", "arn:aws:cloudformation:*:111122223333
:stackset/serverlessrepo-MyCFStackPrefix
*:*" ] }, { "Sid": "VisualEditor3", "Effect": "Allow", "Action": "serverlessrepo:*", "Resource": "arn:aws:serverlessrepo:*:*:applications/*" }, { "Sid": "ECR", "Effect": "Allow", "Action": [ "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer" ], "Resource": "arn:aws:ecr:*:*:repository/*" } ] }
Allowed actions | Explanation |
---|---|
|
Allow the creation and management of Lambda functions listed as
resources. In the example, a name prefix is used in the resource
identifier
|
|
Allows reading of a bucket that Amazon Serverless Application Repository requires as specified by the
resource identifier
arn:aws:s3:::awsserverlessrepo-changesets- .
This bucket may be specific to your account. |
|
Allows the creation and management of Amazon CloudFormation stacks specified by
the resource
|
|
Allows searching, viewing, publishing, and updating applications in
the Amazon Serverless Application Repository, specified by the resource identifier
arn:aws:serverlessrepo:*:*:applications/* . |
|
Allows the created Lambda function to access the federation connector ECR image. |