Use CalledVia context keys for Athena
When a principal makes a request
to Amazon, Amazon gathers the request information into a request context
that evaluates and authorizes the request. You can use the Condition
element of
a JSON policy to compare keys in the request context with key values that you specify in
your policy. Global condition context keys are condition
keys with an aws:
prefix.
About the aws:CalledVia context key
You can use the aws:CalledVia global condition context key to compare
the services in the policy with the services that made requests on behalf of the IAM
principal (user or role). When a principal makes a request to an Amazon Web Services service, that
service might use the principal's credentials to make subsequent requests to other
services. The aws:CalledVia
key contains an ordered list of each service in
the chain that made requests on the principal's behalf.
By specifying a service principal name for the aws:CalledVia
context key,
you can make the context key Amazon Web Services service-specific. For example, you can use the
aws:CalledVia
condition key to limit requests to only those made from
Athena. To use the aws:CalledVia
condition key in a policy with Athena, you
specify the Athena service principal name athena.amazonaws.com
, as in the
following example.
... "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "athena.amazonaws.com" } } ...
You can use the aws:CalledVia
context key to ensure that callers only
have access to a resource (like a Lambda function) if they call the resource from
Athena.
Note
The aws:CalledVia
context key is not compatible with the trusted
identity propagation feature.
Add a CalledVia context key for access to Lambda functions
Athena requires the caller to have lambda:InvokeFunction
permissions in
order to invoke the Lambda function associated with the query. The following statement
specifies that the user can invoke Lambda functions only from Athena.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor3", "Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:us-east-1:
111122223333
:function:OneAthenaLambdaFunction
", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "athena.amazonaws.com" } } } ] }
The following example shows the addition of the previous statement to a policy that allows a user to run and read a federated query. Principals who are allowed to perform these actions can run queries that specify Athena catalogs associated with a federated data source. However, the principal cannot access the associated Lambda function unless the function is invoked through Athena.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "athena:GetWorkGroup", "s3:PutObject", "s3:GetObject", "athena:StartQueryExecution", "s3:AbortMultipartUpload", "athena:StopQueryExecution", "athena:GetQueryExecution", "athena:GetQueryResults", "s3:ListMultipartUploadParts" ], "Resource": [ "arn:aws:athena:*:
111122223333
:workgroup/WorkGroupName
", "arn:aws:s3:::MyQueryResultsBucket
/*", "arn:aws:s3:::MyLambdaSpillBucket
/MyLambdaSpillPrefix
*" ] }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": "athena:ListWorkGroups", "Resource": "*" }, { "Sid": "VisualEditor2", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::MyLambdaSpillBucket
" }, { "Sid": "VisualEditor3", "Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": [ "arn:aws:lambda:*:111122223333
:function:OneAthenaLambdaFunction
", "arn:aws:lambda:*:111122223333
:function:AnotherAthenaLambdaFunction
" ], "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "athena.amazonaws.com" } } } ] }
For more information about CalledVia
condition keys, see Amazon global
condition context keys in the IAM User Guide.