Using Athena with CalledVia context keys - Amazon Athena
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using Athena with CalledVia context keys

When a principal makes a request to Amazon, Amazon gathers the request information into a request context that evaluates and authorizes the request. You can use the Condition element of a JSON policy to compare keys in the request context with key values that you specify in your policy. Global condition context keys are condition keys with an aws: prefix.

The aws:CalledVia context key

You can use the aws:CalledVia global condition context key to compare the services in the policy with the services that made requests on behalf of the IAM principal (user or role). When a principal makes a request to an Amazon Web Service, that service might use the principal's credentials to make subsequent requests to other services. The aws:CalledVia key contains an ordered list of each service in the chain that made requests on the principal's behalf.

By specifying a service principal name for the aws:CalledVia context key, you can make the context key Amazon Web Service-specific. For example, you can use the aws:CalledVia condition key to limit requests to only those made from Athena. To use the aws:CalledVia condition key in a policy with Athena, you specify the Athena service principal name, as in the following example.

... "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "" } } ...

You can use the aws:CalledVia context key to ensure that callers only have access to a resource (like a Lambda function) if they call the resource from Athena.


The aws:CalledVia context key is not compatible with the trusted identity propagation feature.

Add an optional CalledVia context key for fine grained access to a Lambda function

Athena requires the caller to have lambda:InvokeFunction permissions in order to invoke the Lambda function associated with the query. The following statement allows fine-grained access to a Lambda function so that the user can use only Athena to invoke the Lambda function.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor3", "Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:us-east-1:111122223333:function:OneAthenaLambdaFunction", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "" } } } ] }

The following example shows the addition of the previous statement to a policy that allows a user to run and read a federated query. Principals who are allowed to perform these actions can run queries that specify Athena catalogs associated with a federated data source. However, the principal cannot access the associated Lambda function unless the function is invoked through Athena.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "athena:GetWorkGroup", "s3:PutObject", "s3:GetObject", "athena:StartQueryExecution", "s3:AbortMultipartUpload", "athena:StopQueryExecution", "athena:GetQueryExecution", "athena:GetQueryResults", "s3:ListMultipartUploadParts" ], "Resource": [ "arn:aws:athena:*:111122223333:workgroup/WorkGroupName", "arn:aws:s3:::MyQueryResultsBucket/*", "arn:aws:s3:::MyLambdaSpillBucket/MyLambdaSpillPrefix*" ] }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": "athena:ListWorkGroups", "Resource": "*" }, { "Sid": "VisualEditor2", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::MyLambdaSpillBucket" }, { "Sid": "VisualEditor3", "Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": [ "arn:aws:lambda:*:111122223333:function:OneAthenaLambdaFunction", "arn:aws:lambda:*:111122223333:function:AnotherAthenaLambdaFunction" ], "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "" } } } ] }

For more information about CalledVia condition keys, see Amazon global condition context keys in the IAM User Guide.