Use CalledVia context keys for Athena - Amazon Athena
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Use CalledVia context keys for Athena

When a principal makes a request to Amazon, Amazon gathers the request information into a request context that evaluates and authorizes the request. You can use the Condition element of a JSON policy to compare keys in the request context with key values that you specify in your policy. Global condition context keys are condition keys with an aws: prefix.

About the aws:CalledVia context key

You can use the aws:CalledVia global condition context key to compare the services in the policy with the services that made requests on behalf of the IAM principal (user or role). When a principal makes a request to an Amazon Web Services service, that service might use the principal's credentials to make subsequent requests to other services. The aws:CalledVia key contains an ordered list of each service in the chain that made requests on the principal's behalf.

By specifying a service principal name for the aws:CalledVia context key, you can make the context key Amazon Web Services service-specific. For example, you can use the aws:CalledVia condition key to limit requests to only those made from Athena. To use the aws:CalledVia condition key in a policy with Athena, you specify the Athena service principal name athena.amazonaws.com, as in the following example.

... "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "athena.amazonaws.com" } } ...

You can use the aws:CalledVia context key to ensure that callers only have access to a resource (like a Lambda function) if they call the resource from Athena.

Note

The aws:CalledVia context key is not compatible with the trusted identity propagation feature.

Add a CalledVia context key for access to Lambda functions

Athena requires the caller to have lambda:InvokeFunction permissions in order to invoke the Lambda function associated with the query. The following statement specifies that the user can invoke Lambda functions only from Athena.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor3", "Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:us-east-1:111122223333:function:OneAthenaLambdaFunction", "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "athena.amazonaws.com" } } } ] }

The following example shows the addition of the previous statement to a policy that allows a user to run and read a federated query. Principals who are allowed to perform these actions can run queries that specify Athena catalogs associated with a federated data source. However, the principal cannot access the associated Lambda function unless the function is invoked through Athena.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "athena:GetWorkGroup", "s3:PutObject", "s3:GetObject", "athena:StartQueryExecution", "s3:AbortMultipartUpload", "athena:StopQueryExecution", "athena:GetQueryExecution", "athena:GetQueryResults", "s3:ListMultipartUploadParts" ], "Resource": [ "arn:aws:athena:*:111122223333:workgroup/WorkGroupName", "arn:aws:s3:::MyQueryResultsBucket/*", "arn:aws:s3:::MyLambdaSpillBucket/MyLambdaSpillPrefix*" ] }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": "athena:ListWorkGroups", "Resource": "*" }, { "Sid": "VisualEditor2", "Effect": "Allow", "Action": [ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource": "arn:aws:s3:::MyLambdaSpillBucket" }, { "Sid": "VisualEditor3", "Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": [ "arn:aws:lambda:*:111122223333:function:OneAthenaLambdaFunction", "arn:aws:lambda:*:111122223333:function:AnotherAthenaLambdaFunction" ], "Condition": { "ForAnyValue:StringEquals": { "aws:CalledVia": "athena.amazonaws.com" } } } ] }

For more information about CalledVia condition keys, see Amazon global condition context keys in the IAM User Guide.