Access to workgroups and tags

A workgroup is a resource managed by Athena. Therefore, if your workgroup policy uses actions that take workgroup as an input, you must specify the workgroup's ARN as follows, where workgroup-name is the name of your workgroup:


"Resource": [arn:aws:athena:region:AWSAcctID:workgroup/workgroup-name]

For example, for a workgroup named test_workgroup in the us-west-2 region for Amazon Web Services account 123456789012, specify the workgroup as a resource using the following ARN:


"Resource":["arn:aws:athena:us-east-2:123456789012:workgroup/test_workgroup"]

To access trusted identity propagation (TIP) enabled workgroups, IAM Identity Center users must be assigned to the IdentityCenterApplicationArn that is returned by the response of the Athena GetWorkGroup API action.

For a list of workgroup policies, see Workgroup example policies.
For a list of tag-based policies for workgroups, see Tag-based IAM access control policies.
For more information about creating IAM policies for workgroups, see IAM policies for accessing workgroups.
For a complete list of Amazon Athena actions, see the API action names in the Amazon Athena API Reference.
For more information about IAM policies, see Creating policies with the visual editor in the IAM User Guide.

Whenever you use IAM policies, make sure that you follow IAM best practices. For more information, see Security best practices in IAM in the IAM User Guide.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Access to encrypted metadata in the Data Catalog

Allow access to prepared statements