Using IAM Identity Center enabled Athena workgroups - Amazon Athena
Considerations and limitationsCreating an IAM Identity Center enabled Athena workgroup
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Using IAM Identity Center enabled Athena workgroups

The trusted identity propagation feature of Amazon IAM Identity Center permits your workforce identities to be used across Amazon analytics services. Trusted identity propagation saves you from having to perform service-specific identity provider configurations or IAM role setups.

With IAM Identity Center, you can manage sign-in security for your workforce identities, also known as workforce users. IAM Identity Center provides one place where you can create or connect workforce users and centrally manage their access across all their Amazon accounts and applications. You can use multi-account permissions to assign these users access to Amazon Web Services accounts. You can use application assignments to assign your users access to IAM Identity Center enabled applications, cloud applications, and customer Security Assertion Markup Language (SAML 2.0) applications. For more information, see Trusted identity propagation across applications in the Amazon IAM Identity Center User Guide.

Currently, Athena SQL support for trusted identity propagation lets you use the same identity for Amazon EMR Studio and the Athena SQL interface in EMR Studio. To use IAM Identity Center identities with Athena SQL in EMR Studio, you must create IAM Identity Center enabled workgroups in Athena. You can then use the IAM Identity Center console or API to assign IAM Identity Center users or groups to the IAM Identity Center enabled Athena workgroups. Queries from an Athena workgroup that uses trusted identity propagation must be run from the Athena SQL interface in an EMR Studio that has IAM Identity Center enabled.

Considerations and limitations

When you use trusted identity propagation with Amazon Athena, consider the following points:

  • You cannot change the authentication method for the workgroup after the workgroup is created.

    • Existing Athena SQL workgroups cannot be modified to support IAM Identity Center enabled workgroups.

    • IAM Identity Center enabled workgroups cannot be modified to support resource-level IAM permissions or identity based IAM policies.

  • To access trusted identity propagation enabled workgroups, IAM Identity Center users must be assigned to the IdentityCenterApplicationArn that is returned by the response of the Athena GetWorkGroup API action.

  • Amazon S3 Access Grants must be configured to use trusted identity propagation identities. For more information, see S3 Access Grants and corporate directory identities in the Amazon S3 User Guide.

  • IAM Identity Center enabled Athena workgroups require Lake Formation to be configured to use IAM Identity Center identities. For configuration information, see Integrating IAM Identity Center in the Amazon Lake Formation Developer Guide.

  • By default, queries time out after 30 minutes in workgroups that use trusted identity propagation. You can request a query timeout increase, but the maximum a query can run in trusted identity propagation workgroups is one hour.

  • User or group entitlement changes in trusted identity propagation workgroups can require up to an hour to take effect.

  • Queries in an Athena workgroup that uses trusted identity propagation cannot be run directly from the Athena console. They must be run from the Athena interface in an EMR Studio that has IAM Identity Center enabled. For more information about using Athena in EMR Studio, see Use the Amazon Athena SQL editor in EMR Studio in the Amazon EMR Management Guide.

  • Trusted identity propagation is not compatible with the following Athena features.

    • aws:CalledVia context keys.

    • Athena for Spark workgroups.

    • Federated access to the Athena API.

    • Federated access to Athena using Lake Formation and the Athena JDBC and ODBC drivers.

  • You can use trusted identity propagation with Athena only in the following Amazon Web Services Regions:

    • us-east-2 – US East (Ohio)

    • us-east-1 – US East (N. Virginia)

    • us-west-1 – US West (N. California)

    • us-west-2 – US West (Oregon)

    • af-south-1 – Africa (Cape Town)

    • ap-east-1 – Asia Pacific (Hong Kong)

    • ap-southeast-3 – Asia Pacific (Jakarta)

    • ap-south-1 – Asia Pacific (Mumbai)

    • ap-northeast-3 – Asia Pacific (Osaka)

    • ap-northeast-2 – Asia Pacific (Seoul)

    • ap-southeast-1 – Asia Pacific (Singapore)

    • ap-southeast-2 – Asia Pacific (Sydney)

    • ap-northeast-1 – Asia Pacific (Tokyo)

    • ca-central-1 – Canada (Central)

    • eu-central-1 – Europe (Frankfurt)

    • eu-west-1 – Europe (Ireland)

    • eu-west-2 – Europe (London)

    • eu-south-1 – Europe (Milan)

    • eu-west-3 – Europe (Paris)

    • eu-north-1 – Europe (Stockholm)

    • me-south-1 – Middle East (Bahrain)

    • sa-east-1 – South America (São Paulo)

The IAM user of the admin who creates the IAM Identity Center enabled workgroup in the Athena console must have the following policies attached.

  • The AmazonAthenaFullAccess managed policy. For details, see Amazon managed policy: AmazonAthenaFullAccess.

  • The following inline policy that allows IAM and IAM Identity Center actions:

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:createRole",
                "iam:CreatePolicy",
                "iam:AttachRolePolicy",
                "iam:ListRoles",
                "iam:PassRole",
                "identitystore:ListUsers",
                "identitystore:ListGroups",
                "identitystore:CreateUser",
                "identitystore:CreateGroup",
                "sso:ListInstances",
                "sso:CreateInstance",
                "sso:DeleteInstance",
                "sso:DescribeUser",
                "sso:DescribeGroup",
                "sso:ListTrustedTokenIssuers",
                "sso:DescribeTrustedTokenIssuer",
                "sso:ListApplicationAssignments",
                "sso:DescribeRegisteredRegions",
                "sso:GetManagedApplicationInstance",
                "sso:GetSharedSsoConfiguration",
                "sso:PutApplicationAssignmentConfiguration",
                "sso:CreateApplication",
                "sso:DeleteApplication",
                "sso:PutApplicationGrant",
                "sso:PutApplicationAuthenticationMethod",
                "sso:PutApplicationAccessScope",
                "sso:ListDirectoryAssociations",
                "sso:CreateApplicationAssignment",
                "sso:DeleteApplicationAssignment",
                "organizations:ListDelegatedAdministrators",
                "organizations:DescribeAccount",
                "organizations:DescribeOrganization",
                "organizations:CreateOrganization",
                "sso-directory:SearchUsers",
                "sso-directory:SearchGroups",
                "sso-directory:CreateUser"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        }
    ]
}

Creating an IAM Identity Center enabled Athena workgroup

The following procedure shows the steps and options related to creating an IAM Identity Center enabled Athena workgroup. For a description of the other configuration options available for Athena workgroups, see Create a workgroup.

To create an SSO enabled workgroup in the Athena console

  1. Open the Athena console at https://console.amazonaws.cn/athena/.

  2. In the Athena console navigation pane, choose Workgroups.

  3. On the Workgroups page, choose Create workgroup.

  4. On the Create workgroup page, for Workgroup name, enter a name for the workgroup.

  5. For Analytics engine, use the Athena SQL default.

  6. For Authentication, choose IAM Identity Center.

  7. For Service role for IAM Identity Center access, choose an existing service role, or create a new one.

    Athena requires permissions to access IAM Identity Center for you. A service role is required for Athena to do this. A service role is an IAM role that you manage that authorizes an Amazon service to access other Amazon services on your behalf. For more information, see Creating a role to delegate permissions to an Amazon service in the IAM User Guide.

  8. Expand Query result configuration, and then enter or choose an Amazon S3 path for Location of query result.

  9. (Optional) Choose Encrypt query results.

  10. (Optional) Choose Create user identity based S3 prefix.

    When you create an IAM Identity Center enabled workgroup, the Enable S3 Access Grants option is selected by default. You can use Amazon S3 Access Grants to control access to Athena query results locations (prefixes) in Amazon S3. For more information about Amazon S3 Access Grants, see Managing access with Amazon S3 Access Grants.

    In Athena workgroups that use IAM Identity Center authentication, you can enable the creation of identity based query result locations that are governed by Amazon S3 Access Grants. These user identity based Amazon S3 prefixes let users in an Athena workgroup keep their query results isolated from other users in the same workgroup.

    When you enable the user prefix option, Athena appends the user ID as an Amazon S3 path prefix to the query result output location for the workgroup (for example, s3://DOC-EXAMPLE-BUCKET/${user_id}). To use this feature, you must configure Access Grants to allow only the user permission to the location that has the user_id prefix. For a sample Amazon S3 Access Grants location role policy that restricts access to Athena query results, see Sample role policy.

    Note

    Selecting the user identity S3 prefix option automatically enables the override client-side settings option for the workgroup, as described in the next step. The override client-side settings option is a requirement for the user identity prefix feature.

  11. Expand Settings, and then confirm that Override client-side settings is selected.

    When you select Override client-side settings, workgroup settings are enforced at the workgroup level for all clients in the workgroup. For more information, see Workgroup settings override client-side settings.

  12. (Optional) Make any other configuration settings that you require as described in Create a workgroup.

  13. Choose Create workgroup.

  14. Use the Workgroups section of the Athena console to assign users or groups from your IAM Identity Center directory to your IAM Identity Center enabled Athena workgroup.

The following sample shows a policy for a role to attach to an Amazon S3 Access Grant location that restricts access to Athena query results. 

{
    "Statement": [{
        "Action": ["s3:*"],
        "Condition": {
            "ArnNotEquals": {
                "s3:AccessGrantsInstanceArn": "arn:aws:s3:${region}:${account}:access-grants/default"
            },
            "StringNotEquals": {
                "aws:ResourceAccount": "${account}"
            }
        },
        "Effect": "Deny",
        "Resource": "*",
        "Sid": "ExplicitDenyS3"
    }, {
        "Action": ["kms:*"],
        "Effect": "Deny",
        "NotResource": "arn:aws:kms:${region}:${account}:key/${keyid}",
        "Sid": "ExplictDenyKMS"
    }, {
        "Action": ["s3:ListMultipartUploadParts", "s3:GetObject"],
        "Condition": {
            "ArnEquals": {
                "s3:AccessGrantsInstanceArn": "arn:aws:s3:${region}:${account}:access-grants/default"
            },
            "StringEquals": {
                "aws:ResourceAccount": "${account}"
            }
        },
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::ATHENA-QUERY-RESULT-LOCATION/${identitystore:UserId}/*",
        "Sid": "ObjectLevelReadPermissions"
    }, {
        "Action": ["s3:PutObject", "s3:AbortMultipartUpload"],
        "Condition": {
            "ArnEquals": {
                "s3:AccessGrantsInstanceArn": "arn:aws:s3:${region}:${account}:access-grants/default"
            },
            "StringEquals": {
                "aws:ResourceAccount": "${account}"
            }
        },
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::ATHENA-QUERY-RESULT-LOCATION/${identitystore:UserId}/*",
        "Sid": "ObjectLevelWritePermissions"
    }, {
        "Action": "s3:ListBucket",
        "Condition": {
            "ArnEquals": {
                "s3:AccessGrantsInstanceArn": "arn:aws:s3:${region}:${account}:access-grants/default"
            },
            "StringEquals": {
                "aws:ResourceAccount": "${account}"
            },
            "StringLikeIfExists": {
                "s3:prefix": ["${identitystore:UserId}", "${identitystore:UserId}/*"]
            }
        },
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::ATHENA-QUERY-RESULT-LOCATION",
        "Sid": "BucketLevelReadPermissions"
    }, {
        "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
        "Effect": "Allow",
        "Resource": "arn:aws:kms:${region}:${account}:key/${keyid}",
        "Sid": "KMSPermissions"
    }],
    "Version": "2012-10-17"
}