Using trusted identity propagation with Athena
Trusted identity propagation gives Amazon services access to Amazon resources based on the user’s identity context and securely shares this user’s identity with other Amazon services. These capabilities enable user access to be more easily defined, granted, and logged.
When administrators configure QuickSight, Athena, Amazon S3 Access Grants, and Amazon Lake Formation with IAM Identity Center, they can now enable trusted identity propagation across these services and allow the user’s identity to be propagated across services. When data is accessed from QuickSight by an IAM Identity Center user, Athena or Lake Formation can make authorization decisions using the permissions defined for their user or group membership from the organization’s identity provider.
Trusted identity propagation with Athena only works when permissions are managed through Lake Formation. User permissions to data reside in Lake Formation.
Prerequisites
Before you get started, make sure that you have the following required prerequisites completed.
Important
As you complete the following prerequisites, note that your IAM Identity Center instance, Athena workgroup, Lake Formation and Amazon S3 Access Grants must all be deployed in the same Amazon Region.
- Configure your QuickSight account with IAM Identity Center. Trusted identity propagation is only supported for QuickSight accounts that are integrated with IAM Identity Center. For more information, see Configure your Amazon QuickSight account with IAM Identity Center.
Note
To create Athena data sources, you must be an IAM Identity Center user (author) in a QuickSight account that uses IAM Identity Center.
- An Athena workgroup that is enabled with IAM Identity Center. The Athena workgroup that you use must be using the same IAM Identity Center instance as the QuickSight account. For more information about configuring an Athena workgroup, see Creating an IAM Identity Center enabled Athena workgroup in the Amazon Athena User Guide.
- Access to the Athena query results bucket is managed with Amazon S3 Access Grants. For more details, see Managing access with Amazon S3 Access Grants in the Amazon S3 User Guide. If your query results are encrypted with an Amazon KMS key, the Amazon S3 Access Grants IAM role and the Athena workgroup role both need permissions to Amazon KMS. For more information, see Amazon S3 Access Grants and corporate directory identities in the Amazon S3 User Guide. The Amazon S3 Access Grants role should have the STS:SetContext action in its trust policy for identity propagation. To see an example, see Register a location in the Amazon S3 User Guide.
- Permissions to data must be managed with Lake Formation, and Lake Formation must be configured with the same IAM Identity Center instance as QuickSight and the Athena workgroup. For configuration information, see Integrating IAM Identity Center in the Amazon Lake Formation Developer Guide.
- The data lake administrator needs to grant permissions to IAM Identity Center users and groups in Lake Formation. For more details, see Granting permissions to users and groups in the Amazon Lake Formation Developer Guide.
- The QuickSight administrator needs to authorize connections to Athena. For details, see Authorizing connections to Amazon Athena. Note that with trusted identity propagation, you do not need to give the QuickSight role Amazon S3 bucket permissions or Amazon KMS permissions. You do need to keep the users and groups that have permissions to the Athena workgroup in sync with the Amazon S3 Access Grants permissions on the bucket that stores query results, so that those users can run queries and retrieve their query results from the bucket using trusted identity propagation.
Configure IAM role with required permissions
To use trusted identity propagation with Athena, your QuickSight account must have the required permissions to access your resources. To provide those permissions, you must configure your QuickSight account to use an IAM role with the permissions.
If your QuickSight account is already using a custom IAM role, you can modify that one. If you do not have an existing IAM role, create one by following the instructions in Create a role for an IAM user in the IAM User Guide.
The IAM role you create or modify must contain the following trust policy and permissions.
Required trust policy
For information about updating the trust policy of an IAM role, see Update a role trust policy.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "QuickSightandAthenaTrust",
            "Effect": "Allow",
            "Principal": {
                "Service": "quicksight.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRole",
                "sts:SetContext"
            ]
        }
    ]
}
Required Athena permissions
For information about updating the permissions of an IAM role, see Update permissions for a role.
Note
The Resource element uses the * wildcard. We recommend that you update it to include only the Athena resources you want to use with QuickSight.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "athena:BatchGetQueryExecution",
                "athena:CancelQueryExecution",
                "athena:GetCatalogs",
                "athena:GetExecutionEngine",
                "athena:GetExecutionEngines",
                "athena:GetNamespace",
                "athena:GetNamespaces",
                "athena:GetQueryExecution",
                "athena:GetQueryExecutions",
                "athena:GetQueryResults",
                "athena:GetQueryResultsStream",
                "athena:GetTable",
                "athena:GetTables",
                "athena:ListQueryExecutions",
                "athena:RunQuery",
                "athena:StartQueryExecution",
                "athena:StopQueryExecution",
                "athena:ListWorkGroups",
                "athena:ListEngineVersions",
                "athena:GetWorkGroup",
                "athena:GetDataCatalog",
                "athena:GetDatabase",
                "athena:GetTableMetadata",
                "athena:ListDataCatalogs",
                "athena:ListDatabases",
                "athena:ListTableMetadata"
            ],
            "Resource": "*"
        }
    ]
}
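The following is an added example (not AWS code) that checks the two policies above before you attach them: it confirms the trust policy lets QuickSight both assume the role and call sts:SetContext, lists the statements that still grant Athena actions on the * wildcard, and splits such a statement so that only the actions you name stay on * while the rest are limited to specific workgroup ARNs. The function names are hypothetical; which Athena actions cannot be resource-scoped is something you must supply from the IAM documentation, and the workgroup name example-wg is a constructed value.

```python
# Trust policy as shown in the documentation above.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "QuickSightandAthenaTrust", "Effect": "Allow",
    "Principal": {"Service": "quicksight.amazonaws.com"},
    "Action": ["sts:AssumeRole", "sts:SetContext"]}]}

# Shortened copy of the Athena permissions policy above (constructed sample input).
ATHENA_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["athena:StartQueryExecution", "athena:GetQueryResults",
               "athena:GetWorkGroup", "athena:ListWorkGroups"],
    "Resource": "*"}]}

def _as_list(value):  # IAM accepts a string or a list; normalize to a list
    return value if isinstance(value, list) else [value]

def trust_policy_allows_propagation(policy):
    """True if QuickSight may both assume the role and set identity context."""
    for stmt in policy["Statement"]:
        services = _as_list(stmt.get("Principal", {}).get("Service", []))
        actions = set(_as_list(stmt.get("Action", [])))
        if (stmt.get("Effect") == "Allow" and "quicksight.amazonaws.com" in services
                and {"sts:AssumeRole", "sts:SetContext"} <= actions):
            return True
    return False

def _is_wildcard_athena(stmt):
    return (stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", []))
            and any(a.startswith("athena:") for a in _as_list(stmt.get("Action", []))))

def wildcard_athena_statements(policy):
    """Indexes of Allow statements granting athena:* actions on Resource '*'."""
    return [i for i, s in enumerate(policy["Statement"]) if _is_wildcard_athena(s)]

def scope_to_workgroups(policy, workgroup_arns, keep_wildcard):
    """New policy where each wildcard Athena statement is split: actions in
    keep_wildcard (ones you know require '*') stay on '*', the rest are
    limited to workgroup_arns. The input policy is not modified."""
    rewritten = []
    for stmt in policy["Statement"]:
        if not _is_wildcard_athena(stmt):
            rewritten.append(stmt)
            continue
        actions = _as_list(stmt["Action"])
        scoped = [a for a in actions if a not in keep_wildcard]
        wild = [a for a in actions if a in keep_wildcard]
        if scoped:
            rewritten.append({"Effect": "Allow", "Action": scoped, "Resource": list(workgroup_arns)})
        if wild:
            rewritten.append({"Effect": "Allow", "Action": wild, "Resource": "*"})
    return {**policy, "Statement": rewritten}
```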
Configure your QuickSight account to use the IAM role
After configuring the IAM role in the previous step, you must configure your QuickSight account to use it. For information about how to do that, see Using existing IAM roles in Amazon QuickSight.
Update the identity propagation config with the Amazon CLI
To authorize QuickSight to propagate end user identities to Athena workgroups, run the following update-identity-propagation-config API from the Amazon CLI, replacing the following values:
Replace us-west-2 with the Amazon Region that your IAM Identity Center instance is in.
Replace 111122223333 with your Amazon account ID.
aws quicksight update-identity-propagation-config \
    --service ATHENA \
    --region us-west-2 \
    --aws-account-id 111122223333
Create an Athena dataset in QuickSight
Now, create an Athena dataset in QuickSight configured with the IAM Identity Center enabled Athena workgroup you want to connect to. For information about how to create an Athena dataset, see Creating a dataset using Amazon Athena data.
Key callouts, considerations, and limits
The following list contains some important considerations when using trusted identity propagation with QuickSight and Athena.
- QuickSight Athena data sources that use trusted identity propagation have Lake Formation permissions evaluated against the IAM Identity Center end user and the IAM Identity Center groups that the user belongs to.
- When using Athena data sources that use trusted identity propagation, we recommend that any fine-grained access control is done in Lake Formation. However, if you elect to use QuickSight's scope-down policy feature, scope-down policies will be evaluated against the end user.
- The following features are disabled for data sources and datasets that use trusted identity propagation: SPICE datasets, custom SQL on data sources, threshold alerts, email reports, Q Topics, stories, scenarios, CSV, Excel, and PDF exports, and anomaly detection.
- If you experience high latency or timeouts, it may be because of a combination of a high number of IAM Identity Center groups, Athena databases, tables, and Lake Formation rules. We recommend using only the necessary number of those resources.