Trusted identity propagation with Amazon Athena
The steps to enable trusted identity propagation depend on whether your users interact with Amazon managed applications or customer managed applications. The following diagram shows a trusted identity propagation configuration for client-facing applications - either Amazon managed or external to Amazon - that uses Amazon Athena to query Amazon S3 data with access control provided by Amazon Lake Formation and Amazon S3 Access Grants.
Note
- Trusted identity propagation with Amazon Athena requires the use of Trino.
- Apache Spark and SQL clients connected to Amazon Athena via ODBC and JDBC drivers are not supported.

Amazon managed applications
The following Amazon managed client-facing application supports trusted identity propagation with Athena:
- Amazon EMR Studio
To enable trusted identity propagation, follow these steps:
- Set up Amazon EMR Studio as the client-facing application for Athena. The Query Editor in EMR Studio is needed to run Athena queries when trusted identity propagation is enabled.
- Set up Amazon Lake Formation to enable fine-grained access control for Amazon Glue tables based on the user or group in IAM Identity Center.
- Set up Amazon S3 Access Grants to enable temporary access to the underlying data locations in S3.
Note
Both Lake Formation and Amazon S3 Access Grants are required for access control to Amazon Glue Data Catalog and for Athena query results in Amazon S3.
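As an added example (not part of this documentation page and not AWS-provided code), the following POSIX shell script wires the Lake Formation and S3 Access Grants steps together with AWS CLI calls: it connects Lake Formation to the IAM Identity Center instance, grants SELECT on one Glue table to an Identity Center user rather than an IAM role, creates an S3 Access Grants instance tied to the same Identity Center instance, and registers grants for both the data location and the Athena query-results location, since the note above says both are needed. The account ID, Identity Center instance ARN, user ID, bucket names, IAM role, database and table names are constructed placeholders; EMR Studio creation (the first step) is left to the console. Setting AWS_CMD to `echo aws` prints the calls instead of executing them, which is how the script can be reviewed before it touches an account.

```shell
#!/bin/sh
# Added example: Lake Formation + S3 Access Grants setup for trusted identity
# propagation with Athena. Every identifier below is a constructed placeholder.
set -eu

# Override with AWS_CMD="echo aws" to dry-run (print the CLI calls, run nothing).
AWS_CMD="${AWS_CMD:-aws}"

ACCOUNT_ID="111122223333"                                        # placeholder account
IDC_INSTANCE_ARN="arn:aws:sso:::instance/ssoins-EXAMPLE"         # placeholder Identity Center instance
IDC_USER_ID="00000000-0000-0000-0000-000000000000"               # placeholder Identity Center user id
DATA_BUCKET="example-data-bucket"                                # placeholder
RESULTS_BUCKET="example-athena-results"                          # placeholder
LOCATION_ROLE_ARN="arn:aws:iam::111122223333:role/S3AccessGrantsLocationRole"  # placeholder

# Lake Formation addresses Identity Center users as identitystore ARNs
# (groups use .../group/<id> instead of .../user/<id>).
lf_principal_for_user() {
  printf 'arn:aws:identitystore:::user/%s' "$1"
}

# Step: link Lake Formation to the Identity Center instance, then grant SELECT
# on a single Glue table directly to the Identity Center user. No IAM role is
# named in the grant; the propagated identity is what Lake Formation evaluates.
setup_lake_formation() {
  db="$1"; table="$2"
  $AWS_CMD lakeformation create-lake-formation-identity-center-configuration \
    --catalog-id "$ACCOUNT_ID" --instance-arn "$IDC_INSTANCE_ARN"
  $AWS_CMD lakeformation grant-permissions \
    --principal "DataLakePrincipalIdentifier=$(lf_principal_for_user "$IDC_USER_ID")" \
    --resource "{\"Table\":{\"DatabaseName\":\"$db\",\"Name\":\"$table\"}}" \
    --permissions SELECT
}

# Step: create the S3 Access Grants instance bound to the same Identity Center
# instance, so grantees can be directory users and groups.
create_access_grants_instance() {
  $AWS_CMD s3control create-access-grants-instance \
    --account-id "$ACCOUNT_ID" --identity-center-arn "$IDC_INSTANCE_ARN"
}

# Register an S3 prefix as an Access Grants location; prints the location id.
# LOCATION_ROLE_ARN is the role Access Grants assumes to vend scoped credentials.
register_location() {
  $AWS_CMD s3control create-access-grants-location \
    --account-id "$ACCOUNT_ID" --location-scope "$1" \
    --iam-role-arn "$LOCATION_ROLE_ARN" \
    --query AccessGrantsLocationId --output text
}

# Grant the Identity Center user READ or READWRITE on a registered location.
grant_user() {
  location_id="$1"; permission="$2"
  $AWS_CMD s3control create-access-grant \
    --account-id "$ACCOUNT_ID" \
    --access-grants-location-id "$location_id" \
    --grantee "GranteeType=DIRECTORY_USER,GranteeIdentifier=$IDC_USER_ID" \
    --permission "$permission"
}

# Run with "apply" to execute the sequence; without it only the functions load.
if [ "${1:-}" = "apply" ]; then
  setup_lake_formation "sales_db" "orders"
  create_access_grants_instance
  data_loc=$(register_location "s3://$DATA_BUCKET/")
  grant_user "$data_loc" READ                       # read the table's underlying objects
  results_loc=$(register_location "s3://$RESULTS_BUCKET/athena-results/")
  grant_user "$results_loc" READWRITE               # Athena writes query results here
fi
```

Usage: `AWS_CMD="echo aws" sh setup.sh apply` prints the six CLI calls; `sh setup.sh apply` runs them with the caller's credentials. Keep the READ grant on the data prefix and the READWRITE grant on the results prefix separate, so a user who may read a table cannot write into the data location.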
Customer managed applications
To enable trusted identity propagation for users of custom-developed applications, see Access Amazon Web Services services programmatically using trusted identity propagation.