

# Trusted identity propagation with Amazon Athena
<a name="tip-usecase-ate"></a>

The steps to enable trusted identity propagation depend on whether your users interact with Amazon managed applications or customer managed applications. The following diagram shows a trusted identity propagation configuration for client-facing applications - either Amazon managed or external to Amazon - that uses Amazon Athena to query Amazon S3 data with access control provided by Amazon Lake Formation and Amazon S3 Access Grants.

**Note**  
Trusted identity propagation with Amazon Athena requires the use of Trino.
Apache Spark and SQL clients connected to Amazon Athena via ODBC and JDBC drivers are not supported.

![\[Diagram of trusted identity propagation using Athena, Amazon EMR, Lake Formation, and IAM Identity Center\]](http://docs.amazonaws.cn/en_us/singlesignon/latest/userguide/images/ate-tip-diagram.png)


**Amazon managed applications**

The following Amazon managed client-facing application supports trusted identity propagation with Athena:
+ Amazon EMR Studio

**To enable trusted identity propagation, follow these steps:**
+ [Set up Amazon EMR Studio](setting-up-tip-emr.md) as the client-facing application for Athena. The Query Editor in EMR Studio is needed to run Athena queries when trusted identity propagation is enabled.
+ [Set up Athena Workgroup](setting-up-tip-ate.md).
+ [Set up Amazon Lake Formation](tip-tutorial-lf.md) to enable fine-grained access control for Amazon Glue tables based on the user or group in IAM Identity Center.
+ [Set up Amazon S3 Access Grants](tip-tutorial-s3.md) to enable temporary access to the underlying data locations in S3.

**Note**  
Both Lake Formation and Amazon S3 Access Grants are required for access control to Amazon Glue Data Catalog and for Athena query results in Amazon S3.

**Customer managed applications**  
To enable trusted identity propagation for users of *custom-developed applications*, see [Access Amazon Web Services services programmatically using trusted identity propagation](https://amazonaws-china.com/blogs//security/access-aws-services-programmatically-using-trusted-identity-propagation/) in the *Amazon Security Blog*.