Amazon Athena

It's time to start the technical onboarding with Catalog. It's pretty simple: you need to grant Catalog access to your Athena metadata.

What is required to complete the onboarding?

You need the following permissions to complete the onboarding:

  1. Permission to create IAM roles and policies in AWS

  2. Permission to create a user for Catalog, with the roles and policies defined above

1. If needed, whitelist Catalog's IP

Here is our fixed IP: 35.246.176.138

2. Create relevant IAM Policies

Below is the policy to create. It grants only metadata access.

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"athena:GetTableMetadata",
				"athena:StartQueryExecution",
				"athena:GetQueryResults",
				"athena:GetDatabase",
				"athena:GetDataCatalog",
				"athena:ListQueryExecutions",
				"athena:GetWorkGroup",
				"athena:StopQueryExecution",
				"athena:GetQueryResultsStream",
				"athena:ListDatabases",
				"athena:GetQueryExecution",
				"athena:ListTableMetadata",
				"athena:BatchGetQueryExecution"
			],
			"Resource": [
				"arn:aws:athena:<region>:<account_id>:datacatalog/*",
				"arn:aws:athena:<region>:<account_id>:workgroup/*"
			]
		},
		{
			"Effect": "Allow",
			"Action": [
				"glue:GetDatabase",
				"glue:GetDatabases",
				"glue:GetTable",
				"glue:GetTables",
				"glue:GetPartition",
				"glue:GetPartitions",
				"glue:BatchGetPartition",
				"glue:SearchTables",
				"glue:GetTableVersions",
				"glue:GetTableVersion",
				"glue:GetUserDefinedFunctions",
				"glue:GetUserDefinedFunction"
			],
			"Resource": [
				"arn:aws:glue:<region>:<account_id>:tableVersion/*/*/*",
				"arn:aws:glue:<region>:<account_id>:table/*/*",
				"arn:aws:glue:<region>:<account_id>:catalog",
				"arn:aws:glue:<region>:<account_id>:database/*"
			]
		},
		{
			"Effect": "Allow",
			"Action": [
				"s3:GetBucketLocation",
				"s3:GetObject",
				"s3:ListBucket",
				"s3:ListBucketMultipartUploads",
				"s3:ListMultipartUploadParts",
				"s3:AbortMultipartUpload"
			],
			"Resource": [
				"arn:aws:s3:::aws-athena-query-results-*"
			]
		},
		{
			"Effect": "Allow",
			"Action": [
				"s3:ListBucket",
				"s3:GetBucketLocation",
				"s3:ListAllMyBuckets"
			],
			"Resource": [
				"*"
			]
		}
	]
}
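
An added example, not part of Catalog's documentation: a small offline check to run on the policy before creating it in IAM. It verifies the `Version` string, lists allowed actions whose names do not start with a read-style verb (a naming heuristic assumed here, not an AWS classification), and flags statements whose `Resource` is `*`. The function names and the shortened sample policy are constructed for illustration.

```python
import json

VALID_VERSIONS = {"2012-10-17", "2008-10-17"}  # the only values IAM accepts
READ_PREFIXES = ("Get", "List", "BatchGet", "Search")  # naming heuristic (assumption)

def as_list(value):
    """IAM lets Action/Resource/Statement be a single item or a list."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return (statement_index, finding) pairs; index is None for policy-level issues."""
    findings = []
    if policy.get("Version") not in VALID_VERSIONS:
        findings.append((None, "invalid Version: %r" % policy.get("Version")))
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            name = action.partition(":")[2]
            if "*" in action:
                findings.append((i, "wildcard action: " + action))
            elif not name.startswith(READ_PREFIXES):
                findings.append((i, "non-read action: " + action))
        if "*" in as_list(stmt.get("Resource", [])):
            findings.append((i, "Resource is '*'"))
    return findings

# Constructed sample: a shortened copy of the policy above (placeholders kept as-is).
SAMPLE = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["athena:GetTableMetadata", "athena:StartQueryExecution",
                "athena:StopQueryExecution"],
     "Resource": ["arn:aws:athena:<region>:<account_id>:workgroup/*"]},
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:AbortMultipartUpload"],
     "Resource": ["arn:aws:s3:::aws-athena-query-results-*"]},
    {"Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:ListAllMyBuckets"],
     "Resource": ["*"]}
  ]
}
""")

if __name__ == "__main__":
    for index, finding in audit_policy(SAMPLE):
        print(index, finding)
```

To audit the full policy, save it to a file and pass `json.load(open(path))` to `audit_policy`; each finding is an item to review against your own least-privilege requirements before attaching the policy to the Catalog user.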

3. Create a Catalog user

  • Create a user following these instructions provided by Amazon: Creating an Amazon User.

  • Add the policy created above to this user

4. Add the user's connection info to Catalog

On Catalog's Athena integration page, add your credentials in the following format:

{
	"aws_region": "<your_region>",
	"aws_account_id": "<your_account>",
	"access_key_id": "<your_key_id>",
	"access_key_secret": "<your_secret>"
}
