Actions, resources, and condition keys for Amazon Athena - Service Authorization Reference

Actions, resources, and condition keys for Amazon Athena

Amazon Athena (service prefix: athena) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by Amazon Athena

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
BatchGetNamedQuery Grants permission to get information about one or more named queries Read

workgroup*

BatchGetPreparedStatement Grants permission to get information about one or more prepared statements Read

workgroup*

BatchGetQueryExecution Grants permission to get information about one or more query executions Read

workgroup*

CancelCapacityReservation Grants permission to cancel a capacity reservation Write

capacity-reservation*

CancelQueryExecution Grants permission to cancel query execution. Deprecated. Applies only to AWS services and principals that use Athena JDBC driver earlier than 1.1.0. Use StopQueryExecution otherwise Write

workgroup*

CreateCapacityReservation Grants permission to create a capacity reservation Write

capacity-reservation*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateDataCatalog Grants permission to create a datacatalog Write

datacatalog*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateNamedQuery Grants permission to create a named query Write

workgroup*

CreateNotebook Grants permission to create a notebook Write

workgroup*

CreatePreparedStatement Grants permission to create a prepared statement Write

workgroup*

CreatePresignedNotebookUrl Grants permission to create a presigned notebook url Write

workgroup*

CreateWorkGroup Grants permission to create a workgroup Write

workgroup*

aws:RequestTag/${TagKey}

aws:TagKeys

DeleteCapacityReservation Grants permission to delete a capacity reservation Write

capacity-reservation*

DeleteDataCatalog Grants permission to delete a datacatalog Write

datacatalog*

DeleteNamedQuery Grants permission to delete a named query specified Write

workgroup*

DeleteNotebook Grants permission to delete a notebook Write

workgroup*

DeletePreparedStatement Grants permission to delete a prepared statement specified Write

workgroup*

DeleteWorkGroup Grants permission to delete a workgroup Write

workgroup*

ExportNotebook Grants permission to export a notebook Write

workgroup*

GetCalculationExecution Grants permission to get a calculation execution Read

workgroup*

GetCalculationExecutionCode Grants permission to get a calculation execution code Read

workgroup*

GetCalculationExecutionStatus Grants permission to get a calculation execution status Read

workgroup*

GetCapacityAssignmentConfiguration Grants permission to get capacity assignment information for a capacity reservation Read

capacity-reservation*

GetCapacityReservation Grants permission to get a capacity reservation Read

capacity-reservation*

GetCatalogs Grants permission to enable access to databases and tables. Applies only to AWS services managed policy and principals that use an Athena JDBC driver version 1.1.0 Read
GetDataCatalog Grants permission to get a datacatalog Read

datacatalog*

GetDatabase Grants permission to get a database for a given datacatalog Read

datacatalog*

GetExecutionEngine Grants permission to enable access to the specified database and table. Applies only to AWS services managed policy and principals that use an Athena JDBC driver version 1.1.0 Read
GetExecutionEngines Grants permission to enable access to databases and tables. Applies only to AWS services managed policy and principals that use an Athena JDBC driver version 1.1.0 Read
GetNamedQuery Grants permission to get information about the specified named query Read

workgroup*

GetNamespace Grants permission to enable access to the specified database and table. Applies only to AWS services managed policy and principals that use an Athena JDBC driver version 1.1.0 Read
GetNamespaces Grants permission to enable access to databases and tables. Applies only to AWS services managed policy and principals that use an Athena JDBC driver version 1.1.0 Read
GetNotebookMetadata Grants permission to get notebook metadata Read

workgroup*

GetPreparedStatement Grants permission to get information about the specified prepared statement Read

workgroup*

GetQueryExecution Grants permission to get information about the specified query execution Read

workgroup*

GetQueryExecutions Grants permission to get query executions. Deprecated. Applies only to AWS services and principals that use Athena JDBC driver earlier than 1.1.0. Use ListQueryExecutions otherwise Read
GetQueryResults Grants permission to get the query results Read

workgroup*

GetQueryResultsStream Grants permission to get the query results stream Read

workgroup*

GetQueryRuntimeStatistics Grants permission to get runtime statistics for the specified query execution Read

workgroup*

GetSession Grants permission to get a session Read

workgroup*

GetSessionStatus Grants permission to get a session status Read

workgroup*

GetTable Grants permission to enable access to the specified table. Applies only to AWS services managed policy and principals that use an Athena JDBC driver version 1.1.0 Read
GetTableMetadata Grants permission to get a metadata about a table for a given datacatalog Read

datacatalog*

GetTables Grants permission to enable access to tables. Applies only to AWS services managed policy and principals that use an Athena JDBC driver version 1.1.0 Read
GetWorkGroup Grants permission to get a workgroup Read

workgroup*

ImportNotebook Grants permission to import a notebook Write

workgroup*

ListApplicationDPUSizes Grants permission to return a list of ApplicationRuntimeIds List
ListCalculationExecutions Grants permission to return a list of calculation executions List

workgroup*

ListCapacityReservations Grants permission to return a list of capacity reservations for the specified AWS account List
ListDataCatalogs Grants permission to return a list of datacatalogs for the specified AWS account List
ListDatabases Grants permission to return a list of databases for a given datacatalog List

datacatalog*

ListEngineVersions Grants permission to return a list of athena engine versions for the specified AWS account Read
ListExecutors Grants permission to return a list of executors List
ListNamedQueries Grants permission to return a list of named queries in Amazon Athena for the specified AWS account List

workgroup*

ListNotebookMetadata Grants permission to return a list of notebooks for a given workgroup List

workgroup*

ListNotebookSessions Grants permission to return a list of sessions for a given notebook List

workgroup*

ListPreparedStatements Grants permission to return a list of prepared statements for the specified workgroup List

workgroup*

ListQueryExecutions Grants permission to return a list of query executions for the specified AWS account Read

workgroup*

ListSessions Grants permission to return a list of sessions for a given workgroup List

workgroup*

ListTableMetadata Grants permission to return a list of table metadata in a database for a given datacatalog Read

datacatalog*

ListTagsForResource Grants permission to return a list of tags for a resource Read

capacity-reservation*

datacatalog*

workgroup*

ListWorkGroups Grants permission to return a list of workgroups for the specified AWS account List
PutCapacityAssignmentConfiguration Grants permission to assign capacity from a capacity reservation to queries Write

capacity-reservation*

workgroup*

RunQuery Grants permission to run a query. Deprecated. Applies only to AWS services and principals that use Athena JDBC driver earlier than 1.1.0. Use StartQueryExecution otherwise Write
StartCalculationExecution Grants permission to start a calculation execution Write

workgroup*

StartQueryExecution Grants permission to start a query execution using an SQL query provided as a string Write

workgroup*

StartSession Grants permission to start a session Write

workgroup*

StopCalculationExecution Grants permission to stop a calculation execution Write

workgroup*

StopQueryExecution Grants permission to stop the specified query execution Write

workgroup*

TagResource Grants permission to add a tag to a resource Tagging

capacity-reservation*

datacatalog*

workgroup*

aws:RequestTag/${TagKey}

aws:TagKeys

TerminateSession Grants permission to terminate a session Write

workgroup*

UntagResource Grants permission to remove a tag from a resource Tagging

capacity-reservation*

datacatalog*

workgroup*

aws:TagKeys

UpdateCapacityReservation Grants permission to update a capacity reservation Write

capacity-reservation*

UpdateDataCatalog Grants permission to update a datacatalog Write

datacatalog*

UpdateNamedQuery Grants permission to update a named query specified Write

workgroup*

UpdateNotebook Grants permission to update a notebook Write

workgroup*

UpdateNotebookMetadata Grants permission to update notebook metadata Write

workgroup*

UpdatePreparedStatement Grants permission to update a prepared statement Write

workgroup*

UpdateWorkGroup Grants permission to update a workgroup Write

workgroup*

Resource types defined by Amazon Athena

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
datacatalog arn:${Partition}:athena:${Region}:${Account}:datacatalog/${DataCatalogName}

aws:ResourceTag/${TagKey}

workgroup arn:${Partition}:athena:${Region}:${Account}:workgroup/${WorkGroupName}

aws:ResourceTag/${TagKey}

capacity-reservation arn:${Partition}:athena:${Region}:${Account}:capacity-reservation/${CapacityReservationName}

aws:ResourceTag/${TagKey}

Condition keys for Amazon Athena

Amazon Athena defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access by the presence of tag key-value pairs in the request String
aws:ResourceTag/${TagKey} Filters access by the tag key-value pairs attached to the resource String
aws:TagKeys Filters access by the the presence of tag keys in the request ArrayOfString