Allow Access to an Athena Data Connector for External Hive Metastore - Amazon Athena

Allow Access to an Athena Data Connector for External Hive Metastore

The permission policy examples in this topic demonstrate required allowed actions and the resources for which they are allowed. Examine these policies carefully and modify them according to your requirements before you attach similar permissions policies to IAM identities.

Example – Allow an IAM Principal to Query Data Using Athena Data Connector for External Hive Metastore

The following policy is attached to IAM principals in addition to the AmazonAthenaFullAccess Managed Policy, which grants full access to Athena actions.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "lambda:GetFunction", "lambda:GetLayerVersion", "lambda:InvokeFunction" ], "Resource": [ "arn:aws:lambda:*:MyAWSAcctId:function:MyAthenaLambdaFunction", "arn:aws:lambda:*:MyAWSAcctId:function:AnotherAthenaLambdaFunction", "arn:aws:lambda:*:MyAWSAcctId:layer:MyAthenaLambdaLayer:*" ] }, { "Sid": "VisualEditor2", "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload" ], "Resource": "arn:aws:s3:::MyLambdaSpillBucket/MyLambdaSpillLocation" } ] }
Explanation of Permissions
Allowed Actions Explanation
"s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"

s3 actions allow reading from and writing to the resource specified as "arn:aws:s3:::MyLambdaSpillBucket/MyLambdaSpillLocation", where MyLambdaSpillLocation identifies the spill bucket that is specified in the configuration of the Lambda function or functions being invoked. The arn:aws:lambda:*:MyAWSAcctId:layer:MyAthenaLambdaLayer:* resource identifier is required only if you use a Lambda layer to create custom runtime dependencies to reduce function artifact size at deployment time. The * in the last position is a wildcard for layer version.

"lambda:GetFunction", "lambda:GetLayerVersion", "lambda:InvokeFunction"
Allows queries to invoke the AWS Lambda functions specified in the Resource block. For example, arn:aws:lambda:*:MyAWSAcctId:function:MyAthenaLambdaFunction, where MyAthenaLambdaFunction specifies the name of a Lambda function to be invoked. Multiple functions can be specified as shown in the example.

Example – Allow an IAM Principal to Create an Athena Data Connector for External Hive Metastore

The following policy is attached to IAM principals in addition to the AmazonAthenaFullAccess Managed Policy, which grants full access to Athena actions.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "lambda:GetFunction", "lambda:ListFunctions", "lambda:GetLayerVersion", "lambda:InvokeFunction", "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:PublishLayerVersion", "lambda:DeleteLayerVersion", "lambda:UpdateFunctionConfiguration", "lambda:PutFunctionConcurrency", "lambda:DeleteFunctionConcurrency" ], "Resource": "arn:aws:lambda:*:MyAWSAcctId: function: MyAthenaLambdaFunctionsPrefix*" } ] }

Explanation of Permissions

Allows queries to invoke the AWS Lambda functions for the AWS Lambda functions specified in the Resource block. For example, arn:aws:lambda:*:MyAWSAcctId:function:MyAthenaLambdaFunction, where MyAthenaLambdaFunction specifies the name of a Lambda function to be invoked. Multiple functions can be specified as shown in the example.