How Athena accesses data registered with Lake Formation
The access workflow described in this section applies only when running Athena queries on Amazon S3 locations and metadata objects that are registered with Lake Formation. For more information, see Registering a data lake in the AWS Lake Formation Developer Guide. In addition to registering data, the Lake Formation administrator applies Lake Formation permissions that grant or revoke access to metadata in the Data Catalog and the data location in Amazon S3. For more information, see Security and access control to metadata and data in the AWS Lake Formation Developer Guide.
Each time an Athena principal (user, group, or role) runs a query on data registered using Lake Formation, Lake Formation verifies that the principal has the appropriate Lake Formation permissions to the database, table, and Amazon S3 location as appropriate for the query. If the principal has access, Lake Formation vends temporary credentials to Athena, and the query runs.
The following diagram (not reproduced here) illustrates the flow described above. It shows how credential vending works in Athena on a query-by-query basis for a hypothetical SELECT query on a table with an Amazon S3 location registered in Lake Formation:

- A principal runs a SELECT query in Athena.
- Athena analyzes the query and checks Lake Formation permissions to see if the principal has been granted access to the table and table columns.
- If the principal has access, Athena requests credentials from Lake Formation. If the principal does not have access, Athena issues an access denied error.
- Lake Formation issues credentials to Athena to use when reading data from Amazon S3, along with the list of allowed columns.
- Athena uses the Lake Formation temporary credentials to query the data from Amazon S3. After the query completes, Athena discards the credentials.
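The five steps above as a runnable model, written for this page as an added illustration; it is not Athena or Lake Formation code. The `Grant`, `Catalog`, `TempCredentials`, `vend_credentials()` and `run_select()` names are assumptions made for the example, the catalog, principals and rows are constructed sample data, and the expansion of a bare `*` to the permitted columns only is an assumption of this model. In a real account the equivalent grant is made with the Lake Formation GrantPermissions API on a TableWithColumns resource, and the S3 location must first be registered with Lake Formation; an unregistered location never enters this flow.

```python
"""Model of the per-query Lake Formation authorization and credential-vending
flow: resolve column-level access, deny or vend short-lived credentials scoped
to the allowed columns, read, then discard. Illustrative code, not AWS code."""
from dataclasses import dataclass
from typing import Optional
import secrets
import time


class AccessDenied(Exception):
    """Where Athena returns an access denied error (step 3)."""


@dataclass(frozen=True)
class Grant:
    """One SELECT grant on a table (assumed shape): columns=None means every
    column, excluded withholds named columns from that set."""
    principal: str
    database: str
    table: str
    columns: Optional[frozenset] = None
    excluded: frozenset = frozenset()


@dataclass
class Catalog:
    """Minimal Data Catalog: (database, table) -> (S3 location, column names),
    the S3 locations registered with Lake Formation, and the grants."""
    tables: dict
    registered_locations: set
    grants: list


@dataclass
class TempCredentials:
    """What Lake Formation vends for a single query (step 4)."""
    session_token: str
    expires_at: float
    allowed_columns: tuple
    valid: bool = True


def allowed_columns(catalog, principal, database, table):
    """Step 2: the principal's column-level access to the table. Grants to the
    same principal are unioned; no grant at all is an AccessDenied."""
    if (database, table) not in catalog.tables:
        raise AccessDenied(f"{database}.{table} is not in the Data Catalog")
    location, all_columns = catalog.tables[(database, table)]
    if location not in catalog.registered_locations:
        # Unregistered locations fall back to plain IAM, which this model does not cover.
        raise ValueError(f"{location} is not registered with Lake Formation")
    permitted, matched = set(), False
    for g in catalog.grants:
        if (g.principal, g.database, g.table) != (principal, database, table):
            continue
        matched = True
        granted = set(all_columns) if g.columns is None else set(g.columns)
        permitted |= granted - g.excluded
    if not matched:
        raise AccessDenied(f"{principal} has no SELECT grant on {database}.{table}")
    return tuple(c for c in all_columns if c in permitted)


def vend_credentials(catalog, principal, database, table, requested, ttl=900):
    """Steps 2-4: deny if any named column lies outside the grant; otherwise vend
    short-lived credentials carrying the allowed column list. A bare '*' expands
    to the permitted columns only (assumption of this model)."""
    cols = allowed_columns(catalog, principal, database, table)
    wanted = list(cols) if requested == ["*"] else list(requested)
    denied = [c for c in wanted if c not in cols]
    if denied:
        raise AccessDenied(f"{principal} may not read {denied} from {database}.{table}")
    return TempCredentials(secrets.token_urlsafe(16), time.time() + ttl, tuple(wanted))


def read_s3(creds, rows):
    """Step 5, the data read: honored only while the credentials are valid and
    unexpired, and only for the vended column list."""
    if not creds.valid or time.time() >= creds.expires_at:
        raise AccessDenied("temporary credentials expired or already discarded")
    return [{c: r[c] for c in creds.allowed_columns} for r in rows]


def run_select(catalog, principal, database, table, requested, rows):
    """The full per-query flow: vend, read, discard."""
    creds = vend_credentials(catalog, principal, database, table, requested)
    try:
        return read_s3(creds, rows)
    finally:
        creds.valid = False  # Athena discards the credentials after the query


def is_denied(fn, *args):
    """True if the call raises AccessDenied; used to exercise the deny paths."""
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False


# Constructed sample catalog, principals and rows (not real accounts or buckets).
ANALYST = "arn:aws:iam::123456789012:role/analyst"
SUPPORT = "arn:aws:iam::123456789012:role/support"
CATALOG = Catalog(
    tables={("sales", "orders"): ("s3://example-lake/orders/",
                                  ("order_id", "customer_email", "amount"))},
    registered_locations={"s3://example-lake/orders/"},
    grants=[Grant(ANALYST, "sales", "orders", excluded=frozenset({"customer_email"})),
            Grant(SUPPORT, "sales", "orders", columns=frozenset({"order_id", "customer_email"}))],
)
ROWS = [{"order_id": 1, "customer_email": "a@example.com", "amount": 42},
        {"order_id": 2, "customer_email": "b@example.com", "amount": 7}]

if __name__ == "__main__":
    print(run_select(CATALOG, ANALYST, "sales", "orders", ["*"], ROWS))
    print(is_denied(run_select, CATALOG, ANALYST, "sales", "orders", ["customer_email"], ROWS))
```

The points worth checking against the model are the three outcomes the page describes: a principal with a column-restricted grant reads only its columns, a query that names a withheld column fails with access denied rather than returning a filtered result, and credentials stop working once the query finishes, so nothing retained from one query can be reused for the next.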