• Grants the following IAM permissions to the user to perform operations on Amazon S3 buckets:
  - s3:GetObject
  - s3:ListBucket
• Grants the required permissions to extract metadata from the Amazon Athena source. See Amazon Athena in the Catalog Source Configuration help.
Create a connection
You use the Amazon Athena connection to connect to the Amazon Athena source system and create the schemas that AWS Glue uses. Create an Amazon Athena connection object in Administrator.
1. In Administrator, select Connections.
2. Click New Connection.
3. In the Connection Details section, enter the following connection details:
   Connection Name
      Name of the connection. Each connection name must be unique within the organization. Connection names can contain alphanumeric characters, spaces, and the following special characters: _ . + -,
      Maximum length is 255 characters.
   Description
      Description of the connection. Maximum length is 4000 characters.
4. Select the Amazon Athena connection type.
5. Enter properties specific to the Amazon Athena connection:
   Use Secret Vault
      Stores sensitive credentials for this connection in the secrets manager that is configured for your organization.
      This property appears only if a secrets manager is set up for your organization.
      When you enable the secret vault in the connection, you can select which credentials the Secure Agent retrieves from the secrets manager. If you don't enable this option, the credentials are stored in the repository or on a local Secure Agent, depending on how your organization is configured.
      Note: If you're using this connection to apply data access policies through pushdown or proxy services, you cannot use the Secret Vault configuration option.
Note: If you use a workgroup with customer managed query results, specify at least one of the two parameters in the JDBC URL, either the S3 output location or the workgroup name. For a workgroup with Athena managed query results, specify only the workgroup name and do not include the S3 output location in the JDBC URL.
EC2 instance profile
You can configure AWS Identity and Access Management (IAM) authentication to connect to Amazon Athena when the Secure Agent is installed on an Amazon Elastic Compute Cloud (EC2) system.
The following table describes the basic connection properties for EC2 instance profile authentication:
Note: If you use a workgroup with customer managed query results, specify at least one of the two parameters in the JDBC URL, either the S3 output location or the workgroup name. For a workgroup with Athena managed query results, specify only the workgroup name and do not include the S3 output location in the JDBC URL.
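The notes above (for the basic and EC2 instance profile tables) state a rule about which query-result parameters the JDBC URL may carry. As an added example, not part of this documentation, the following Python checks a URL against that rule; the property names S3OutputLocation and Workgroup are an assumption based on Athena JDBC driver conventions, so confirm them against your driver's documentation.

```python
# Added example (not from this page): validates the query-result properties in an
# Amazon Athena JDBC URL against the workgroup rule stated in the notes above.
# ASSUMPTION: the property names S3OutputLocation and Workgroup follow the Athena
# JDBC driver's conventions; check your driver's documentation for exact names.
PREFIX = "jdbc:awsathena://"


def parse_athena_jdbc_url(url: str) -> dict:
    """Split 'jdbc:awsathena://Key=Value;Key=Value' into a dict with lower-cased keys."""
    if not url.lower().startswith(PREFIX):
        raise ValueError("not an Amazon Athena JDBC URL")
    props = {}
    for part in url[len(PREFIX):].split(";"):
        if not part.strip():
            continue                      # tolerate a trailing ';'
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed property: {part!r}")
        props[key.strip().lower()] = value.strip()
    return props


def check_query_result_settings(url: str, athena_managed: bool) -> list:
    """Return the list of rule violations for the URL (empty means it is valid).

    athena_managed=False: the workgroup uses customer managed query results, so
        at least one of S3OutputLocation or Workgroup must be present.
    athena_managed=True: the workgroup uses Athena managed query results, so
        Workgroup is required and S3OutputLocation must not appear.
    """
    props = parse_athena_jdbc_url(url)
    output = props.get("s3outputlocation")
    workgroup = props.get("workgroup")
    problems = []
    if athena_managed:
        if not workgroup:
            problems.append("Athena managed results: Workgroup is required")
        if output is not None:
            problems.append("Athena managed results: remove S3OutputLocation")
    elif not output and not workgroup:
        problems.append("customer managed results: set S3OutputLocation or Workgroup")
    # An output location that is not an S3 URI cannot receive query results at all.
    if output is not None and not output.startswith("s3://"):
        problems.append("S3OutputLocation must be an s3:// URI")
    return problems
```

Run the check on the URL you intend to put in the connection before saving it, so a result location that points at the wrong bucket is caught before any query runs.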
Get AWS Glue source information
Get the connection properties that you need to configure from the AWS Glue administrator.
Note: You don't need to create a connection object for AWS Glue. You provide this information when you configure the catalog source.
The following table describes the properties that you need:
Athena Connection
   The Amazon Athena connection object.
Region
   The Amazon Web Services region from which you want to run the catalog source job.
Authentication mode
   Select the authentication type to connect to the Amazon Web Services account.
   You can select one of the following authentication types:
   - Basic
   - Assume Role
   - IAM Roles Anywhere
Basic authentication
This is the default method of authentication. Provide an access key and security key to access the Amazon Web Services account.
The following table describes the connection properties for basic authentication:
Access Key
   The access key of the Amazon Web Services account.
Security Key
   The security key of the Amazon Web Services account.
Assume Role authentication
Assume Role authentication allows a user or service to temporarily inherit permissions from another role. Instead of using permanent credentials, you assume an IAM role to get temporary security credentials. This allows you to access AWS resources securely without sharing long-lived credentials.
Provide the IAM Role ARN and, optionally, provide the access key and security key to access the Amazon Web Services account.
Note: Verify that the administrator granted the minimum user permissions required to access the AWS Glue and Amazon Athena source systems.
The following table describes the connection properties for Assume Role authentication:
IAM Role ARN
   The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that the user assumes. The user then uses the dynamically generated temporary security credentials.
   For more information about how to get the ARN of an IAM role, see the AWS documentation.
Access Key
   Optional. The access key of the Amazon Web Services account.
Security Key
   Optional. The security key of the Amazon Web Services account.
IAM Roles Anywhere authentication
IAM Roles Anywhere authentication allows an application, user, or system outside AWS to securely access AWS resources with X.509 certificates instead of AWS login credentials. This makes it easier and safer to manage access across different environments.
You can provide the credential file path and profile name to access the Amazon Web Services account.
The following table describes the connection properties for IAM Roles Anywhere authentication:
Credential file path
   The location of the file containing the credentials used to authenticate the user.
   For more information about how to get the AWS credential file path, see the AWS documentation.
Profile name
   The profile name that you defined in the credential file for user authentication. If you don't provide the profile name, the authentication process uses the default profile.
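As an added example, not part of this documentation, the following Python resolves a profile from an AWS credential file the way the property above describes (falling back to [default] when no profile name is given), tells a certificate-backed IAM Roles Anywhere profile apart from one holding long-lived keys, and verifies that the Roles Anywhere helper command carries every flag it needs. The file contents, paths and ARNs are constructed placeholders, and the helper flags assume the AWS rolesanywhere credential helper (aws_signing_helper).

```python
import configparser
import shlex
from typing import Optional

# Added example (not from this page): resolves a profile from an AWS credential
# file as the Profile name property describes (fall back to [default] when no
# profile name is given) and checks an IAM Roles Anywhere profile. The file
# content, paths and ARNs below are constructed placeholders.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAPLACEHOLDER
aws_secret_access_key = PLACEHOLDERSECRET

[roles-anywhere]
credential_process = aws_signing_helper credential-process --certificate /etc/agent/agent.crt --private-key /etc/agent/agent.key --trust-anchor-arn arn:aws:rolesanywhere:us-east-1:111122223333:trust-anchor/PLACEHOLDER --profile-arn arn:aws:rolesanywhere:us-east-1:111122223333:profile/PLACEHOLDER --role-arn arn:aws:iam::111122223333:role/CatalogReader
"""

# Flags the AWS Roles Anywhere credential helper needs to mint temporary credentials.
REQUIRED_FLAGS = ("--certificate", "--private-key", "--trust-anchor-arn",
                  "--profile-arn", "--role-arn")


def load_profile(text: str, profile_name: Optional[str] = None) -> dict:
    """Return the key/value pairs of the named profile, or of [default] if none is given."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    name = profile_name or "default"
    if not cp.has_section(name):
        raise KeyError(f"profile {name!r} not found in credential file")
    return dict(cp.items(name))


def classify_profile(profile: dict) -> str:
    """'credential-process' for certificate-backed temporary credentials,
    'static-keys' for long-lived access keys stored in the file."""
    if "credential_process" in profile:
        return "credential-process"
    if "aws_access_key_id" in profile and "aws_secret_access_key" in profile:
        return "static-keys"
    raise ValueError("profile carries no usable credential source")


def roles_anywhere_args(profile: dict) -> dict:
    """Parse credential_process into {flag: value} and require every helper flag."""
    argv = shlex.split(profile["credential_process"])
    args = {tok: argv[i + 1] for i, tok in enumerate(argv[:-1]) if tok.startswith("--")}
    missing = [f for f in REQUIRED_FLAGS if f not in args]
    if missing:
        raise ValueError(f"credential_process is missing {missing}")
    return args
```

A profile that classifies as static-keys on a Secure Agent is a standing credential on disk; the credential-process form leaves only the certificate and key there and obtains short-lived credentials on each use.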