Connections > Amazon Athena connection properties > Prepare for authentication

Prepare for authentication

You can configure permanent IAM credentials and EC2 instance profile authentication types to access Amazon Athena.

To use the permanent IAM credentials authentication, create an IAM user and generate the access and secret key in the AWS Console. Keep these details handy to use in the connection properties.

To use EC2 instance profile authentication, install the Secure Agent on an EC2 instance and attach the EC2 role to the EC2 instance.

Before you configure the connection properties, create the minimal Amazon S3 policy, AWS Glue data catalog policy, and the Amazon Athena policies and define the required permissions for the IAM user or EC2 role in the policies.

Attach the policies to the IAM user or EC2 role based on the authentication type you want to configure.

Create an Amazon S3 policy

Create an Amazon S3 policy and define the permissions to store Amazon Athena results on Amazon S3.

Use the following minimum required permissions to store Amazon Athena results on Amazon S3:

•PutObject
•GetObject
•DeleteObject
•ListBucket
•GetBucketLocation
•ListAllMyBuckets
•GetBucketAcl

You can use the following sample Amazon S3 policy:

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket",
"s3:DeleteObject"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListAllMyBuckets",
"s3:GetBucketAcl"
],
"Resource": [
"*"
]
}
]
}

Create an AWS Glue data catalog policy

You can use AWS IAM to define policies and roles to access resources used by AWS Glue.

Amazon Athena uses the AWS Glue Data Catalog to store and retrieve table metadata for the Amazon S3 data in your AWS account.

You can use the following sample policy for AWS Glue Data Catalog:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"glue:*",
],
"Resource": [
"*"
]
}
]
}

Create an Amazon Athena policy

Specify the minimum required permissions for Amazon Athena Connector to read data from views and external tables in the AWS Glue data catalog and to read and query Amazon S3 files.

You can use the following minimum required permissions:

•GetWorkGroup
•GetTableMetadata
•StartQueryExecution
•GetQueryResultsStream
•ListDatabases
•GetQueryExecution
•GetQueryResults
•GetDatabase
•ListTableMetadata
•GetDataCatalog
•CreatePreparedStatement
•DeletePreparedStatement

You can use the following sample policy for Amazon Athena:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"athena:GetWorkGroup",
"athena:GetTableMetadata",
"athena:StartQueryExecution",
"athena:GetQueryResultsStream",
"athena:ListDatabases",
"athena:GetQueryExecution",
"athena:GetQueryResults",
"athena:GetDatabase",
"athena:ListTableMetadata",
"athena:GetDataCatalog"
"athena:CreatePreparedStatement",
"athena:DeletePreparedStatement"
],
"Resource": [
"arn:aws:athena:*:*:workgroup/*",
"arn:aws:athena:*:*:datacatalog/*"
]
},
{
"Effect": "Allow",
"Action": [
"athena:ListDataCatalogs",
"athena:ListWorkGroups"
],
"Resource": "*"
}
]
}