Creating an IAM role

Amazon Athena is a serverless platform, so there is no infrastructure to manage: you don't need to worry about configuration, software updates, failures, or scaling your infrastructure as your datasets and number of users grow. What you do still have to manage is who may run queries and which S3 data Athena may read on their behalf, and that is done with IAM users, roles and policies.

IAM permissions to use Athena

Since the corporate user for our AWS account has multi-factor authentication enabled, let's create a new IAM user and give it all the permissions needed to access Athena and S3. If you signed up for AWS but have not created an IAM user for yourself, you can create one using the IAM console; you can then access AWS using a special sign-in URL and the credentials for the IAM user. Though you can connect as the AWS account administrator, it is recommended to use IAM user credentials to access AWS services. One guide suggests creating the IAM user and then adding it to an IAM group with administrative permissions (or granting the user administrative permissions directly); the narrower option is to attach only the AmazonAthenaFullAccess managed policy to the IAM user in question, plus read access to the S3 buckets that hold the data and write access to the query-results bucket. More information on this topic can be found here. The symptom of skipping this step is a query that fails immediately: you haven't given the user in question (athena-user, in this case) permissions to actually use Athena.

To authorize Amazon Athena requests from a client, provide the credentials for an administrator account or for an IAM user with custom permissions: set AccessKey to the access key ID and SecretKey to the secret access key.

Turbot establishes IAM groups in AWS that support least privilege and separation of duties. Groups specifically created for Athena are:
AWS/Athena/Admin – Manage tables, queries, and catalogs.
AWS/Athena/Metadata – View table, query, and catalog metadata.

Connecting from an external tool

To configure a virtual connection to Athena you will need to create a dedicated IAM role in your Amazon Web Services (AWS) console and enter the AWS Amazon Resource Name (ARN) for it in the Add a new connection dialog. To create the role, however, you will first need to get the AWS External ID from the bottom of the connection dialog: it belongs in the role's trust policy as an sts:ExternalId condition, so that only this tool's integration, and not another customer of the same vendor, can assume the role.

UPDATE: We have released a CloudFormation (CF) template that automates setting up Amazon S3 and IAM. We suggest starting with CF rather than the manual steps below. Create IAM policy: the policy should allow access to your S3 bucket.

Role for the Glue crawler

Our next step involves creating an IAM role that gives the crawler permission to access the data we have put in S3. This is done by assigning the below mentioned policies to that IAM …

Querying a bucket in another account

Assumptions: Account A holds the S3 bucket; Account B runs the Athena query. Let's start with Account A: locate the S3 bucket's Permissions tab, then either edit the ACL of the S3 bucket object or add a bucket policy. A bucket policy that grants Account B's principal s3:GetObject and s3:ListBucket is the maintainable choice, since object ACLs have to be set on every object.

Permission boundary and aws:CalledVia

Athena is unfortunately not a service within our VPC. When a permission boundary allows actions only if aws:SourceVpc matches our VPC, the S3 calls Athena makes on behalf of these IAM credentials will fail, because those calls carry no aws:SourceVpc. We need to include the aws:CalledVia condition to make sure calls from Athena succeed, because they will not match our aws:SourceVpc. Our final Permission Boundary policy could then be the aws:SourceVpc statement plus a second statement keyed on aws:CalledVia.

IAM roles for AWS Lambda functions

A common type of question in the AWS certification exam concerns the permissions that can be assigned to an AWS Lambda function. An IAM role is an Identity and Access Management entity that defines a set of permissions for making AWS service requests; a Lambda function assumes its execution role at run time, so it never needs long-lived access keys. Let's understand IAM roles for Lambda through an example: we will make AWS Lambda run an Amazon Athena query against a CSV file in S3. A forum post shows what a missing permission looks like from the Lambda's point of view:

AWS Glue IAM permission issue while doing Athena startQueryExecution
Posted by: narayancbts on Mar 18, 2020 4:12 AM. Tags: athena, glue, iam, cli.
I am writing a Lambda function that is supposed to initiate a query against Athena. When I execute a start_query_execution it succeeds, but when I later try to get the query status I see the following: 'Status': {'State': 'FAILED', 'StateChangeReason': 'Insufficient permissions to execute the query.
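The Lambda-runs-Athena example above, written out as an added example (this is not the forum poster's code nor code from any of the guides quoted on this page). It shows the two things the poster's failure turns on: the execution-role policy has to cover Athena, the Glue Data Catalog, the source bucket and the results bucket, and the function must poll GetQueryExecution and surface StateChangeReason, because StartQueryExecution succeeding says nothing about whether the query will be allowed to run. Bucket names, the workgroup and the FakeAthenaClient are constructed placeholders so the block runs offline; inside Lambda the real boto3 client is used.

```python
"""Lambda that runs an Athena query over a CSV in S3 and waits for the result."""
import time

# Placeholders (assumed, not from the page).
DATA_BUCKET = "example-data-bucket"
RESULTS_BUCKET = "example-athena-results"
WORKGROUP = "primary"

# Least-privilege execution-role policy for this function.
LAMBDA_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Start the query and read back its status and results.
            "Sid": "AthenaQuery",
            "Effect": "Allow",
            "Action": ["athena:StartQueryExecution", "athena:GetQueryExecution",
                       "athena:GetQueryResults"],
            "Resource": f"arn:aws:athena:*:*:workgroup/{WORKGROUP}",
        },
        {   # Athena resolves the table definition through the Glue Data Catalog.
            "Sid": "GlueCatalogRead",
            "Effect": "Allow",
            "Action": ["glue:GetDatabase", "glue:GetTable", "glue:GetPartitions"],
            "Resource": "*",
        },
        {   # Athena reads the CSV with the caller's (the role's) credentials ...
            "Sid": "ReadSourceData",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"],
            "Resource": [f"arn:aws:s3:::{DATA_BUCKET}", f"arn:aws:s3:::{DATA_BUCKET}/*"],
        },
        {   # ... and writes results; omitting this is a classic "Insufficient permissions".
            "Sid": "WriteResults",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket",
                       "s3:GetBucketLocation", "s3:AbortMultipartUpload"],
            "Resource": [f"arn:aws:s3:::{RESULTS_BUCKET}", f"arn:aws:s3:::{RESULTS_BUCKET}/*"],
        },
    ],
}

TERMINAL_STATES = {"SUCCEEDED", "FAILED", "CANCELLED"}


class AthenaQueryFailed(RuntimeError):
    pass


def run_query(athena, sql, database, poll_seconds=1.0, max_polls=60):
    """Start `sql` and poll GetQueryExecution until a terminal state.

    `athena` is anything with the boto3 Athena client's start_query_execution /
    get_query_execution methods: a real client in Lambda, the fake below offline.
    Returns the QueryExecutionId on success, raises AthenaQueryFailed otherwise.
    """
    qid = athena.start_query_execution(
        QueryString=sql,
        QueryExecutionContext={"Database": database},
        WorkGroup=WORKGROUP,
        ResultConfiguration={"OutputLocation": f"s3://{RESULTS_BUCKET}/out/"},
    )["QueryExecutionId"]
    state, status = "UNKNOWN", {}
    for _ in range(max_polls):
        status = athena.get_query_execution(QueryExecutionId=qid)["QueryExecution"]["Status"]
        state = status["State"]
        if state in TERMINAL_STATES:
            break
        time.sleep(poll_seconds)
    else:
        raise AthenaQueryFailed(f"{qid}: still {state} after {max_polls} polls")
    if state != "SUCCEEDED":
        # StateChangeReason is where "Insufficient permissions ..." is reported.
        raise AthenaQueryFailed(f"{qid}: {state}: {status.get('StateChangeReason', '')}")
    return qid


def lambda_handler(event, context):
    import boto3  # imported lazily so the module runs without boto3 installed
    qid = run_query(boto3.client("athena"), event["sql"], event["database"])
    return {"QueryExecutionId": qid}


class FakeAthenaClient:
    """Constructed offline stand-in that replays a scripted list of Status dicts."""

    def __init__(self, statuses):
        self._statuses = list(statuses)
        self.calls = []

    def start_query_execution(self, **kwargs):
        self.calls.append(kwargs)
        return {"QueryExecutionId": "qid-0001"}

    def get_query_execution(self, QueryExecutionId):
        # Advance through the script; the last status repeats.
        status = self._statuses.pop(0) if len(self._statuses) > 1 else self._statuses[0]
        return {"QueryExecution": {"Status": status}}
```

The poll loop is the part most people skip: the state moves QUEUED, RUNNING, then SUCCEEDED or FAILED, and an IAM denial on the S3 or Glue side only shows up as a FAILED state with a reason string, never as an exception from StartQueryExecution.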
The first thing you'll need to do is create an IAM user that will have permissions to run queries with Amazon Athena and access the S3 buckets that contain your data. If that user sits under a permission boundary that only allows requests whose aws:SourceVpc is our VPC, the S3 and Glue calls Athena makes on the user's behalf will not carry that key; to make this work, we need to add one more statement to the boundary, conditioned on aws:CalledVia.
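The aws:SourceVpc plus aws:CalledVia boundary discussed above, as an added example (not the page's own policy, which is not reproduced here). The two statements are real IAM policy JSON; the evaluator under them is a deliberately small subset of IAM's logic, covering only StringEquals and ForAnyValue:StringEquals, Allow statements, and action wildcards, with no Deny, NotAction or resource matching, written so the effect of the second statement can be checked offline. The VPC id, bucket name and request contexts are constructed placeholders. Two caveats the policy itself does not state: aws:SourceVpc is only present on requests that arrive through a VPC endpoint, and a boundary never grants anything by itself, the identity policy must also allow the action.

```python
"""Why a VPC-only permission boundary breaks Athena, and the aws:CalledVia fix."""
from fnmatch import fnmatchcase

OUR_VPC = "vpc-0123456789abcdef0"      # assumed placeholder
DATA_BUCKET = "example-data-bucket"    # assumed placeholder

# Statement 1: anything, but only for requests that came through our VPC endpoint.
VPC_ONLY_STATEMENT = {
    "Sid": "OnlyFromOurVpc",
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:SourceVpc": OUR_VPC}},
}

# Statement 2, the "one more statement": Athena calls S3 and Glue on the user's
# behalf from outside our VPC, so aws:SourceVpc is absent; key on aws:CalledVia.
# aws:CalledVia is multivalued, hence the ForAnyValue set operator.
VIA_ATHENA_STATEMENT = {
    "Sid": "AllowWhenCalledViaAthena",
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation",
               "s3:PutObject", "glue:Get*"],
    "Resource": "*",
    "Condition": {"ForAnyValue:StringEquals": {"aws:CalledVia": ["athena.amazonaws.com"]}},
}

BOUNDARY_WITHOUT_CALLEDVIA = {"Version": "2012-10-17", "Statement": [VPC_ONLY_STATEMENT]}
BOUNDARY_FINAL = {"Version": "2012-10-17",
                  "Statement": [VPC_ONLY_STATEMENT, VIA_ATHENA_STATEMENT]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, ctx):
    """ctx maps condition keys to a string or a list of strings (multivalued keys).
    As in IAM, a key that is absent from the request context never satisfies
    StringEquals; every operator block must match for the statement to apply."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            have = _as_list(ctx.get(key, []))
            wanted = _as_list(wanted)
            if operator == "StringEquals":
                if len(have) != 1 or have[0] not in wanted:
                    return False
            elif operator == "ForAnyValue:StringEquals":
                if not any(h in wanted for h in have):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled here")
    return True


def boundary_allows(policy, action, ctx):
    """True if some Allow statement covers `action` and its conditions hold.
    Simplified: no Deny, NotAction or Resource evaluation (see lead-in)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatchcase(action, pattern) for pattern in _as_list(stmt["Action"])):
            continue
        if _condition_matches(stmt.get("Condition", {}), ctx):
            return True
    return False


# Constructed request contexts for the three call paths that matter here.
FROM_VPC_ENDPOINT = {"aws:SourceVpc": OUR_VPC}             # CLI call via our S3 VPC endpoint
FROM_LAPTOP = {}                                           # direct call over the internet
VIA_ATHENA = {"aws:CalledVia": ["athena.amazonaws.com"]}   # Athena reading S3 for our query
```

With only the first statement the Athena-originated s3:GetObject is denied and the query ends FAILED; with the second statement it is allowed, while a direct s3:GetObject from outside the VPC stays denied and actions outside the listed set (iam:CreateUser, for instance) are still not reachable through Athena.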