Athena

Steps to prepare and connect to Athena

Lightup account setup: Athena

  1. Create a new IAM user, and enable Programmatic Access.

    Create a new Athena user account

  2. Select Attach existing policies directly, then Create policy.

    Create a new Athena policy

  3. Use the following template to create the new policy.

❗️ Replace the following template values with your own data.

  • Replace 000000000000 with your own AWS account ID.
  • Change every occurrence of us-west-2 to the AWS Region that applies, if it differs.
  • Replace [athena-s3-result-dir], including the square brackets, with your actual S3 path.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "athena:GetTableMetadata",
        "athena:StartQueryExecution",
        "athena:GetQueryResultsStream",
        "glue:GetTable",
        "glue:GetTables",
        "athena:GetQueryResults",
        "athena:GetDatabase",
        "athena:GetDataCatalog",
        "athena:GetNamedQuery",
        "athena:ListTagsForResource",
        "athena:ListQueryExecutions",
        "athena:ListNamedQueries",
        "glue:GetDatabase",
        "athena:GetWorkgroup",
        "athena:ListDatabases",
        "athena:StopQueryExecution",
        "athena:GetQueryExecution",
        "athena:BatchGetNamedQuery",
        "athena:ListTableMetadata",
        "athena:BatchGetQueryExecution"
      ],
      "Resource": [
        "arn:aws:glue:us-west-2:000000000000:catalog",
        "arn:aws:glue:us-west-2:000000000000:database/db1",
        "arn:aws:glue:us-west-2:000000000000:database/db2",
        "arn:aws:glue:us-west-2:000000000000:database/db1/*",
        "arn:aws:glue:us-west-2:000000000000:database/db2/*",
        "arn:aws:athena:us-west-2:000000000000:workgroup/primary",
        "arn:aws:athena:us-west-2:000000000000:dataCatalog/AwsDataCatalog"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "athena:ListDataCatalogs",
        "athena:ListWorkGroups"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::[athena-s3-result-dir]"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::[athena-s3-result-dir]/*"
      ]
    }
  ]
}
  4. Name the policy and attach the policy to the user.

    • Name the policy athena-read-only, then select Create policy.
    • Select the athena-read-only policy, then select Attach existing policies directly.

  5. Finish the Add User dialog.
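
Before pasting the policy from step 3 into the IAM console, you can check the filled-in JSON locally for leftover template values and for ARNs scoped to the wrong account or Region. This Python sketch is an added example, not Lightup's own code; the names `fill_template` and `lint` and the abbreviated `TEMPLATE` are constructed for illustration.

```python
import json
import re

# Abbreviated copy of the step 3 template, constructed for this example.
TEMPLATE = """
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["athena:StartQueryExecution", "glue:GetTable"],
     "Resource": ["arn:aws:glue:us-west-2:000000000000:catalog",
                  "arn:aws:athena:us-west-2:000000000000:workgroup/primary"]},
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::[athena-s3-result-dir]"]},
    {"Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::[athena-s3-result-dir]/*"]}
  ]
}
"""

def fill_template(text, account_id, region, bucket):
    """Substitute the three template values the page tells you to replace."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("AWS account IDs are 12 digits")
    text = text.replace("000000000000", account_id)
    text = text.replace("us-west-2", region)
    text = text.replace("[athena-s3-result-dir]", bucket)
    return json.loads(text)  # raises ValueError on malformed JSON (e.g. a missing comma)

def lint(policy, account_id, region):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        for arn in resources:
            if "[" in arn or "000000000000" in arn:
                findings.append(f"statement {i}: unreplaced template value in {arn}")
            parts = arn.split(":", 5)
            # S3 ARNs carry no Region or account field, so only check the others.
            if len(parts) == 6 and parts[2] != "s3":
                if parts[3] != region or parts[4] != account_id:
                    findings.append(f"statement {i}: {arn} is outside {region}/{account_id}")
    return findings
```
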

Query governance

Athena datasources support Query date range limit and Query history. For steps, see Set query governance settings for a datasource.

Connector settings

  • Region - Specify the AWS Region where your data is hosted, e.g. "us-west-2".
  • Access Key ID - You'll receive the Access Key ID when you create the new user.
  • Secret Access Key - You'll receive the Secret Access Key when you create the new user.
  • Staging Directory - Enter lightup-athena-staging.

Read more about Athena Regions.

