A common type of question that comes up in the AWS certification exam is the permissions that can be assigned to an AWS Lambda function. Set SecretKey to the secret access key. We need to include the aws:CalledVia condition to make sure calls from Athena succeed, because they will not match our aws:SourceVpc. IAM Permissions to use Athena. To make this work, we need to add one more statement. UPDATE: We have released a CloudFormation (CF) template that automates setting up Amazon S3 and IAM. Create IAM Policy: the policy should allow access to your S3 bucket. AWS/Athena/Metadata – View table, query, and catalog metadata. Turbot establishes IAM groups in AWS that support least privilege and separation of duties. Below could be our final Permission Boundary policy:

AWS Glue IAM permission issue while doing Athena startQueryExecution
Posted by: narayancbts, Mar 18, 2020 4:12 AM. Tags: athena, glue, iam, cli.
I am writing a Lambda function that is supposed to initiate a query against Athena. When I execute a start_query_execution it succeeds, but when I later try to get the query status I see the following: 'Status': {'State': 'FAILED', 'StateChangeReason': 'Insufficient permissions to execute the query.

Since the corporate user for our AWS account has multi-factor authentication enabled, let's create a new IAM user and give it all permissions needed to access Athena and S3. If you signed up for AWS but have not created an IAM user for yourself, you can create one using the IAM console. Creating an IAM role. You don't need to worry about configuration, software updates, failures, or scaling your infrastructure as your datasets and number of users grow. Athena is unfortunately not a service within our VPC, so calls to S3 using these IAM credentials will fail. An IAM role is an Identity and Access Management entity that defines a set of permissions for making AWS service requests.
To configure a virtual connection to Athena you will need to create a dedicated IAM role in your Amazon Web Services (AWS) console and enter the AWS Amazon Resource Name (ARN) for it in the Add a new connection dialog. IAM Roles for AWS Lambda Function. Create an IAM user, and then add the user to an IAM group with administrative permissions or grant this user administrative permissions. To authorize Amazon Athena requests, provide the credentials for an administrator account or for an IAM user with custom permissions: Set AccessKey to the access key ID. We suggest starting with CF rather than the manual steps below. Our next step involves creating an IAM role to allow the crawler to have permission to access the data that we have put in S3. You can then access AWS using a special URL and the credentials for the IAM user. You haven't given the user in question (athena-user, in this case) permissions to actually use Athena. Note: Though you can connect as the AWS account administrator, it is recommended to use IAM user credentials to access AWS services. Groups specifically created for Athena are: AWS/Athena/Admin – Manage tables, queries, and catalogs. This is done by assigning the below-mentioned policies to that IAM … The first thing you'll need to do is create an IAM user that will have permissions to run queries with Amazon Athena and access the S3 buckets that contain your data. Let's understand IAM roles for an AWS Lambda function through an example: in this example, we will make AWS Lambda run an AWS Athena query against a CSV file in S3. Assumptions: Account A (S3 bucket), Account B (Athena query). Let's start with Account A: locate the S3 bucket object Permissions tab; either edit the ACL of the S3 bucket object or add a bucket policy. To create the role, however, you will need to first get the AWS External ID from the bottom of the connection dialog. Amazon Athena is a serverless platform, so there is no infrastructure to manage.
You need to do so by associating the AmazonAthenaFullAccess policy with the IAM user in question: More information on this topic can be found here.