AWS Athena

1. In Polytomic, go to Connections → Add Connection → AWS Athena:

2. If authenticating with an AWS Access Key and Secret, fill in the following fields:

• AWS Access ID
• AWS Secret Access Key
  Alternatively, if authenticating with an IAM role, switch the Authentication Method dropdown to IAM role and enter your IAM role ARN:

3. Fill in the following fields:

• AWS region (e.g. us-west-1)
• AWS S3 output bucket

4. Click Save.

IAM Permissions

Polytomic uses the following IAM Actions when introspecting Athena. Most users will grant these to the catalogs, databases, and tables they wish to use with Polytomic.

• athena:GetNamedQuery
• athena:GetDataCatalog
• athena:GetPreparedStatement
• athena:GetQueryExecution
• athena:GetQueryResults
• athena:GetQueryResultsStream
• athena:GetTableMetadata
• athena:GetWorkGroup
• athena:ListTableMetadata
• athena:ListDataCatalogs
• athena:ListDatabases
• athena:StartQueryExecution
• athena:StopQueryExecution
• glue:GetTables
• glue:GetTable
• glue:CancelStatement
• glue:GetDatabase
• glue:GetDatabases
• glue:SearchTables

Note: the user or IAM role must also have permission to access the underlying data in S3.

• On the buckets where data is stored (e.g. arn:aws:s3:::my-bucket)
  • s3:ListBucket on any buckets where data is stored
  • s3:GetBucketLocation on any buckets where data is stored
• On the bucket objects where data is stored (e.g. arn:aws:s3::my-bucket/*):
  • s3:GetObject
• On the bucket where results will be written:
  • s3:GetObject
  • s3:PutObject
  • s3:DeleteObject
  • s3:AbortMultipartUpload
  • s3:ListmultipartUploadParts

If you would like to write to Athena, make sure to add these permissions as well:

• glue:CreateTable
• glue:UpdateTable
• glue:DeleteTable
• glue:CreateDatabase

If you'd like to use the 'tags' functionality, please make sure to include the sts:TagSession permission in addition to the sts:AssumeRole permission.