Amazon Athena

It is time to start the technical onboarding with Catalog. It is pretty simple: you need to grant Catalog access to your Athena metadata.

What is required to complete the onboarding?

You need the following permissions to complete the onboarding:

  1. Permission to create IAM roles and policies in AWS
  2. Permission to create a user for Catalog, with the roles and policies defined above

1. If Needed, Whitelist Catalog IP

Here are our fixed IPs:

2. Create Relevant IAM Policies

You will find below the policy to create, granting only metadata access.

Replace Placeholders

Make sure to replace <region> and <account_id> with your own.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "athena:GetTableMetadata",
        "athena:StartQueryExecution",
        "athena:GetQueryResults",
        "athena:GetDatabase",
        "athena:GetDataCatalog",
        "athena:ListQueryExecutions",
        "athena:GetWorkGroup",
        "athena:StopQueryExecution",
        "athena:GetQueryResultsStream",
        "athena:ListDatabases",
        "athena:GetQueryExecution",
        "athena:ListTableMetadata",
        "athena:BatchGetQueryExecution"
      ],
      "Resource": [
        "arn:aws:athena:<region>:<account_id>:datacatalog/*",
        "arn:aws:athena:<region>:<account_id>:workgroup/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabase",
        "glue:GetDatabases",
        "glue:GetTable",
        "glue:GetTables",
        "glue:GetPartition",
        "glue:GetPartitions",
        "glue:BatchGetPartition",
        "glue:SearchTables",
        "glue:GetTableVersions",
        "glue:GetTableVersion",
        "glue:GetUserDefinedFunctions",
        "glue:GetUserDefinedFunction"
      ],
      "Resource": [
        "arn:aws:glue:<region>:<account_id>:tableVersion/*/*/*",
        "arn:aws:glue:<region>:<account_id>:table/*/*",
        "arn:aws:glue:<region>:<account_id>:catalog",
        "arn:aws:glue:<region>:<account_id>:database/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::aws-athena-query-results-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
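
A pre-flight check for the policy above, as an added example that is not part of Catalog's documentation: it fills in the placeholders, then lists the points a reviewer would confirm before creating the policy (leftover placeholders, an invalid Version, statements on all resources, actions that are not Get/List/BatchGet/Search). The template is a constructed excerpt of the policy, and the region and account ID are made-up sample values.

```python
import json
import re

VALID_VERSIONS = {"2012-10-17", "2008-10-17"}  # the only values IAM accepts
READ_PREFIXES = ("Get", "List", "BatchGet", "Search")
PLACEHOLDER = re.compile(r"<[a-z_]+>")

# Constructed excerpt of the policy above (a few actions per statement), placeholders left in.
TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["athena:GetTableMetadata", "athena:StartQueryExecution"],
     "Resource": ["arn:aws:athena:<region>:<account_id>:workgroup/*"]},
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:AbortMultipartUpload"],
     "Resource": ["arn:aws:s3:::aws-athena-query-results-*"]},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:ListAllMyBuckets"],
     "Resource": ["*"]}
  ]
}"""


def render(template, region, account_id):
    """Fill in the two placeholders and parse the result as JSON."""
    text = template.replace("<region>", region).replace("<account_id>", account_id)
    return json.loads(text)


def review(policy):
    """Return the findings a reviewer should look at before attaching the policy."""
    findings = []
    if policy.get("Version") not in VALID_VERSIONS:
        findings.append(f"invalid Version: {policy.get('Version')!r}")
    for i, stmt in enumerate(policy["Statement"]):
        for res in stmt["Resource"]:
            if PLACEHOLDER.search(res):
                findings.append(f"statement {i}: unreplaced placeholder in {res}")
            if res == "*":
                findings.append(f"statement {i}: applies to all resources")
        for action in stmt["Action"]:
            name = action.split(":", 1)[1]
            if not name.startswith(READ_PREFIXES):
                findings.append(f"statement {i}: non-read action {action}")
    return findings


if __name__ == "__main__":
    print("\n".join(review(render(TEMPLATE, "eu-west-1", "123456789012"))))
```
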

3. Create a Catalog User

  • Create a user following these instructions provided by Amazon: Creating an Amazon User.
  • Add the policy created above to this user.

4. Add User Connection Info on Catalog

On Catalog's Athena integration page, add your credentials in the following format:

{
  "aws_region": "<your_region>",
  "aws_account_id": "<your_account>",
  "access_key_id": "<your_key_id>",
  "access_key_secret": "<your_secret>"
}