Amazon Athena
It's time to start the technical onboarding with Catalog. It's pretty simple: you need to grant Catalog access to your Athena metadata.
What is required to complete the onboarding?
You need the following permissions to complete the onboarding:
- Permission to create IAM roles and policies in AWS
- Permission to create a user for Catalog, with the roles and policies defined above
1. If needed, whitelist Catalog IP
Here are our fixed IPs:
- For instances on app.us.castordoc.com: 34.42.92.72
- For instances on app.castordoc.com: 35.246.176.138
2. Create relevant IAM Policies
You'll find below the policy to create, granting only metadata access.
Warning: make sure to replace <region> and <account_id> with your own.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "athena:GetTableMetadata",
        "athena:StartQueryExecution",
        "athena:GetQueryResults",
        "athena:GetDatabase",
        "athena:GetDataCatalog",
        "athena:ListQueryExecutions",
        "athena:GetWorkGroup",
        "athena:StopQueryExecution",
        "athena:GetQueryResultsStream",
        "athena:ListDatabases",
        "athena:GetQueryExecution",
        "athena:ListTableMetadata",
        "athena:BatchGetQueryExecution"
      ],
      "Resource": [
        "arn:aws:athena:<region>:<account_id>:datacatalog/*",
        "arn:aws:athena:<region>:<account_id>:workgroup/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabase",
        "glue:GetDatabases",
        "glue:GetTable",
        "glue:GetTables",
        "glue:GetPartition",
        "glue:GetPartitions",
        "glue:BatchGetPartition",
        "glue:SearchTables",
        "glue:GetTableVersions",
        "glue:GetTableVersion",
        "glue:GetUserDefinedFunctions",
        "glue:GetUserDefinedFunction"
      ],
      "Resource": [
        "arn:aws:glue:<region>:<account_id>:tableVersion/*/*/*",
        "arn:aws:glue:<region>:<account_id>:table/*/*",
        "arn:aws:glue:<region>:<account_id>:catalog",
        "arn:aws:glue:<region>:<account_id>:database/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::aws-athena-query-results-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
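A pre-flight check for the policy above, as an added example that is not part of Catalog's documentation: it parses the JSON, verifies the Version string, and flags unreplaced placeholders, `*` resources and actions whose names fall outside Get/List/BatchGet/Search. The function name `lint_policy`, the name-prefix heuristic and the sample policy (with a constructed account ID) are assumptions made for illustration.

```python
import json
import re

VALID_VERSIONS = {"2012-10-17", "2008-10-17"}   # the only versions IAM accepts
READ_PREFIXES = ("Get", "List", "BatchGet", "Search")  # heuristic, by action name
PLACEHOLDER = re.compile(r"<\w+>")              # e.g. <region>, <account_id>

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(text):
    """Return findings for an IAM policy document supplied as JSON text."""
    try:
        policy = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON (line {exc.lineno}): {exc.msg}"]
    if not isinstance(policy, dict):
        return ["policy must be a JSON object"]
    findings = []
    if policy.get("Version") not in VALID_VERSIONS:
        findings.append(f"Version {policy.get('Version')!r} is not accepted by IAM")
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # only Allow statements widen access
        resources = _as_list(stmt.get("Resource", []))
        for res in resources:
            if PLACEHOLDER.search(res):
                findings.append(f"statement {i}: placeholder not replaced in {res}")
        if "*" in resources:
            findings.append(f"statement {i}: Resource is '*'")
        for action in _as_list(stmt.get("Action", [])):
            name = action.partition(":")[2]
            if not name.startswith(READ_PREFIXES):
                findings.append(f"statement {i}: {action} is not a Get/List-style action")
    return findings

# Constructed sample: an abridged policy in the shape of the one above.
SAMPLE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["athena:GetTableMetadata", "athena:StartQueryExecution"],
     "Resource": ["arn:aws:athena:<region>:123456789012:workgroup/*"]},
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": ["*"]}
  ]
}"""

if __name__ == "__main__": print("\n".join(lint_policy(SAMPLE)))
```

Findings are prompts for review, not automatic failures: each flagged action or wildcard should be one you have consciously accepted before attaching the policy.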
3. Create a Catalog user
- Create a user following these instructions provided by Amazon: Creating an Amazon User.
- Add the policy created above to this user
4. Add user's connection info on Catalog
On Catalog's Athena integration page, add your credentials in the following format:
{
  "aws_region": "<your_region>",
  "aws_account_id": "<your_account>",
  "access_key_id": "<your_key_id>",
  "access_key_secret": "<your_secret>"
}