# Amazon Athena

Video walkthrough: <https://youtu.be/QQ5g2AOHb7E>

As a best practice, set up a dedicated AWS IAM Service Account user and assign it only the specific role(s) it needs before configuring Connecty AI. This isolates the integration credentials and simplifies permission management, ensuring a seamless no-code connection.

Connecty AI offers the most complete experience when your Athena catalog is AWS Glue; in this setup we can surface richer table and column metadata. Other catalog types (e.g., external Hive metastores or Athena Federated Query sources) are supported for querying, but metadata coverage may be limited. This does not affect query execution.

### Prerequisites

* Service Account user with CLI access credentials available.
* Dedicated IAM role that provides access to Amazon Athena and related resources (Glue and S3) and can be assumed by the Service Account.
* Dedicated output location in an S3 bucket.
* AWS region in which the Amazon Athena catalog is stored.

### Service Account

A Service Account (SA) is a technical IAM user created so that other programs can access AWS resources. A good practice is to limit the SA's permissions to a single one: assuming the IAM role that carries the actual set of permissions for the integration.

Once the SA user is created, generate its credentials in `AWS IAM -> your SA user name -> Security Credentials -> Create Access Key`. That produces an `aws_access_key_id` and an `aws_secret_access_key`.

Examples:

* ✅ `AKIAIOSFODNN7EXAMPLE` (Access Key ID)
* ✅ `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY` (Secret Access Key)

### AWS Role

To enable Connecty AI to access your Amazon Athena catalog, there needs to be an AWS IAM Role that can be assumed by the Service Account and that has the permissions required to access the catalog.

Make sure the new IAM Role dedicated to Connecty AI access has a trust relationship set up like this:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowConnectyAIUserToAssume",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ACCOUNT:user/SA_USER_NAME"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```

To fully enable Connecty AI to access your Amazon Athena catalog, attach to the new IAM Role an IAM Policy that contains at least the following permissions. Update each `Resource` to match your Amazon Athena configuration (replace `REGION`, `ACCOUNT`, `SOURCE_BUCKET`, `OUTPUT_BUCKET`, and the catalog and workgroup names).

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AthenaListGlobal",
            "Effect": "Allow",
            "Action": [
                "athena:ListWorkGroups",
                "athena:ListDataCatalogs"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:RequestedRegion": "REGION"
                }
            }
        },
        {
            "Sid": "AthenaListDatabasesAndTablesInAllowedCatalogs",
            "Effect": "Allow",
            "Action": [
                "athena:ListDatabases",
                "athena:ListTableMetadata"
            ],
            "Resource": [
                "arn:aws:athena:REGION:ACCOUNT:datacatalog/AwsDataCatalog",
                "arn:aws:athena:REGION:ACCOUNT:datacatalog/anotherCatalog"
            ]
        },
        {
            "Sid": "AthenaStartQueryInWorkgroupAndDb",
            "Effect": "Allow",
            "Action": "athena:StartQueryExecution",
            "Resource": "arn:aws:athena:REGION:ACCOUNT:workgroup/primary"
        },
        {
            "Sid": "AthenaReadExecAndHistory",
            "Effect": "Allow",
            "Action": [
                "athena:GetQueryExecution",
                "athena:GetQueryResults",
                "athena:BatchGetQueryExecution",
                "athena:ListQueryExecutions"
            ],
            "Resource": "arn:aws:athena:REGION:ACCOUNT:workgroup/primary"
        },
        {
            "Sid": "GlueReadOnly",
            "Effect": "Allow",
            "Action": [
                "glue:GetDatabase",
                "glue:GetDatabases",
                "glue:GetTable",
                "glue:GetTables",
                "glue:GetPartition",
                "glue:GetPartitions"
            ],
            "Resource": [
                "arn:aws:glue:REGION:ACCOUNT:*"
            ]
        },
        {
            "Sid": "ReadDataBucket",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::SOURCE_BUCKET"
        },
        {
            "Sid": "ReadDataObjects",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::SOURCE_BUCKET/*"
        },
        {
            "Sid": "WriteResultsBucket",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::OUTPUT_BUCKET"
        },
        {
            "Sid": "PutResultsObjects",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::OUTPUT_BUCKET/*"
        }
    ]
}
```

In some cases the permissions listed above are attached directly to the AWS IAM User rather than to an AWS IAM Role assumed by the SA user. In that case there is no need to pass an `AWS Role ARN` in the new Connection form.

For catalogs other than AWS Glue, the permissions above need to be extended accordingly: for example, allow `athena:ListDatabases` and `athena:ListTableMetadata` on the specific Data Catalog ARNs, and for Federated Query also allow `lambda:InvokeFunction` on the connector function, plus any Secrets Manager or KMS access the connector requires.
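As an added pre-flight check (example code, not Connecty AI's own), the following script lints a trust policy and a permissions policy shaped like the ones above before they are attached: it confirms that only a single named IAM user can assume the role via `sts:AssumeRole`, and flags wildcard actions, `Resource: "*"` statements that carry no Condition, and S3 write permissions outside the results bucket. The embedded documents are constructed copies of a subset of the statements above, using the page's own placeholders.

```python
import json

# Constructed copies of a subset of the statements above; ACCOUNT, REGION and OUTPUT_BUCKET are placeholders.
TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Sid": "AllowConnectyAIUserToAssume",
  "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::ACCOUNT:user/SA_USER_NAME"}, "Action": "sts:AssumeRole"}]}""")
PERMISSIONS_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "AthenaListGlobal", "Effect": "Allow", "Action": ["athena:ListWorkGroups", "athena:ListDataCatalogs"],
   "Resource": "*", "Condition": {"StringEquals": {"aws:RequestedRegion": "REGION"}}},
  {"Sid": "PutResultsObjects", "Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
   "Resource": "arn:aws:s3:::OUTPUT_BUCKET/*"}]}""")

def _as_list(value):
    """IAM accepts either a bare string or a list for Principal, Action and Resource."""
    return value if isinstance(value, list) else [value]

def lint_trust_policy(doc):
    """Findings if anyone but a single named IAM user can assume the role, or via any action but sts:AssumeRole."""
    findings = []
    for st in (s for s in doc["Statement"] if s.get("Effect") == "Allow"):
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal  # "Principal": "*" form
        for p in _as_list(aws):
            if p == "*" or p.endswith(":root") or ":user/" not in p:
                findings.append(f"{sid}: principal too broad: {p}")
        for action in _as_list(st.get("Action", [])):
            if action != "sts:AssumeRole":
                findings.append(f"{sid}: unexpected action {action}")
    return findings

def lint_permissions_policy(doc, output_bucket):
    """Flag wildcard actions, Resource "*" without a Condition, and S3 writes outside the results bucket."""
    base = f"arn:aws:s3:::{output_bucket}"
    findings = []
    for st in (s for s in doc["Statement"] if s.get("Effect") == "Allow"):
        sid = st.get("Sid", "<no Sid>")
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard action")
        if "*" in resources and "Condition" not in st:
            findings.append(f"{sid}: Resource * without a Condition")
        writes = [a for a in actions if a.startswith(("s3:Put", "s3:Delete"))]
        if writes and any(r != base and not r.startswith(base + "/") for r in resources):
            findings.append(f"{sid}: {writes} allowed outside {output_bucket}")
    return findings
```

Both functions return an empty list for the page's own policies; run them against your edited copies before attaching the role.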

### S3 Bucket output location

The `S3 Output Location` in the Connection form is the S3 bucket path where Amazon Athena will write query results and metadata. The SA user (through the assumed role) needs write access to that location.

Examples:

* ✅ `s3://analytics-prod/athena/results/`
* ❌ `s3://analytics-prod/athena/results` (missing the trailing slash)
* ❌ `https://s3.amazonaws.com/analytics-prod/athena/results/` (uses an `https://` URL; the `s3://` scheme is required)
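An added validator for the `S3 Output Location` field (example code, not Connecty AI's own) that enforces the rules illustrated above and also applies the S3 bucket-naming constraints, so a malformed value is caught before the first query fails:

```python
import re
from urllib.parse import urlsplit

# S3 bucket naming rules: 3-63 chars of lowercase letters, digits, dots and hyphens,
# starting and ending alphanumeric, no consecutive dots, and not shaped like an IPv4 address.
_BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
_IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def validate_output_location(value):
    """Return a list of problems with an S3 Output Location; an empty list means it is acceptable."""
    problems = []
    parts = urlsplit(value.strip())
    if parts.scheme != "s3":
        problems.append(f"scheme must be s3://, got {parts.scheme or 'none'}://")
        return problems  # the remaining checks assume an s3:// URI
    bucket, prefix = parts.netloc, parts.path
    if not _BUCKET_RE.match(bucket) or _IPV4_RE.match(bucket) or ".." in bucket:
        problems.append(f"invalid bucket name: {bucket!r}")
    if not prefix.endswith("/"):
        problems.append("path must end with a trailing slash")
    if "//" in prefix:
        problems.append("path contains an empty segment (//)")
    if parts.query or parts.fragment:
        problems.append("query string or fragment is not allowed")
    return problems
```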

### Workgroup

The `workgroup` parameter in the Connection form names the Amazon Athena workgroup, which determines execution settings and query configuration. This parameter is optional; if left empty, the default `primary` workgroup is used. If you set a different workgroup, update the `workgroup/primary` resources in the IAM Policy above to match, since the policy as written only permits queries in `primary`.

