Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Allow access to the Athena Data Connector for External Hive Metastore

Focus mode
Allow access to the Athena Data Connector for External Hive Metastore - Amazon Athena

The permission policy examples in this topic demonstrate required allowed actions and the resources for which they are allowed. Examine these policies carefully and modify them according to your requirements before you attach similar permissions policies to IAM identities.

Example
– Allow an IAM principal to query data using Athena Data Connector for External Hive Metastore

The following policy is attached to IAM principals in addition to the AWS managed policy: AmazonAthenaFullAccess, which grants full access to Athena actions.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "lambda:GetFunction", "lambda:GetLayerVersion", "lambda:InvokeFunction" ], "Resource": [ "arn:aws:lambda:*:111122223333:function:MyAthenaLambdaFunction", "arn:aws:lambda:*:111122223333:function:AnotherAthenaLambdaFunction", "arn:aws:lambda:*:111122223333:layer:MyAthenaLambdaLayer:*" ] }, { "Sid": "VisualEditor2", "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload" ], "Resource": "arn:aws:s3:::MyLambdaSpillBucket/MyLambdaSpillLocation" } ] }
Explanation of permissions
Allowed actions Explanation
"s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"

s3 actions allow reading from and writing to the resource specified as "arn:aws:s3:::MyLambdaSpillBucket/MyLambdaSpillLocation", where MyLambdaSpillLocation identifies the spill bucket that is specified in the configuration of the Lambda function or functions being invoked. The arn:aws:lambda:*:MyAWSAcctId:layer:MyAthenaLambdaLayer:* resource identifier is required only if you use a Lambda layer to create custom runtime dependencies to reduce function artifact size at deployment time. The * in the last position is a wildcard for layer version.

"lambda:GetFunction", "lambda:GetLayerVersion", "lambda:InvokeFunction"
Allows queries to invoke the AWS Lambda functions specified in the Resource block. For example, arn:aws:lambda:*:MyAWSAcctId:function:MyAthenaLambdaFunction, where MyAthenaLambdaFunction specifies the name of a Lambda function to be invoked. Multiple functions can be specified as shown in the example.
Example
– Allow an IAM principal to create an Athena Data Connector for External Hive Metastore

The following policy is attached to IAM principals in addition to the AWS managed policy: AmazonAthenaFullAccess, which grants full access to Athena actions.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "lambda:GetFunction", "lambda:ListFunctions", "lambda:GetLayerVersion", "lambda:InvokeFunction", "lambda:CreateFunction", "lambda:DeleteFunction", "lambda:PublishLayerVersion", "lambda:DeleteLayerVersion", "lambda:UpdateFunctionConfiguration", "lambda:PutFunctionConcurrency", "lambda:DeleteFunctionConcurrency" ], "Resource": "arn:aws:lambda:*:111122223333: function: MyAthenaLambdaFunctionsPrefix*" } ] }

Explanation of Permissions

Allows queries to invoke the AWS Lambda functions for the AWS Lambda functions specified in the Resource block. For example, arn:aws:lambda:*:MyAWSAcctId:function:MyAthenaLambdaFunction, where MyAthenaLambdaFunction specifies the name of a Lambda function to be invoked. Multiple functions can be specified as shown in the example.

PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.