Allow access to Athena UDFs: Example policies
The permission policy examples in this topic demonstrate required allowed actions and the resources for which they are allowed. Examine these policies carefully and modify them according to your requirements before you attach similar permissions policies to IAM identities.
Example – Allow an IAM principal to run and return queries that contain an Athena UDF statement
The following identity-based permissions policy allows actions that a user or other IAM principal requires to run queries that use Athena UDF statements.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "athena:StartQueryExecution", "lambda:InvokeFunction", "athena:GetQueryResults", "s3:ListMultipartUploadParts", "athena:GetWorkGroup", "s3:PutObject", "s3:GetObject", "s3:AbortMultipartUpload", "athena:StopQueryExecution", "athena:GetQueryExecution", "s3:GetBucketLocation" ], "Resource": [ "arn:aws:athena:*:
MyAWSAcctId
:workgroup/MyAthenaWorkGroup
", "arn:aws:s3:::MyQueryResultsBucket
/*", "arn:aws:lambda:*:MyAWSAcctId
:function:OneAthenaLambdaFunction
", "arn:aws:lambda:*:MyAWSAcctId
:function:AnotherAthenaLambdaFunction
" ] }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": "athena:ListWorkGroups", "Resource": "*" } ] }
Explanation of permissions | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Allowed actions | Explanation | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Athena permissions that are required to run queries in the
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Allows queries to invoke the AWS Lambda functions specified in the
Resource block. For example,
arn:aws:lambda:*: ,
where MyAthenaLambdaFunction specifies the
name of a Lambda function to be invoked. Multiple functions can be
specified as shown in the example. |
Example – Allow an IAM principal to create an Athena UDF
{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": [ "lambda:CreateFunction", "lambda:ListVersionsByFunction", "iam:CreateRole", "lambda:GetFunctionConfiguration", "iam:AttachRolePolicy", "iam:PutRolePolicy", "lambda:PutFunctionConcurrency", "iam:PassRole", "iam:DetachRolePolicy", "lambda:ListTags", "iam:ListAttachedRolePolicies", "iam:DeleteRolePolicy", "lambda:DeleteFunction", "lambda:GetAlias", "iam:ListRolePolicies", "iam:GetRole", "iam:GetPolicy", "lambda:InvokeFunction", "lambda:GetFunction", "lambda:ListAliases", "lambda:UpdateFunctionConfiguration", "iam:DeleteRole", "lambda:UpdateFunctionCode", "s3:GetObject", "lambda:AddPermission", "iam:UpdateRole", "lambda:DeleteFunctionConcurrency", "lambda:RemovePermission", "iam:GetRolePolicy", "lambda:GetPolicy" ], "Resource": [ "arn:aws:lambda:*:
111122223333
:function:MyAthenaLambdaFunctionsPrefix
*", "arn:aws:s3:::awsserverlessrepo-changesets-1iiv3xa62ln3m
/*", "arn:aws:iam::*:role/RoleName
", "arn:aws:iam::111122223333
:policy/*" ] }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": [ "cloudformation:CreateUploadBucket", "cloudformation:DescribeStackDriftDetectionStatus", "cloudformation:ListExports", "cloudformation:ListStacks", "cloudformation:ListImports", "lambda:ListFunctions", "iam:ListRoles", "lambda:GetAccountSettings", "ec2:DescribeSecurityGroups", "cloudformation:EstimateTemplateCost", "ec2:DescribeVpcs", "lambda:ListEventSourceMappings", "cloudformation:DescribeAccountLimits", "ec2:DescribeSubnets", "cloudformation:CreateStackSet", "cloudformation:ValidateTemplate" ], "Resource": "*" }, { "Sid": "VisualEditor2", "Effect": "Allow", "Action": "cloudformation:*", "Resource": [ "arn:aws:cloudformation:*:111122223333
:stack/aws-serverless-repository-MyCFStackPrefix
*/*", "arn:aws:cloudformation:*:111122223333
:stack/serverlessrepo-MyCFStackPrefix
*/*", "arn:aws:cloudformation:*:*:transform/Serverless-*", "arn:aws:cloudformation:*:111122223333
:stackset/aws-serverless-repository-MyCFStackPrefix
*:*", "arn:aws:cloudformation:*:111122223333
:stackset/serverlessrepo-MyCFStackPrefix
*:*" ] }, { "Sid": "VisualEditor3", "Effect": "Allow", "Action": "serverlessrepo:*", "Resource": "arn:aws:serverlessrepo:*:*:applications/*" } ] }
Explanation of permissions | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Allowed actions | Explanation | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Allow the creation and management of Lambda functions listed as
resources. In the example, a name prefix is used in the resource
identifier
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Allows reading of a bucket that AWS Serverless Application Repository requires as specified by the
resource identifier
arn:aws:s3:::awsserverlessrepo-changesets- . |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Allows the creation and management of AWS CloudFormation stacks specified by
the resource |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
Allows searching, viewing, publishing, and updating applications in
the AWS Serverless Application Repository, specified by the resource identifier
arn:aws:serverlessrepo:*:*:applications/* . |