A workgroup is a resource managed by Athena. Therefore, if your workgroup policy uses
actions that take workgroup as an input, you must specify the workgroup's
ARN as follows, where workgroup-name
"Resource": [arn:aws:athena:region:AWSAcctID:workgroup/workgroup-name]
For example, for a workgroup named test_workgroup in the
us-west-2 region for Amazon Web Services account 123456789012,
specify the workgroup as a resource using the following ARN:
"Resource":["arn:aws:athena:us-east-2:123456789012:workgroup/test_workgroup"]To access trusted identity propagation (TIP) enabled workgroups, IAM Identity Center users must be
assigned to the IdentityCenterApplicationArn that is returned by the
response of the Athena GetWorkGroup API
action.
-
For a list of workgroup policies, see Example workgroup policies.
-
For a list of tag-based policies for workgroups, see Use tag-based IAM access control policies.
-
For more information about creating IAM policies for workgroups, see Use IAM policies to control workgroup access.
-
For a complete list of Amazon Athena actions, see the API action names in the Amazon Athena API Reference.
-
For more information about IAM policies, see Creating policies with the visual editor in the IAM User Guide.
Whenever you use IAM policies, make sure that you follow IAM best practices. For more information, see Security best practices in IAM in the IAM User Guide.
