Configure access to workgroups and tags

A workgroup is a resource managed by Athena. Therefore, if your workgroup policy uses actions that take workgroup as an input, you must specify the workgroup's ARN as follows, where workgroup-name is the name of your workgroup:


"Resource": [arn:aws:athena:region:AWSAcctID:workgroup/workgroup-name]

For example, for a workgroup named test_workgroup in the us-west-2 region for Amazon Web Services account 123456789012, specify the workgroup as a resource using the following ARN:


"Resource":["arn:aws:athena:us-east-2:123456789012:workgroup/test_workgroup"]

To access trusted identity propagation (TIP) enabled workgroups, IAM Identity Center users must be assigned to the IdentityCenterApplicationArn that is returned by the response of the Athena GetWorkGroup API action.

For a list of workgroup policies, see Example workgroup policies.
For a list of tag-based policies for workgroups, see Use tag-based IAM access control policies.
For more information about creating IAM policies for workgroups, see Use IAM policies to control workgroup access.
For a complete list of Amazon Athena actions, see the API action names in the Amazon Athena API Reference.
For more information about IAM policies, see Creating policies with the visual editor in the IAM User Guide.

Whenever you use IAM policies, make sure that you follow IAM best practices. For more information, see Security best practices in IAM in the IAM User Guide.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Access to encrypted metadata in the Data Catalog

Use IAM policies to control workgroup access