No role to ensure dbt-athena works against restrictive permissions #3

Open
brabster opened this issue May 22, 2023 · 0 comments

Re: dbt-labs/dbt-athena#302

This issue lays out a more restrictive permissions setup for Athena that does not allow direct access to S3. I've created an IAM Role & Policy that captures what I think those permissions are. Besides documentation, running an applicable subset of the functional tests against this role should give much greater confidence that the functionality works in the real world.

```yaml
Resources:
  DbtRestrictiveRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: DbtAthenaRestricted
      # Trust policy: any principal in this account that itself holds
      # sts:AssumeRole on this role may assume it (account-root principal).
      AssumeRolePolicyDocument: {
          "Version" : "2012-10-17",
          "Statement": [ {
            "Effect": "Allow",
            "Principal": {
                "AWS": !Join [ ":", ["arn", "aws", "iam", "", !Ref "AWS::AccountId", "root"]]
            },
            "Action": [ "sts:AssumeRole" ]
          } ]
      }
      Description: Minimal permissions policy to run dbt-athena
      Policies:
        - PolicyName: DbtRestrictive
          PolicyDocument: {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": [
                        "athena:ListDataCatalogs",
                        "athena:GetDataCatalog",
                        "athena:ListDatabases",
                        "athena:GetDatabase",
                        "athena:StartQueryExecution",
                        "athena:StopQueryExecution",
                        "athena:GetQueryExecution",
                        "athena:GetQueryResults",
                        "athena:GetWorkGroup",
                        "athena:BatchGetQueryExecution"
                    ],
                    "Effect": "Allow",
                    "Resource": "*",
                    "Sid": "AthenaPermissions"
                },
                {
                    "Action": [
                        "glue:CreateTable",
                        "glue:UpdateTable",
                        "glue:DeleteTable",
                        "glue:GetDatabases",
                        "glue:GetDatabase",
                        "glue:GetTable",
                        "glue:GetTables"
                    ],
                    "Effect": "Allow",
                    "Resource": "*",
                    "Sid": "GlueAthenaPermissions"
                },
                {
                    "Action": [
                        "glue:CreateDatabase",
                        "glue:DeleteDatabase"
                    ],
                    "Effect": "Allow",
                    "Resource": "*",
                    "Sid": "FuncTestPermissions"
                },
                {
                    # S3 data-plane actions are only allowed when the call is
                    # made by Athena on the role's behalf (aws:CalledVia), so the
                    # role itself cannot read or write the bucket directly.
                    "Action": [
                        "s3:ListBucket",
                        "s3:GetBucketLocation",
                        "s3:GetObject",
                        "s3:ListBucketMultipartUploads",
                        "s3:ListMultipartUploadParts",
                        "s3:AbortMultipartUpload",
                        "s3:PutObject",
                        "s3:DeleteObject"
                    ],
                    "Effect": "Allow",
                    "Resource": "*",
                    "Sid": "S3ViaAthenaPermissions",
                    "Condition": {
                        "ForAnyValue:StringEquals": {
                            "aws:CalledVia": "athena.amazonaws.com"
                        }
                    }
                }
            ]
        }
```
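The property the role above is meant to enforce, "no S3 access except through Athena", is easy to lose in a later edit of the policy. The following is an added example (not code from the issue or from dbt-athena) that checks that property statically and offline: it embeds a hand-copied JSON version of the DbtRestrictive policy, a constructed weakened copy with the `aws:CalledVia` condition removed, and reports any Allow statement that grants S3 actions (including via `*`, `s3:*` or `NotAction`) without that guard. It also lists S3 statements whose `Resource` is `*`, which a reviewer would normally expect scoped to the staging bucket(s). Function names and the `WEAKENED` fixture are this example's own.

```python
"""Offline check that an IAM policy grants S3 access only via Athena.

Added example; not code from the dbt-athena issue or project. The policy
below is a hand-copied JSON version of the DbtRestrictive policy in the
issue so the check runs without any AWS access.
"""
import copy
import fnmatch

DBT_RESTRICTIVE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AthenaPermissions", "Effect": "Allow", "Resource": "*",
         "Action": ["athena:ListDataCatalogs", "athena:GetDataCatalog",
                    "athena:ListDatabases", "athena:GetDatabase",
                    "athena:StartQueryExecution", "athena:StopQueryExecution",
                    "athena:GetQueryExecution", "athena:GetQueryResults",
                    "athena:GetWorkGroup", "athena:BatchGetQueryExecution"]},
        {"Sid": "GlueAthenaPermissions", "Effect": "Allow", "Resource": "*",
         "Action": ["glue:CreateTable", "glue:UpdateTable", "glue:DeleteTable",
                    "glue:GetDatabases", "glue:GetDatabase", "glue:GetTable",
                    "glue:GetTables"]},
        {"Sid": "FuncTestPermissions", "Effect": "Allow", "Resource": "*",
         "Action": ["glue:CreateDatabase", "glue:DeleteDatabase"]},
        {"Sid": "S3ViaAthenaPermissions", "Effect": "Allow", "Resource": "*",
         "Action": ["s3:ListBucket", "s3:GetBucketLocation", "s3:GetObject",
                    "s3:ListBucketMultipartUploads", "s3:ListMultipartUploadParts",
                    "s3:AbortMultipartUpload", "s3:PutObject", "s3:DeleteObject"],
         "Condition": {"ForAnyValue:StringEquals":
                       {"aws:CalledVia": "athena.amazonaws.com"}}},
    ],
}

# Constructed negative case: the same policy with the CalledVia guard dropped,
# which is exactly what an accidental direct-S3 grant looks like.
WEAKENED = copy.deepcopy(DBT_RESTRICTIVE)
del WEAKENED["Statement"][3]["Condition"]


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _covers_service(pattern, service):
    """True if an action pattern ("*", "s3:*", "s3:GetObject", ...) can
    match at least one action of `service`."""
    if pattern == "*":
        return True
    return fnmatch.fnmatchcase(service, pattern.split(":", 1)[0].lower())


def _grants_service(statement, service):
    """Does an Allow statement grant any action of `service`?"""
    if "NotAction" in statement:
        # NotAction grants everything except the listed patterns, so the
        # service is granted unless a pattern excludes it wholesale.
        excluded = any(p == "*" or p.lower() == f"{service}:*"
                       for p in _as_list(statement["NotAction"]))
        return not excluded
    return any(_covers_service(p, service)
               for p in _as_list(statement.get("Action")))


def _called_via(statement):
    """Services named in an aws:CalledVia StringEquals condition (set-operator
    prefixes such as ForAnyValue: are accepted)."""
    via = set()
    for operator, pairs in statement.get("Condition", {}).items():
        if operator.split(":")[-1] != "StringEquals":
            continue
        for key, value in pairs.items():
            if key.lower() == "aws:calledvia":
                via.update(v.lower() for v in _as_list(value))
    return via


def direct_access_findings(policy, service="s3", via="athena.amazonaws.com"):
    """Sids of Allow statements that grant `service` actions without
    restricting them to calls made through `via`."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or not _grants_service(st, service):
            continue
        if via.lower() not in _called_via(st):
            findings.append(st.get("Sid", "<no Sid>"))
    return findings


def wildcard_resource_sids(policy, service="s3"):
    """Sids of Allow statements for `service` whose Resource includes "*"."""
    return [st.get("Sid", "<no Sid>") for st in policy["Statement"]
            if st.get("Effect") == "Allow" and _grants_service(st, service)
            and "*" in _as_list(st.get("Resource"))]


if __name__ == "__main__":
    print("direct S3 in issue policy:", direct_access_findings(DBT_RESTRICTIVE))
    print("direct S3 in weakened copy:", direct_access_findings(WEAKENED))
    print("S3 statements with Resource '*':", wildcard_resource_sids(DBT_RESTRICTIVE))
```

Running the same check with `service="glue"` reports both Glue statements, which is expected: the issue's policy deliberately grants Glue directly and only routes S3 through Athena. The check is a guard against regressions in the policy text, not a substitute for actually assuming the role and exercising the functional tests as the issue proposes.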