From b2a88f6b1a67686135272e46728e55b3bac5d5e4 Mon Sep 17 00:00:00 2001 From: Ayush Shah Date: Mon, 6 Nov 2023 15:55:47 +0530 Subject: [PATCH] Remove Excess Permissions for athena --- .../connectors/database/athena/airflow.md | 77 +++--------------- .../v1.0.x/connectors/database/athena/cli.md | 78 ++++--------------- .../connectors/database/athena/index.md | 78 ++++--------------- .../connectors/database/athena/index.md | 78 ++++--------------- .../v1.1.x/connectors/database/athena/yaml.md | 78 ++++--------------- .../connectors/database/athena/index.md | 78 ++++--------------- .../v1.2.x/connectors/database/athena/yaml.md | 78 ++++--------------- .../public/locales/en-US/Database/Athena.md | 78 ++++--------------- 8 files changed, 103 insertions(+), 520 deletions(-) diff --git a/openmetadata-docs/content/v1.0.x/connectors/database/athena/airflow.md b/openmetadata-docs/content/v1.0.x/connectors/database/athena/airflow.md index 7cd829efddc6..ec2ba095fa09 100644 --- a/openmetadata-docs/content/v1.0.x/connectors/database/athena/airflow.md +++ b/openmetadata-docs/content/v1.0.x/connectors/database/athena/airflow.md @@ -61,7 +61,6 @@ This policy groups the following permissions: - `athena` – Allows the principal to run queries on Athena resources. - `glue` – Allows principals access to AWS Glue databases, tables, and partitions. This is required so that the principal can use the AWS Glue Data Catalog with Athena. -- `s3` – Allows the principal to write and read query results from Amazon S3. - `lakeformation` – Allows principals to request temporary credentials to access data in a data lake location that is registered with Lake Formation. And is defined as: 
@@ -73,74 +72,15 @@ And is defined as: { "Effect": "Allow", "Action": [ - "athena:BatchGetQueryExecution", - "athena:GetQueryExecution", - "athena:GetQueryResults", - "athena:GetQueryResultsStream", - "athena:ListQueryExecutions", - "athena:StartQueryExecution", - "athena:StopQueryExecution", - "athena:ListWorkGroups", - "athena:ListEngineVersions", - "athena:GetWorkGroup", - "athena:GetDataCatalog", - "athena:GetDatabase", "athena:GetTableMetadata", - "athena:ListDataCatalogs", "athena:ListDatabases", - "athena:ListTableMetadata" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "glue:CreateDatabase", - "glue:DeleteDatabase", - "glue:GetDatabase", + "athena:ListTableMetadata", + "athena:GetQueryExecution", + "athena:StartQueryExecution", + "athena:GetQueryResults", "glue:GetDatabases", - "glue:UpdateDatabase", - "glue:CreateTable", - "glue:DeleteTable", - "glue:BatchDeleteTable", - "glue:UpdateTable", - "glue:GetTable", "glue:GetTables", - "glue:BatchCreatePartition", - "glue:CreatePartition", - "glue:DeletePartition", - "glue:BatchDeletePartition", - "glue:UpdatePartition", - "glue:GetPartition", - "glue:GetPartitions", - "glue:BatchGetPartition" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "s3:GetBucketLocation", - "s3:GetObject", - "s3:ListBucket", - "s3:ListBucketMultipartUploads", - "s3:ListMultipartUploadParts", - "s3:AbortMultipartUpload", - "s3:CreateBucket", - "s3:PutObject", - "s3:PutBucketPublicAccessBlock" - ], - "Resource": [ - "arn:aws:s3:::aws-athena-query-results-*" - ] - }, - { - "Effect": "Allow", - "Action": [ + "glue:GetTable", "lakeformation:GetDataAccess" ], "Resource": [ 
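Review bot: The trimmed `Action` list keeps `athena:StartQueryExecution` and `athena:GetQueryResults`, but the commit removes every `s3:` action. Athena writes and reads query output through an S3 results location that the calling principal must be able to access, so ingestion that runs queries will probably fail with access-denied unless S3 access is granted elsewhere. Rather than dropping the statement, keep a narrow one: `s3:GetBucketLocation`, `s3:GetObject`, `s3:ListBucket` and `s3:PutObject` on the configured results bucket only (placeholder `arn:aws:s3:::<RESULTS_BUCKET>` and `arn:aws:s3:::<RESULTS_BUCKET>/*`), without the old `aws-athena-query-results-*` wildcard or `s3:CreateBucket`/`s3:PutBucketPublicAccessBlock`. All remaining actions now share one statement whose `Resource` value lies outside this hunk; if it is `*`, the docs should say it can be narrowed to the workgroup and catalog in use. The same policy hunk is repeated in the other seven files of this patch.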
@@ -151,6 +91,13 @@ And is defined as: } ``` + +{% note %} + +If you have external services other than glue and facing permission issues, add the permissions to the list above. + +{% /note %} + You can find further information on the Athena connector in the [docs](https://docs.open-metadata.org/connectors/database/athena). ### Python Requirements diff --git a/openmetadata-docs/content/v1.0.x/connectors/database/athena/cli.md b/openmetadata-docs/content/v1.0.x/connectors/database/athena/cli.md index 4a58ee5dc4c9..1f14745f92f4 100644 --- a/openmetadata-docs/content/v1.0.x/connectors/database/athena/cli.md +++ b/openmetadata-docs/content/v1.0.x/connectors/database/athena/cli.md @@ -61,7 +61,6 @@ This policy groups the following permissions: - `athena` – Allows the principal to run queries on Athena resources. - `glue` – Allows principals access to AWS Glue databases, tables, and partitions. This is required so that the principal can use the AWS Glue Data Catalog with Athena. -- `s3` – Allows the principal to write and read query results from Amazon S3. - `lakeformation` – Allows principals to request temporary credentials to access data in a data lake location that is registered with Lake Formation. And is defined as: 
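Review bot: The added note tells readers to "add the permissions to the list above" without saying which ones, which in practice invites pasting wildcard actions into a statement this commit is trying to keep minimal. Wording such as `If ingestion fails with an access-denied error for a service other than Glue, add only the action named in the error, scoped to the resource it needs.` keeps the least-privilege intent. The sentence also reads "and facing" where "and are facing" is meant, and "glue" should be capitalised as elsewhere in the file. The same note is added in the other seven files.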
@@ -73,74 +72,15 @@ And is defined as: { "Effect": "Allow", "Action": [ - "athena:BatchGetQueryExecution", - "athena:GetQueryExecution", - "athena:GetQueryResults", - "athena:GetQueryResultsStream", - "athena:ListQueryExecutions", - "athena:StartQueryExecution", - "athena:StopQueryExecution", - "athena:ListWorkGroups", - "athena:ListEngineVersions", - "athena:GetWorkGroup", - "athena:GetDataCatalog", - "athena:GetDatabase", "athena:GetTableMetadata", - "athena:ListDataCatalogs", "athena:ListDatabases", - "athena:ListTableMetadata" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "glue:CreateDatabase", - "glue:DeleteDatabase", - "glue:GetDatabase", + "athena:ListTableMetadata", + "athena:GetQueryExecution", + "athena:StartQueryExecution", + "athena:GetQueryResults", "glue:GetDatabases", - "glue:UpdateDatabase", - "glue:CreateTable", - "glue:DeleteTable", - "glue:BatchDeleteTable", - "glue:UpdateTable", - "glue:GetTable", "glue:GetTables", - "glue:BatchCreatePartition", - "glue:CreatePartition", - "glue:DeletePartition", - "glue:BatchDeletePartition", - "glue:UpdatePartition", - "glue:GetPartition", - "glue:GetPartitions", - "glue:BatchGetPartition" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "s3:GetBucketLocation", - "s3:GetObject", - "s3:ListBucket", - "s3:ListBucketMultipartUploads", - "s3:ListMultipartUploadParts", - "s3:AbortMultipartUpload", - "s3:CreateBucket", - "s3:PutObject", - "s3:PutBucketPublicAccessBlock" - ], - "Resource": [ - "arn:aws:s3:::aws-athena-query-results-*" - ] - }, - { - "Effect": "Allow", - "Action": [ + "glue:GetTable", "lakeformation:GetDataAccess" ], "Resource": [ 
@@ -151,6 +91,14 @@ And is defined as: } ``` + +{% note %} + +If you have external services other than glue and facing permission issues, add the permissions to the list above. + +{% /note %} + + You can find further information on the Athena connector in the [docs](https://docs.open-metadata.org/connectors/database/athena). ### Python Requirements diff --git a/openmetadata-docs/content/v1.0.x/connectors/database/athena/index.md b/openmetadata-docs/content/v1.0.x/connectors/database/athena/index.md index b035d74dbf94..afd04802c1c0 100644 --- a/openmetadata-docs/content/v1.0.x/connectors/database/athena/index.md +++ b/openmetadata-docs/content/v1.0.x/connectors/database/athena/index.md @@ -82,7 +82,6 @@ This policy groups the following permissions: - `athena` – Allows the principal to run queries on Athena resources. - `glue` – Allows principals access to AWS Glue databases, tables, and partitions. This is required so that the principal can use the AWS Glue Data Catalog with Athena. -- `s3` – Allows the principal to write and read query results from Amazon S3. - `lakeformation` – Allows principals to request temporary credentials to access data in a data lake location that is registered with Lake Formation. And is defined as: 
@@ -94,74 +93,15 @@ And is defined as: { "Effect": "Allow", "Action": [ - "athena:BatchGetQueryExecution", - "athena:GetQueryExecution", - "athena:GetQueryResults", - "athena:GetQueryResultsStream", - "athena:ListQueryExecutions", - "athena:StartQueryExecution", - "athena:StopQueryExecution", - "athena:ListWorkGroups", - "athena:ListEngineVersions", - "athena:GetWorkGroup", - "athena:GetDataCatalog", - "athena:GetDatabase", "athena:GetTableMetadata", - "athena:ListDataCatalogs", "athena:ListDatabases", - "athena:ListTableMetadata" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "glue:CreateDatabase", - "glue:DeleteDatabase", - "glue:GetDatabase", + "athena:ListTableMetadata", + "athena:GetQueryExecution", + "athena:StartQueryExecution", + "athena:GetQueryResults", "glue:GetDatabases", - "glue:UpdateDatabase", - "glue:CreateTable", - "glue:DeleteTable", - "glue:BatchDeleteTable", - "glue:UpdateTable", - "glue:GetTable", "glue:GetTables", - "glue:BatchCreatePartition", - "glue:CreatePartition", - "glue:DeletePartition", - "glue:BatchDeletePartition", - "glue:UpdatePartition", - "glue:GetPartition", - "glue:GetPartitions", - "glue:BatchGetPartition" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "s3:GetBucketLocation", - "s3:GetObject", - "s3:ListBucket", - "s3:ListBucketMultipartUploads", - "s3:ListMultipartUploadParts", - "s3:AbortMultipartUpload", - "s3:CreateBucket", - "s3:PutObject", - "s3:PutBucketPublicAccessBlock" - ], - "Resource": [ - "arn:aws:s3:::aws-athena-query-results-*" - ] - }, - { - "Effect": "Allow", - "Action": [ + "glue:GetTable", "lakeformation:GetDataAccess" ], "Resource": [ 
@@ -172,6 +112,14 @@ And is defined as: } ``` + +{% note %} + +If you have external services other than glue and facing permission issues, add the permissions to the list above. + +{% /note %} + + You can find further information on the Athena connector in the [docs](https://docs.open-metadata.org/connectors/database/athena). ## Metadata Ingestion diff --git a/openmetadata-docs/content/v1.1.x/connectors/database/athena/index.md b/openmetadata-docs/content/v1.1.x/connectors/database/athena/index.md index 71bf263d5421..001b988f8bcd 100644 --- a/openmetadata-docs/content/v1.1.x/connectors/database/athena/index.md +++ b/openmetadata-docs/content/v1.1.x/connectors/database/athena/index.md @@ -58,7 +58,6 @@ This policy groups the following permissions: - `athena` – Allows the principal to run queries on Athena resources. - `glue` – Allows principals access to AWS Glue databases, tables, and partitions. This is required so that the principal can use the AWS Glue Data Catalog with Athena. -- `s3` – Allows the principal to write and read query results from Amazon S3. - `lakeformation` – Allows principals to request temporary credentials to access data in a data lake location that is registered with Lake Formation. And is defined as: 
@@ -70,74 +69,15 @@ And is defined as: { "Effect": "Allow", "Action": [ - "athena:BatchGetQueryExecution", - "athena:GetQueryExecution", - "athena:GetQueryResults", - "athena:GetQueryResultsStream", - "athena:ListQueryExecutions", - "athena:StartQueryExecution", - "athena:StopQueryExecution", - "athena:ListWorkGroups", - "athena:ListEngineVersions", - "athena:GetWorkGroup", - "athena:GetDataCatalog", - "athena:GetDatabase", "athena:GetTableMetadata", - "athena:ListDataCatalogs", "athena:ListDatabases", - "athena:ListTableMetadata" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "glue:CreateDatabase", - "glue:DeleteDatabase", - "glue:GetDatabase", + "athena:ListTableMetadata", + "athena:GetQueryExecution", + "athena:StartQueryExecution", + "athena:GetQueryResults", "glue:GetDatabases", - "glue:UpdateDatabase", - "glue:CreateTable", - "glue:DeleteTable", - "glue:BatchDeleteTable", - "glue:UpdateTable", - "glue:GetTable", "glue:GetTables", - "glue:BatchCreatePartition", - "glue:CreatePartition", - "glue:DeletePartition", - "glue:BatchDeletePartition", - "glue:UpdatePartition", - "glue:GetPartition", - "glue:GetPartitions", - "glue:BatchGetPartition" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "s3:GetBucketLocation", - "s3:GetObject", - "s3:ListBucket", - "s3:ListBucketMultipartUploads", - "s3:ListMultipartUploadParts", - "s3:AbortMultipartUpload", - "s3:CreateBucket", - "s3:PutObject", - "s3:PutBucketPublicAccessBlock" - ], - "Resource": [ - "arn:aws:s3:::aws-athena-query-results-*" - ] - }, - { - "Effect": "Allow", - "Action": [ + "glue:GetTable", "lakeformation:GetDataAccess" ], "Resource": [ 
@@ -148,6 +88,14 @@ And is defined as: } ``` + +{% note %} + +If you have external services other than glue and facing permission issues, add the permissions to the list above. + +{% /note %} + + You can find further information on the Athena connector in the [docs](https://docs.open-metadata.org/connectors/database/athena). ## Metadata Ingestion diff --git a/openmetadata-docs/content/v1.1.x/connectors/database/athena/yaml.md b/openmetadata-docs/content/v1.1.x/connectors/database/athena/yaml.md index 47d498feb9cd..94cf001da2f9 100644 --- a/openmetadata-docs/content/v1.1.x/connectors/database/athena/yaml.md +++ b/openmetadata-docs/content/v1.1.x/connectors/database/athena/yaml.md @@ -62,7 +62,6 @@ This policy groups the following permissions: - `athena` – Allows the principal to run queries on Athena resources. - `glue` – Allows principals access to AWS Glue databases, tables, and partitions. This is required so that the principal can use the AWS Glue Data Catalog with Athena. -- `s3` – Allows the principal to write and read query results from Amazon S3. - `lakeformation` – Allows principals to request temporary credentials to access data in a data lake location that is registered with Lake Formation. And is defined as: 
@@ -74,74 +73,15 @@ And is defined as: { "Effect": "Allow", "Action": [ - "athena:BatchGetQueryExecution", - "athena:GetQueryExecution", - "athena:GetQueryResults", - "athena:GetQueryResultsStream", - "athena:ListQueryExecutions", - "athena:StartQueryExecution", - "athena:StopQueryExecution", - "athena:ListWorkGroups", - "athena:ListEngineVersions", - "athena:GetWorkGroup", - "athena:GetDataCatalog", - "athena:GetDatabase", "athena:GetTableMetadata", - "athena:ListDataCatalogs", "athena:ListDatabases", - "athena:ListTableMetadata" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "glue:CreateDatabase", - "glue:DeleteDatabase", - "glue:GetDatabase", + "athena:ListTableMetadata", + "athena:GetQueryExecution", + "athena:StartQueryExecution", + "athena:GetQueryResults", "glue:GetDatabases", - "glue:UpdateDatabase", - "glue:CreateTable", - "glue:DeleteTable", - "glue:BatchDeleteTable", - "glue:UpdateTable", - "glue:GetTable", "glue:GetTables", - "glue:BatchCreatePartition", - "glue:CreatePartition", - "glue:DeletePartition", - "glue:BatchDeletePartition", - "glue:UpdatePartition", - "glue:GetPartition", - "glue:GetPartitions", - "glue:BatchGetPartition" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "s3:GetBucketLocation", - "s3:GetObject", - "s3:ListBucket", - "s3:ListBucketMultipartUploads", - "s3:ListMultipartUploadParts", - "s3:AbortMultipartUpload", - "s3:CreateBucket", - "s3:PutObject", - "s3:PutBucketPublicAccessBlock" - ], - "Resource": [ - "arn:aws:s3:::aws-athena-query-results-*" - ] - }, - { - "Effect": "Allow", - "Action": [ + "glue:GetTable", "lakeformation:GetDataAccess" ], "Resource": [ 
@@ -152,6 +92,14 @@ And is defined as: } ``` + +{% note %} + +If you have external services other than glue and facing permission issues, add the permissions to the list above. + +{% /note %} + + You can find further information on the Athena connector in the [docs](https://docs.open-metadata.org/connectors/database/athena). ### Python Requirements diff --git a/openmetadata-docs/content/v1.2.x/connectors/database/athena/index.md b/openmetadata-docs/content/v1.2.x/connectors/database/athena/index.md index 3d15639df7d4..412c3d4f3bdf 100644 --- a/openmetadata-docs/content/v1.2.x/connectors/database/athena/index.md +++ b/openmetadata-docs/content/v1.2.x/connectors/database/athena/index.md @@ -58,7 +58,6 @@ This policy groups the following permissions: - `athena` – Allows the principal to run queries on Athena resources. - `glue` – Allows principals access to AWS Glue databases, tables, and partitions. This is required so that the principal can use the AWS Glue Data Catalog with Athena. -- `s3` – Allows the principal to write and read query results from Amazon S3. - `lakeformation` – Allows principals to request temporary credentials to access data in a data lake location that is registered with Lake Formation. And is defined as: 
@@ -70,74 +69,15 @@ And is defined as: { "Effect": "Allow", "Action": [ - "athena:BatchGetQueryExecution", - "athena:GetQueryExecution", - "athena:GetQueryResults", - "athena:GetQueryResultsStream", - "athena:ListQueryExecutions", - "athena:StartQueryExecution", - "athena:StopQueryExecution", - "athena:ListWorkGroups", - "athena:ListEngineVersions", - "athena:GetWorkGroup", - "athena:GetDataCatalog", - "athena:GetDatabase", "athena:GetTableMetadata", - "athena:ListDataCatalogs", "athena:ListDatabases", - "athena:ListTableMetadata" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "glue:CreateDatabase", - "glue:DeleteDatabase", - "glue:GetDatabase", + "athena:ListTableMetadata", + "athena:GetQueryExecution", + "athena:StartQueryExecution", + "athena:GetQueryResults", "glue:GetDatabases", - "glue:UpdateDatabase", - "glue:CreateTable", - "glue:DeleteTable", - "glue:BatchDeleteTable", - "glue:UpdateTable", - "glue:GetTable", "glue:GetTables", - "glue:BatchCreatePartition", - "glue:CreatePartition", - "glue:DeletePartition", - "glue:BatchDeletePartition", - "glue:UpdatePartition", - "glue:GetPartition", - "glue:GetPartitions", - "glue:BatchGetPartition" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "s3:GetBucketLocation", - "s3:GetObject", - "s3:ListBucket", - "s3:ListBucketMultipartUploads", - "s3:ListMultipartUploadParts", - "s3:AbortMultipartUpload", - "s3:CreateBucket", - "s3:PutObject", - "s3:PutBucketPublicAccessBlock" - ], - "Resource": [ - "arn:aws:s3:::aws-athena-query-results-*" - ] - }, - { - "Effect": "Allow", - "Action": [ + "glue:GetTable", "lakeformation:GetDataAccess" ], "Resource": [ 
@@ -148,6 +88,14 @@ And is defined as: } ``` + +{% note %} + +If you have external services other than glue and facing permission issues, add the permissions to the list above. + +{% /note %} + + You can find further information on the Athena connector in the [docs](https://docs.open-metadata.org/connectors/database/athena). ## Metadata Ingestion diff --git a/openmetadata-docs/content/v1.2.x/connectors/database/athena/yaml.md b/openmetadata-docs/content/v1.2.x/connectors/database/athena/yaml.md index 392eedec3357..42efa6826a00 100644 --- a/openmetadata-docs/content/v1.2.x/connectors/database/athena/yaml.md +++ b/openmetadata-docs/content/v1.2.x/connectors/database/athena/yaml.md @@ -62,7 +62,6 @@ This policy groups the following permissions: - `athena` – Allows the principal to run queries on Athena resources. - `glue` – Allows principals access to AWS Glue databases, tables, and partitions. This is required so that the principal can use the AWS Glue Data Catalog with Athena. -- `s3` – Allows the principal to write and read query results from Amazon S3. - `lakeformation` – Allows principals to request temporary credentials to access data in a data lake location that is registered with Lake Formation. And is defined as: 
@@ -74,74 +73,15 @@ And is defined as: { "Effect": "Allow", "Action": [ - "athena:BatchGetQueryExecution", - "athena:GetQueryExecution", - "athena:GetQueryResults", - "athena:GetQueryResultsStream", - "athena:ListQueryExecutions", - "athena:StartQueryExecution", - "athena:StopQueryExecution", - "athena:ListWorkGroups", - "athena:ListEngineVersions", - "athena:GetWorkGroup", - "athena:GetDataCatalog", - "athena:GetDatabase", "athena:GetTableMetadata", - "athena:ListDataCatalogs", "athena:ListDatabases", - "athena:ListTableMetadata" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "glue:CreateDatabase", - "glue:DeleteDatabase", - "glue:GetDatabase", + "athena:ListTableMetadata", + "athena:GetQueryExecution", + "athena:StartQueryExecution", + "athena:GetQueryResults", "glue:GetDatabases", - "glue:UpdateDatabase", - "glue:CreateTable", - "glue:DeleteTable", - "glue:BatchDeleteTable", - "glue:UpdateTable", - "glue:GetTable", "glue:GetTables", - "glue:BatchCreatePartition", - "glue:CreatePartition", - "glue:DeletePartition", - "glue:BatchDeletePartition", - "glue:UpdatePartition", - "glue:GetPartition", - "glue:GetPartitions", - "glue:BatchGetPartition" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "s3:GetBucketLocation", - "s3:GetObject", - "s3:ListBucket", - "s3:ListBucketMultipartUploads", - "s3:ListMultipartUploadParts", - "s3:AbortMultipartUpload", - "s3:CreateBucket", - "s3:PutObject", - "s3:PutBucketPublicAccessBlock" - ], - "Resource": [ - "arn:aws:s3:::aws-athena-query-results-*" - ] - }, - { - "Effect": "Allow", - "Action": [ + "glue:GetTable", "lakeformation:GetDataAccess" ], "Resource": [ 
@@ -152,6 +92,14 @@ And is defined as: } ``` + +{% note %} + +If you have external services other than glue and facing permission issues, add the permissions to the list above. + +{% /note %} + + You can find further information on the Athena connector in the [docs](https://docs.open-metadata.org/connectors/database/athena). ### Python Requirements diff --git a/openmetadata-ui/src/main/resources/ui/public/locales/en-US/Database/Athena.md b/openmetadata-ui/src/main/resources/ui/public/locales/en-US/Database/Athena.md index b45b41ddb0d6..5eff48696488 100644 --- a/openmetadata-ui/src/main/resources/ui/public/locales/en-US/Database/Athena.md +++ b/openmetadata-ui/src/main/resources/ui/public/locales/en-US/Database/Athena.md @@ -17,7 +17,6 @@ This policy groups the following permissions: - `athena` – Allows the principal to run queries on Athena resources. - `glue` – Allows principals access to AWS Glue databases, tables, and partitions. This is required so that the principal can use the AWS Glue Data Catalog with Athena. -- `s3` – Allows the principal to write and read query results from Amazon S3. - `lakeformation` – Allows principals to request temporary credentials to access data in a data lake location that is registered with Lake Formation. And is defined as: 
@@ -29,74 +28,15 @@ And is defined as: { "Effect": "Allow", "Action": [ - "athena:BatchGetQueryExecution", - "athena:GetQueryExecution", - "athena:GetQueryResults", - "athena:GetQueryResultsStream", - "athena:ListQueryExecutions", - "athena:StartQueryExecution", - "athena:StopQueryExecution", - "athena:ListWorkGroups", - "athena:ListEngineVersions", - "athena:GetWorkGroup", - "athena:GetDataCatalog", - "athena:GetDatabase", "athena:GetTableMetadata", - "athena:ListDataCatalogs", "athena:ListDatabases", - "athena:ListTableMetadata" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "glue:CreateDatabase", - "glue:DeleteDatabase", - "glue:GetDatabase", + "athena:ListTableMetadata", + "athena:GetQueryExecution", + "athena:StartQueryExecution", + "athena:GetQueryResults", "glue:GetDatabases", - "glue:UpdateDatabase", - "glue:CreateTable", - "glue:DeleteTable", - "glue:BatchDeleteTable", - "glue:UpdateTable", - "glue:GetTable", "glue:GetTables", - "glue:BatchCreatePartition", - "glue:CreatePartition", - "glue:DeletePartition", - "glue:BatchDeletePartition", - "glue:UpdatePartition", - "glue:GetPartition", - "glue:GetPartitions", - "glue:BatchGetPartition" - ], - "Resource": [ - "*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "s3:GetBucketLocation", - "s3:GetObject", - "s3:ListBucket", - "s3:ListBucketMultipartUploads", - "s3:ListMultipartUploadParts", - "s3:AbortMultipartUpload", - "s3:CreateBucket", - "s3:PutObject", - "s3:PutBucketPublicAccessBlock" - ], - "Resource": [ - "arn:aws:s3:::aws-athena-query-results-*" - ] - }, - { - "Effect": "Allow", - "Action": [ + "glue:GetTable", "lakeformation:GetDataAccess" ], "Resource": [ 
@@ -107,6 +47,14 @@ And is defined as: } ``` + +{% note %} + +If you have external services other than glue and facing permission issues, add the permissions to the list above. + +{% /note %} + + You can find further information on the Athena connector in the [docs](https://docs.open-metadata.org/connectors/database/athena). ## Connection Details