When attempting to set up multiple Athena connections for users with user-specific data, I’d like to be able to configure access to specific Athena databases. Athena access control is documented here:
https://docs.aws.amazon.com/athena/latest/ug/fine-grained-access-to-glue-resources.html#examples-fine-grained-table-database-policies

However, IAM doesn’t allow this configuration and shows an error:

The actions in your policy do not support resource-level permissions and require you to choose All resources

Anyone have a solution for defining Athena access by database or table?

Can you share the policy you use?

Although unless this is something Redash does wrong when using the IAM policy (definitely possible), it seems like a general Athena/IAM issue and you might have better luck by asking in the AWS forums.

I started with the AWSAthenaQuicksightAccess policy and pared it down (see below). I may be overly cautious, but some account details are redacted.

If the Glue resource is changed to a wildcard ('*') it works, but all databases and tables are shown. I want to limit it to specific resources. Is Redash attempting to get all databases?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "athena:BatchGetQueryExecution",
                "athena:CancelQueryExecution",
                "athena:GetCatalogs",
                "athena:GetExecutionEngine",
                "athena:GetExecutionEngines",
                "athena:GetNamespace",
                "athena:GetNamespaces",
                "athena:GetQueryExecution",
                "athena:GetQueryExecutions",
                "athena:GetQueryResults",
                "athena:GetQueryResultsStream",
                "athena:GetTable",
                "athena:GetTables",
                "athena:ListQueryExecutions",
                "athena:RunQuery",
                "athena:StartQueryExecution",
                "athena:StopQueryExecution",
                "athena:ListWorkGroups",
                "athena:GetWorkGroup"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "glue:GetDatabase",
                "glue:GetDatabases",
                "glue:GetTable",
                "glue:GetTables",
                "glue:GetPartition"
            ],
            "Resource": [
                "arn:aws:glue:us-east-1:redacted:catalog",
                "arn:aws:glue:us-east-1:redacted:database/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:ListMultipartUploadParts",
                "s3:AbortMultipartUpload",
                "s3:CreateBucket",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::redacted-query-results-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "lakeformation:GetDataAccess"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

I’ve made progress; I can’t say I am all the way through, but adding a table resource is giving me what I want initially.

"arn:aws:glue:us-east-1:redacted-account-number:table/default/*",
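The thread's fix (adding a `table/<db>/*` ARN next to the catalog and `database/*` ARNs) follows from how IAM matches the Resource element: `database/*` never covers a `table/...` ARN, so Glue table lookups fall through. The following is an added example, not code from this thread or from Redash, that builds the three-level Glue statement the linked AWS doc describes and evaluates which Glue ARNs a Resource list actually covers using IAM-style wildcard matching. The account id `123456789012` and the `events` table name are constructed placeholders.

```python
import json
import re

# Added example (not from the thread): build a scoped Glue statement
# (catalog + database + table ARNs) and check, with an IAM-style
# wildcard match, which Glue ARNs a Resource list actually covers.

ACCOUNT = "123456789012"  # constructed placeholder account id
REGION = "us-east-1"

GLUE_READ_ACTIONS = [
    "glue:GetDatabase",
    "glue:GetDatabases",
    "glue:GetTable",
    "glue:GetTables",
    "glue:GetPartition",
]


def glue_arn(resource, region=REGION, account=ACCOUNT):
    """Format a Glue Data Catalog ARN, e.g. 'database/sales' or 'table/sales/*'."""
    return f"arn:aws:glue:{region}:{account}:{resource}"


def build_glue_statement(databases, region=REGION, account=ACCOUNT):
    """Return an Allow statement granting read access to the given databases
    and all of their tables. Table-level access needs the catalog, the
    database and the table ARNs listed together."""
    resources = [glue_arn("catalog", region, account)]
    for db in databases:
        resources.append(glue_arn(f"database/{db}", region, account))
        resources.append(glue_arn(f"table/{db}/*", region, account))
    return {
        "Effect": "Allow",
        "Action": list(GLUE_READ_ACTIONS),
        "Resource": resources,
    }


def _pattern_to_regex(pattern):
    """IAM Resource matching: '*' matches any run of characters (including '/'),
    '?' matches exactly one; everything else is literal."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def resource_allowed(statement, arn):
    """True if an Allow statement's Resource list covers the ARN."""
    if statement.get("Effect") != "Allow":
        return False
    resources = statement["Resource"]
    if isinstance(resources, str):
        resources = [resources]
    return any(_pattern_to_regex(r).match(arn) for r in resources)


def coverage(statement, arns):
    """Map each ARN to whether the statement covers it; useful for diffing policies."""
    return {arn: resource_allowed(statement, arn) for arn in arns}


# The Glue statement from the thread: catalog + database/* only.
DATABASE_ONLY = {
    "Effect": "Allow",
    "Action": list(GLUE_READ_ACTIONS),
    "Resource": [glue_arn("catalog"), glue_arn("database/*")],
}


if __name__ == "__main__":
    probes = [
        glue_arn("catalog"),
        glue_arn("database/default"),
        glue_arn("table/default/events"),  # constructed table name
        glue_arn("table/other/events"),
    ]
    print(json.dumps(coverage(DATABASE_ONLY, probes), indent=2))
    scoped = build_glue_statement(["default"])
    print(json.dumps(scoped, indent=2))
    print(json.dumps(coverage(scoped, probes), indent=2))
```

This only models the Resource element of an Allow statement: it does not evaluate Deny statements, conditions, or whether a given action supports resource-level permissions at all, which is the separate problem behind the "require you to choose All resources" error in the first post. Use it to confirm that a scoped statement covers exactly the catalog, database and table ARNs you intend and nothing in other databases.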