DatalakeをAthenaから利用するためのIAM policy
from Amazon Athena
DatalakeをAthenaから利用するためのIAM policy
https://gyazo.com/062a36c066931b7033d37372269f0345
参考)ワークグループのポリシーの例 - Amazon Athena
code:SQLの実行権.json
{
"Effect": "Allow",
"Action": [
"athena:StartQueryExecution",
"athena:GetQueryResults",
"athena:DeleteNamedQuery",
"athena:GetNamedQuery",
"athena:ListQueryExecutions",
"athena:StopQueryExecution",
"athena:GetQueryResultsStream",
"athena:ListNamedQueries",
"athena:CreateNamedQuery",
"athena:GetQueryExecution",
"athena:BatchGetNamedQuery",
"athena:BatchGetQueryExecution"
],
"Resource": [
"arn:aws:athena:us-east-1:123456789012:workgroup/workgroupA"
]
}
参考)AmazonAthenaFullAccess 管理ポリシー - Amazon Athena
code:DataCatalogへのAccess権.json
{
"Effect": "Allow",
"Action": [
"lakeformation:GetDataAccess",
"lakeformation:GetMetadataAccess",
"glue:GetUnfiltered*",
"glue:GetTable",
"glue:GetTables",
"glue:GetDatabase",
"glue:GetDatabases",
"glue:GetUserDefinedFunction",
"glue:GetUserDefinedFunctions",
"glue:SearchTables"
],
"Resource": [
"*"
]
}
code:SQL元dataへのaccess権.json
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": [
"*"
]
}
code:Output保存先へのACCESS権.json
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::aws-athena-query-results-*"
]
}