>> UPDATE: We have released a CloudFormation (CF) template that automates setting up Amazon S3 and IAM. We suggest starting with the CF template rather than the manual steps below. <<
Amazon Athena is a serverless platform, so there is no infrastructure to manage. You don’t need to worry about configuration, software updates, failures, or scaling your infrastructure as your datasets and number of users grow.
There are two major steps to getting your Amazon account set up for Athena.
First Step: Create an S3 bucket to be used for Openbridge and Amazon Athena. This bucket holds your final processed data that was sourced from third-party integrations, our batch API, or streaming events API.
Second Step: Create an IAM policy that allows Openbridge to access S3 and Athena.
Step 1: Create an Amazon S3 Bucket
First, log into Amazon: https://console.aws.amazon.com/
Note: If you already have a bucket you want to use, skip to Step 2: Setting up IAM Policy
1. Name and region: Create an S3 Bucket with a name like “mycompany001-openbridge-athena”. This can be anything you want, but please be aware that the bucket name should be unique. When you are ready, click next...
2. Set properties: No additional properties or permissions are required from us. If you want to set them for your own purposes, please feel free to do so. When you are ready, click next...
3. Set permissions: No additional properties or permissions are required at this step. When you are ready, click next...
4. Review: Take a look at the setup and if all looks well you can select “Create bucket”.
All set!
Next, we need to attach an IAM policy to the bucket which will grant Openbridge permissions to read and write to it.
Step 2: Setup Amazon Athena IAM Policy
If you are not already signed into AWS please do so. Sign in to the IAM console: https://console.aws.amazon.com/iam/
1. Create an IAM User
Create an IAM User with username openbridge-athena. Next, select the access type of “Programmatic access”. Once complete, click "Next..."
We will skip setting permissions in Step 2 for now. Permissions will come a little later. For now, we want to get the user configured:
Skip “3. Tags” unless you want them
Review your setup. You can ignore the permissions warning. We will add those next.
Congratulations, you have a new Athena user set up!
Make sure to download the credentials .csv file. Also, keep this file in a safe place. The CSV contains your AWS Secret and AWS Key for the user you just created. You will need this later.
Setup IAM Access Policy
Next, you need to create an access policy that links the User and S3 Bucket together. This gives Openbridge the access it needs for Athena:
You should still be in IAM. Go to IAM > Users: https://console.aws.amazon.com/iam/home#/users
Find the openbridge-amazon-athena user you created and click to “Add inline policy”.
You will want to select the JSON editor.
Use this policy template, replacing yourbucketname with the bucket name you created in Step 1. This is what it looks like in the editor. Note the areas where you need to add your bucket name!
IMPORTANT: If you do not change yourbucketname in the template, policy setup will not work. Below is a sample policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::yourbucketname/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:CreateBucket",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::yourbucketname"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "athena:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "glue:CreateDatabase",
                "glue:DeleteDatabase",
                "glue:GetDatabase",
                "glue:GetDatabases",
                "glue:UpdateDatabase",
                "glue:CreateTable",
                "glue:DeleteTable",
                "glue:BatchDeleteTable",
                "glue:UpdateTable",
                "glue:GetTable",
                "glue:GetTables",
                "glue:BatchCreatePartition",
                "glue:CreatePartition",
                "glue:DeletePartition",
                "glue:BatchDeletePartition",
                "glue:UpdatePartition",
                "glue:GetPartition",
                "glue:GetPartitions",
                "glue:BatchGetPartition"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
Save the policy in the JSON editor and continue.
Name this policy as "openbridge-athena-policy".
Save your changes. That is it! You have configured Amazon to allow Openbridge to manage Amazon Athena on your behalf.
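A pre-flight check you can run on the policy JSON before pasting it into the editor. This is an added example, not Openbridge's own tooling. It reports any yourbucketname placeholder left in place, S3 ARNs that point at a different bucket, object-level actions listed against a bucket-only ARN, and service-wide wildcards worth a review. The names check_policy and TEMPLATE and the finding labels are assumptions made for this example.

```python
import json

PLACEHOLDER = "yourbucketname"   # placeholder string used in the page's template
S3_PREFIX = "arn:aws:s3:::"
# Object-level S3 actions from the template; they only match bucket/key ARNs.
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                  "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"}

# Constructed sample: three statements trimmed from the template above.
TEMPLATE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::yourbucketname/*"]},
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::yourbucketname"]},
    {"Effect": "Allow", "Action": ["athena:*"], "Resource": ["*"]}]})

def as_list(value):
    """IAM allows a bare string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)

def check_policy(policy_json, bucket):
    """Return (statement index, finding, value) tuples for a pasted policy."""
    findings = []
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    for i, stmt in enumerate(statements):
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        s3_paths = [r[len(S3_PREFIX):] for r in resources if r.startswith(S3_PREFIX)]
        for path in s3_paths:
            name = path.split("/", 1)[0]
            if name == PLACEHOLDER:
                findings.append((i, "placeholder-not-replaced", S3_PREFIX + path))
            elif name != bucket:
                findings.append((i, "unexpected-bucket", S3_PREFIX + path))
        # Object actions listed against bucket-only ARNs never match anything.
        if s3_paths and all("/" not in p for p in s3_paths):
            findings += [(i, "object-action-on-bucket-arn", a)
                         for a in actions if a in OBJECT_ACTIONS]
        # Service-wide wildcard on every resource: record it for review.
        if "*" in resources:
            findings += [(i, "wildcard-action-on-all-resources", a)
                         for a in actions if a == "*" or a.endswith(":*")]
    return findings

if __name__ == "__main__":
    rendered = TEMPLATE.replace(PLACEHOLDER, "mycompany001-openbridge-athena")
    for finding in check_policy(rendered, "mycompany001-openbridge-athena"):
        print(finding)
```

An empty list means none of these four conditions was found; it does not replace reviewing the policy against your own access requirements.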