How To Setup Amazon Athena - Configuring Your AWS Account S3 and IAM
Written by Openbridge Support
Updated over a week ago

>> UPDATE: We have released a CloudFormation (CF) template that automates setting up Amazon S3 and IAM. We suggest starting with CF vs the manual steps below.<<

Amazon Athena is a serverless platform, so there is no infrastructure to manage. You don’t need to worry about configuration, software updates, failures, or scaling your infrastructure as your datasets and number of users grow.

There are two major steps to getting your Amazon account set up for Athena.

  • First Step: Create an Amazon S3 bucket
  • Second Step: Create an IAM policy that allows Openbridge to access S3 and Athena

Step 1: Create an Amazon S3 Bucket

First, log into Amazon:  https://console.aws.amazon.com/

Note: If you already have a bucket you want to use, skip to Step 2: Setting up IAM Policy

1. Name and region: Create an S3 bucket with a name like “mycompany001-openbridge-athena”. The name can be anything you want, but please be aware that the bucket name needs to be unique. When you are ready, click Next.

2. Set properties: No additional properties or permissions are required from us. If you want to set them for your own purposes, please feel free to do so. When you are ready, click Next.

3. Set permissions: No additional properties or permissions are required at this step. When you are ready, click Next.

4. Review: Take a look at the setup and if all looks well you can select “Create bucket”.

All set! 

Next, we need to create an IAM user and an IAM policy that grant Openbridge permission to read from and write to the bucket.

Step 2: Setup Amazon Athena IAM Policy

If you are not already signed into AWS please do so. Sign in to the IAM console:  https://console.aws.amazon.com/iam/

1. Create an IAM User

Create an IAM User with username openbridge-athena. Next, select the access type of “Programmatic access”. Once complete, click "Next..."

We will skip setting permissions in step 2 for now. Permissions will come a little later. For now, we want to get the user configured.

Skip “3. Tags” unless you want them

Review your setup. You can ignore the permissions warning. We will add those next. 

Congratulations, you have a new Athena user setup! 

Make sure to download the credentials .csv file. Also, keep this file in a safe place. The CSV contains your AWS Secret and AWS Key for the user you just created. You will need this later.

Setup IAM Access Policy

Next, you need to create an access policy that links the User and S3 Bucket together. This gives Openbridge the access it needs for Athena.

You should still be in IAM.  Go to IAM > Users: https://console.aws.amazon.com/iam/home#/users

Find the openbridge-amazon-athena user you created and click “Add inline policy”.

You will want to select the JSON editor. 

Use this policy template, replacing yourbucketname with the name of the bucket you created in Step 1. This is what it looks like in the editor. Note the areas where you need to add your bucket name!

IMPORTANT: If you do not change yourbucketname in the template, policy setup will not work. Below is a sample policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::yourbucketname/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:CreateBucket",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::yourbucketname"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "athena:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "glue:CreateDatabase",
                "glue:DeleteDatabase",
                "glue:GetDatabase",
                "glue:GetDatabases",
                "glue:UpdateDatabase",
                "glue:CreateTable",
                "glue:DeleteTable",
                "glue:BatchDeleteTable",
                "glue:UpdateTable",
                "glue:GetTable",
                "glue:GetTables",
                "glue:BatchCreatePartition",
                "glue:CreatePartition",
                "glue:DeletePartition",
                "glue:BatchDeletePartition",
                "glue:UpdatePartition",
                "glue:GetPartition",
                "glue:GetPartitions",
                "glue:BatchGetPartition"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}


Save the policy in the JSON editor and continue.

Name this policy "openbridge-athena-policy".

Save your changes. That is it! You have configured Amazon to allow Openbridge to manage Amazon Athena on your behalf.
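A check that can be run on the edited policy text before it is pasted into the JSON editor, as an added example (not Openbridge's code): it reports an unreplaced yourbucketname, S3 resources that are not the Step 1 bucket, object-level S3 actions in a statement that names only the bucket ARN, and statements whose Resource is "*". The function names, finding codes and the condensed sample policy are constructed for this example.

```python
import json

PLACEHOLDER = "yourbucketname"  # placeholder string in the page's template
# S3 actions that act on objects, so they only match "bucket/*" ARNs.
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                  "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"}


def as_list(value):
    """IAM accepts a single string/object or a list for these fields."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def lint_policy(policy_text, bucket):
    """Return (code, statement_index, detail) findings for an edited policy."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    allowed = {bucket_arn, bucket_arn + "/*"}
    findings = []
    for i, stmt in enumerate(as_list(json.loads(policy_text)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = as_list(stmt["Action"]), as_list(stmt["Resource"])
        s3_actions = [a for a in actions if a.startswith("s3:")]
        for res in resources:
            if PLACEHOLDER in res:  # template was pasted without editing
                findings.append(("PLACEHOLDER", i, res))
            elif res == "*":  # grant is not limited to named resources
                findings.append(("WILDCARD_RESOURCE", i, ",".join(actions)))
            elif s3_actions and res not in allowed:  # not the Step 1 bucket
                findings.append(("OTHER_BUCKET", i, res))
        # Object actions whose statement names only bucket ARNs match nothing.
        if s3_actions and not any("/" in r or "*" in r for r in resources):
            findings += [("OBJECT_ACTION_ON_BUCKET", i, a)
                         for a in s3_actions if a in OBJECT_ACTIONS]
    return findings


def template(bucket):
    """Condensed copy of the template's shape, constructed for this example."""
    arn = f"arn:aws:s3:::{bucket}"
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": [arn + "/*"]},
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:DeleteObject"],
         "Resource": [arn]},
        {"Effect": "Allow", "Action": ["athena:*"], "Resource": ["*"]}]})


if __name__ == "__main__":
    for finding in lint_policy(template(PLACEHOLDER), "mycompany001-openbridge-athena"):
        print(finding)
```

To check a real policy, pass the text saved from the JSON editor and the Step 1 bucket name to lint_policy; WILDCARD_RESOURCE findings mark the statements that are not limited to the bucket and are worth reviewing.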
