Amazon Athena

The first thing youā€™ll need to do is create an IAM user that will have permissions to run queries with Amazon Athena and access the S3 buckets that contain your data.

Create IAM Policy

The policy should allow access to your S3 bucket

  1. Sign in to the IAM console atĀ https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Policies, and then Create Policy.

In the policy body, you can use a policy similar to:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::Your_Bucket_Name/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::my-bucket"
]
}
]
}

Donā€™t forget to changeĀ Your_Bucket_NameĀ to your bucket name. You can list several buckets, but please note that we have separate permissions for the bucket (Ā arn:aws:s3:::my-bucket) and the objects (arn:aws:s3:::my-bucket/*).

Create IAM User

  • Sign in to the IAM console atĀ https://console.aws.amazon.com/iam/.
  • In the navigation pane, choose Users, and then Add User.
  • Enter the desired User Name.
  • Check the checkbox next to Programmatic Access and then click Next.

  • In the Permissions step, select Attach existing policies directly and attach the AWSQuicksightAthenaAccess policy along with the one to access S3 buckets you created previously.

  • Click Next, then review all the details and Create User.
  • Take note of the Access Key ID and Secret Access Key.

Create Athena Data Source

In Cast, in the New Data Source page select ā€œAthenaā€ as the data source type and fill out the details using the information from the previous step:

  • AWS Access KeyĀ andĀ AWS Secret KeyĀ are the ones from the previous step.
  • AWS RegionĀ is the region where you use Amazon Athena.
  • S3 Staging PathĀ is the bucket Amazon Athena uses for staging/query results, you might have created it already if you used Amazon Athena from AWS console - simply copy the same path.

If you have trouble refreshing the Athena data source schema, check whether youā€™re using AWS Glue. If so you should toggle Use Glue Data Catalog under the Additional Settings menu.

Troubleshooting

AWSQuicksightAthenaAccess

When using Athena you need the following S3 permissions:

  • Read permissions for the buckets you query from.
  • Write permissions for the Query Results bucket.

The latter is supposed to be covered by theĀ AWSQuicksightAthenaAccessĀ policy, but it defines this only for the following buckets:Ā arn:aws:s3:::aws-athena-query-results-*Ā .

If you use a different bucket location, you need to specify it in your custom policy. The required permissions for the query results bucket are:

"s3:GetBucketLocation",
            "s3:GetObject",
            "s3:ListBucket",
            "s3:ListBucketMultipartUploads",
            "s3:ListMultipartUploadParts",
            "s3:AbortMultipartUpload",
            "s3:CreateBucket",
            "s3:PutObject"