# AWS IAM Permissions Setup for Athena, Glue, and KMS (Vault Integration) #### 1) Purpose Provide **required permissions** for a user/role to run queries in **Amazon Athena**, manage required **AWS Glue Data Catalog** objects (DB/Table), and use **KMS** where S3 buckets are encrypted with SSE-KMS. *** ### 2) Scope This applies to: * AWS Account: **\** * IAM Entity to grant access: * **IAM Role** * IAM User *** ### 3) Prerequisites (Must Confirm/Collect) Before applying policy, confirm these values (replace placeholders later): * **Athena WorkGroup name(s)** (example: `primary` or `vault-athena-wg`) * **Athena query results S3 bucket & prefix** * Example: `s3:///athena/results/` * **S3 data bucket(s)** Athena queries will read from * Example: `s3:///path/` * If using SSE-KMS: * **KMS key ARN(s)** used by those buckets > Note: Athena always needs access to **S3 query results location** usually needs **S3 read** access. *** ### 4) IAM Policy (Corrected JSON) #### 4.1 Minimal functional policy for Athena + Glue + KMS (+ S3) Use the following as the baseline. Replace placeholders where needed. `{ "Version": "2012-10-17", "Statement": [ { "Sid": "Athena", "Effect": "Allow", "Action": [ "athena:StartQueryExecution", "athena:GetQueryExecution", "athena:GetQueryResults", "athena:StopQueryExecution", "athena:GetWorkGroup" ], "Resource": [ "arn:aws:athena:::workgroup/primary", "arn:aws:athena:::workgroup/primary", "arn:aws:athena:::workgroup/primary" ] }, { "Sid": "Glue", "Effect": "Allow", "Action": [ "glue:GetDatabase", "glue:GetDatabases", "glue:GetTable", "glue:GetTables", "glue:GetPartition", "glue:GetPartitions", "glue:CreateTable", "glue:UpdateTable", "glue:CreateDatabase", "glue:DeleteTable" ], "Resource": [ "arn:aws:glue:::catalog", "arn:aws:glue:::database/vault_db", "arn:aws:glue:::table/vault_db/*", "arn:aws:glue:::catalog", "arn:aws:glue:::database/vault_db", "arn:aws:glue:::table/vault_db/*" ] } ] }` {% hint style="info" %} Note: The regions list should get form instance database and specify each region in this police {% endhint %} #### 4.2 S3 Delete Permissions – AdvancedSearch {% hint style="info" %} **Note:**\ This policy grants permission to delete objects and object versions only within the `AdvancedSearch` path of the specified S3 bucket. {% endhint %} { "Version": "2012-10-17", "Statement": \[ { "Effect": "Allow", "Action": \[ "s3:DeleteObject", "s3:DeleteObjectVersion" ], "Resource": "arn:aws:s3:::\/AdvancedSearch/\*" } ] } --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://knowledgebase.autorabit.com/product-guides/vault/vault-faqs/common-restore-errors-and-solutions/aws-iam-permissions-setup-for-athena-glue-and-kms-vault-integration.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.