Skip to main content

Athena connection

  • S3 Output Bucket Location - The Amazon S3 bucket where query results should be stored. The location should start with s3://. For example, to store results in a folder named "test-folder-1" inside an S3 bucket named "query-results-bucket", you would set the location to s3://query-results-bucket/test-folder-1

  • Workgroup - If your Athena instance is configured with different workspaces you can assign your connection to a workspace here

  • AWS ARN - A dedicated Identity Access Management (IAM) role created specifically for This role must be created before you can configure a connection to Athena. See Create a dedicated IAM role for Athena connections for more information.

  • AWS external id - provided in the "Add a new Athena connection" dialog


Before configuring a connection to Athena you need to have set up an IAM role in the AWS console.


Create a dedicated IAM role for Athena connections

To configure a virtual connection to Athena you will need to create a dedicated IAM role in your Amazon Web Services (AWS) console and enter the AWS Amazon Resource Name (ARN) for it in the Add a new connection dialog. To create the role, however, you will need to first get the AWS External ID from the bottom of the connection dialog. Follow the steps below to create the AWS role and the connection to Athena.

  1. Open the configuration screen as described above,

  2. Copy the External ID and do not close the dialog.


    You have to leave the Add a new connection dialog open while you connect to the AWS console and create the role needed for the connection because every time you open the dialog to create a new connection, a new external ID is generated.

  3. Go to the AWS console and select Create role.

  4. Use the following parameters for the role:

    • Select type of trusted entity - Another AWS account

    • Account ID - 465428570792

    • Require external ID - checked

    • External ID - The value copied from the Add new connection dialog in

  5. Select Next: Permissions:

  6. Use the search bar to find the following two policies and add them:

    • AmazonAthenaFullAccess

    • AmazonS3FullAccess


    You may choose to be more fine grained in precisely which buckets you allow to access. We will only need write access on the S3 output bucket location configured earlier. Otherwise, the minimum permissions required to query data from table backing buckets is required.

  7. Add any tags you would like.

  8. Select Next: Review

  9. Name the role, write a description, verify that the two policies shown above are present, and select Create role.

  10. Find the role you have just created:

  11. Copy its ARN, and paste the ARN into the dialog window you left open for adding a new Athena connection.