
Athena Permissions

Qualytics connects to Athena using the AWS Athena JDBC driver (v3), which calls the Athena, Glue, and S3 APIs on your behalf using the credentials supplied in the connection form. The IAM identity (user or assumed role) behind the connection must have the permissions listed below.

Which identity actually carries those permissions depends on the authentication mode:

| Authentication mode | Identity that carries the Athena / Glue / S3 permissions |
|---|---|
| Access Key | The IAM user behind the Access Key ID and Secret Access Key |
| IAM Role | The target role (the role ARN entered in the connection form). The base role (dataplane identity) only needs `sts:AssumeRole` against that target role — see IAM Role Authentication. Available on AWS and local deployments only. |

Minimum Athena Permissions

| Permission | Purpose |
|---|---|
| `athena:StartQueryExecution` | Submit queries |
| `athena:StopQueryExecution` | Cancel running queries |
| `athena:GetQueryExecution` | Poll query status |
| `athena:GetQueryResults` | Fetch result rows |
| `athena:ListDatabases` | Discover schemas |
| `athena:ListTableMetadata` | Discover tables and columns |
| `athena:GetTableMetadata` | Read column definitions |
| `athena:GetWorkGroup` | Validate the workgroup configuration |

Minimum Glue Permissions (Read-Only)

Athena delegates all catalog and schema metadata to AWS Glue. Only read permissions are needed — Qualytics never creates, modifies, or deletes catalog objects.

| Permission | Purpose |
|---|---|
| `glue:GetDatabase` / `glue:GetDatabases` | Read database metadata |
| `glue:GetCatalog` / `glue:GetCatalogs` | Read catalog metadata |
| `glue:GetTable` / `glue:GetTables` | Read table and column definitions |
| `glue:GetPartition` / `glue:GetPartitions` / `glue:BatchGetPartition` | Read partition metadata for query planning |

Minimum S3 Permissions (Query Result Output Location)

When you create an Athena connection, the S3 Output Location field tells Athena where to write the results of every query it runs. This bucket is required by Athena itself — it has nothing to do with the Amazon S3 datastore connector. The IAM identity behind your Athena connection needs read and write access to the bucket and prefix you enter (the prefix is optional). The bucket must already exist — Qualytics does not create buckets.

| Permission | Resource | Purpose |
|---|---|---|
| `s3:PutObject` | `arn:aws:s3:::<bucket>/<prefix>/*` | Write query result files |
| `s3:GetObject` | `arn:aws:s3:::<bucket>/<prefix>/*` | Read result files back |
| `s3:ListBucket` | `arn:aws:s3:::<bucket>` | List result files |
| `s3:GetBucketLocation` | `arn:aws:s3:::<bucket>` | Validate bucket region |
| `s3:ListBucketMultipartUploads` | `arn:aws:s3:::<bucket>` | Track in-progress multipart uploads when result sets are large |
| `s3:ListMultipartUploadParts` | `arn:aws:s3:::<bucket>/<prefix>/*` | List parts of an in-progress upload |
| `s3:AbortMultipartUpload` | `arn:aws:s3:::<bucket>/<prefix>/*` | Clean up incomplete multipart uploads |

Encrypted buckets and CMK-protected catalogs

If the S3 query-results bucket uses SSE-KMS, the IAM identity also needs kms:Decrypt and kms:GenerateDataKey on the customer-managed key (CMK) — both for writing results and for reading them back. The same applies if the source-data buckets that back your Athena tables use SSE-KMS, or if Glue catalog metadata is encrypted with a CMK. Without these permissions, queries fail with KMS.AccessDeniedException even when every Athena, Glue, and S3 action above is granted.

Lake Formation–Governed Catalogs

If your Glue catalog is governed by AWS Lake Formation, the IAM permissions above are not enough on their own — Lake Formation enforces an additional authorization layer on top of IAM, and both layers must allow the call.

| Requirement | Where to grant it |
|---|---|
| `lakeformation:GetDataAccess` on `"*"` | The IAM policy attached to the identity (added to the Example IAM Policy below) |
| `SELECT` on each database and table you want Qualytics to read | Lake Formation, via the LF console or `aws lakeformation grant-permissions` |
| `DESCRIBE` on the database | Lake Formation, so the database appears in the Database dropdown when adding the source datastore |

If column-level filtering or row-level filters are configured in Lake Formation, Qualytics sees only the columns and rows the IAM identity is granted access to — checks defined on filtered columns will not discover any data, and profile statistics will reflect the filtered subset rather than the full table.
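The two Lake Formation grants from the table above (DESCRIBE on the database, SELECT on each table), built as boto3 `lakeformation.grant_permissions()` requests and diffed against what `list_permissions()` already reports for the principal. This is an added example, not Qualytics code: the principal ARN, database and table names are constructed placeholders, and `RecordingClient` is a test double standing in for `boto3.client("lakeformation")` so the script runs without AWS credentials.

```python
"""Build, verify and apply the Lake Formation grants a Qualytics Athena identity needs.

Added example, not Qualytics code. Request/response shapes follow boto3's
lakeformation grant_permissions() and list_permissions(); the principal ARN,
database and table names are constructed placeholders.
"""


def build_grants(principal_arn, database, tables, catalog_id=None):
    """One grant_permissions() request per object: DESCRIBE on the database so it
    appears in the Database dropdown, SELECT on each table Qualytics should read."""
    def request(resource, permissions):
        req = {"Principal": {"DataLakePrincipalIdentifier": principal_arn},
               "Resource": resource, "Permissions": permissions}
        if catalog_id:
            req["CatalogId"] = catalog_id
        return req
    grants = [request({"Database": {"Name": database}}, ["DESCRIBE"])]
    grants += [request({"Table": {"DatabaseName": database, "Name": t}}, ["SELECT"])
               for t in tables]
    return grants


def _resource_key(resource):
    """Normalise a Database/Table resource block into a hashable key."""
    if "Database" in resource:
        return ("database", resource["Database"]["Name"])
    table = resource["Table"]
    return ("table", table["DatabaseName"], table["Name"])


def missing_grants(existing, wanted):
    """Compare wanted grants against list_permissions() entries for the same principal.
    Returns (resource key, permission) pairs that are not yet granted."""
    held = {(_resource_key(e["Resource"]), perm)
            for e in existing for perm in e.get("Permissions", [])}
    return [(_resource_key(g["Resource"]), p)
            for g in wanted for p in g["Permissions"]
            if (_resource_key(g["Resource"]), p) not in held]


def apply_grants(client, grants):
    """Apply each grant through a lakeformation client (boto3 or a test double)."""
    for grant in grants:
        client.grant_permissions(**grant)
    return len(grants)


class RecordingClient:
    """Stands in for boto3.client("lakeformation") so the example runs offline."""
    def __init__(self):
        self.calls = []

    def grant_permissions(self, **kwargs):
        self.calls.append(kwargs)
        return {}


if __name__ == "__main__":
    principal = "arn:aws:iam::123456789012:role/qualytics-athena-target"  # placeholder
    wanted = build_grants(principal, "sales", ["orders", "customers"])
    # Constructed stand-in for a list_permissions() response: SELECT on orders already held.
    existing = [{"Principal": {"DataLakePrincipalIdentifier": principal},
                 "Resource": {"Table": {"DatabaseName": "sales", "Name": "orders"}},
                 "Permissions": ["SELECT"], "PermissionsWithGrantOption": []}]
    print("still to grant:", missing_grants(existing, wanted))
    # For a real run: client = boto3.client("lakeformation", region_name="us-east-1")
    client = RecordingClient()
    print("applied", apply_grants(client, wanted), "grants")
```

`missing_grants` only understands the Database and Table resource shapes used on this page; Lake Formation wildcard or LF-tag grants would need extra handling before being trusted as a compliance check.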

Example IAM Policy

Replace <YOUR_BUCKET> and <YOUR_PREFIX> with the bucket name and path prefix configured in the S3 Output Location field.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AthenaQueryAccess",
      "Effect": "Allow",
      "Action": [
        "athena:StartQueryExecution",
        "athena:StopQueryExecution",
        "athena:GetQueryExecution",
        "athena:GetQueryResults",
        "athena:ListDatabases",
        "athena:ListTableMetadata",
        "athena:GetTableMetadata",
        "athena:GetWorkGroup"
      ],
      "Resource": "*"
    },
    {
      "Sid": "GlueCatalogReadOnly",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabase",
        "glue:GetDatabases",
        "glue:GetCatalog",
        "glue:GetCatalogs",
        "glue:GetTable",
        "glue:GetTables",
        "glue:GetPartition",
        "glue:GetPartitions",
        "glue:BatchGetPartition"
      ],
      "Resource": "*"
    },
    {
      "Sid": "S3QueryResultsBucket",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::<YOUR_BUCKET>",
        "arn:aws:s3:::<YOUR_PREFIX>/*"
      ]
    }
  ]
}
```

Tip

Qualytics does not pass a workgroup parameter to Athena, so queries run under the default workgroup of your AWS account (usually primary). For tighter least-privilege access, scope the Athena actions to that workgroup ARN — for example, arn:aws:athena:<region>:<account-id>:workgroup/primary — instead of "*".
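A generator and linter for the policy above, written as an added example (not Qualytics code). It emits the same action set as the Example IAM Policy, scopes the Athena query actions to the workgroup ARN as the Tip suggests, adds the optional `kms:Decrypt` / `kms:GenerateDataKey` statement from the encrypted-bucket section when key ARNs are supplied, and adds `lakeformation:GetDataAccess` for Lake Formation catalogs. It goes one step past the Tip: `athena:ListDatabases`, `athena:ListTableMetadata` and `athena:GetTableMetadata` are evaluated by IAM against the data catalog resource rather than the workgroup, so they get their own statement scoped to the `datacatalog/AwsDataCatalog` ARN. Bucket name, prefix, region, account id and KMS key ARN are caller-supplied placeholders. `missing_actions` checks a candidate policy against the minimum list, and `wildcard_resource_sids` flags the statements still on `"*"`.

```python
"""Generate and lint a least-privilege IAM policy for a Qualytics Athena connection.

Added example, not Qualytics code. Action lists mirror the permission tables on
this page; bucket, prefix, region, account id and KMS key ARNs are placeholders
supplied by the caller.
"""
import fnmatch
import json

ATHENA_QUERY_ACTIONS = [
    "athena:StartQueryExecution", "athena:StopQueryExecution",
    "athena:GetQueryExecution", "athena:GetQueryResults", "athena:GetWorkGroup",
]
# Evaluated against the data catalog ARN, not the workgroup ARN.
ATHENA_CATALOG_ACTIONS = [
    "athena:ListDatabases", "athena:ListTableMetadata", "athena:GetTableMetadata",
]
GLUE_ACTIONS = [
    "glue:GetDatabase", "glue:GetDatabases", "glue:GetCatalog", "glue:GetCatalogs",
    "glue:GetTable", "glue:GetTables", "glue:GetPartition", "glue:GetPartitions",
    "glue:BatchGetPartition",
]
# Bucket-level and object-level S3 actions need different resource ARNs.
S3_BUCKET_ACTIONS = ["s3:ListBucket", "s3:GetBucketLocation",
                     "s3:ListBucketMultipartUploads"]
S3_OBJECT_ACTIONS = ["s3:PutObject", "s3:GetObject",
                     "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"]
KMS_ACTIONS = ["kms:Decrypt", "kms:GenerateDataKey"]
ALL_REQUIRED = (ATHENA_QUERY_ACTIONS + ATHENA_CATALOG_ACTIONS + GLUE_ACTIONS
                + S3_BUCKET_ACTIONS + S3_OBJECT_ACTIONS)


def build_policy(bucket, prefix, region, account_id, workgroup="primary",
                 kms_key_arns=(), lake_formation=False):
    """Return a policy document granting the permissions listed on this page,
    with the Athena query actions scoped to one workgroup instead of "*"."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    prefix = prefix.strip("/")
    object_arn = f"{bucket_arn}/{prefix}/*" if prefix else f"{bucket_arn}/*"
    athena_base = f"arn:aws:athena:{region}:{account_id}"
    statements = [
        {"Sid": "AthenaQueryAccess", "Effect": "Allow", "Action": ATHENA_QUERY_ACTIONS,
         "Resource": f"{athena_base}:workgroup/{workgroup}"},
        {"Sid": "AthenaCatalogBrowse", "Effect": "Allow", "Action": ATHENA_CATALOG_ACTIONS,
         "Resource": f"{athena_base}:datacatalog/AwsDataCatalog"},
        {"Sid": "GlueCatalogReadOnly", "Effect": "Allow", "Action": GLUE_ACTIONS,
         "Resource": "*"},
        {"Sid": "S3ResultsBucket", "Effect": "Allow", "Action": S3_BUCKET_ACTIONS,
         "Resource": bucket_arn},
        {"Sid": "S3ResultsObjects", "Effect": "Allow", "Action": S3_OBJECT_ACTIONS,
         "Resource": object_arn},
    ]
    if kms_key_arns:
        # SSE-KMS results bucket, SSE-KMS source buckets, or CMK-encrypted Glue catalog.
        statements.append({"Sid": "KmsForEncryptedData", "Effect": "Allow",
                           "Action": KMS_ACTIONS, "Resource": list(kms_key_arns)})
    if lake_formation:
        statements.append({"Sid": "LakeFormationDataAccess", "Effect": "Allow",
                           "Action": ["lakeformation:GetDataAccess"], "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def missing_actions(policy, required):
    """Required actions that no Allow statement covers (IAM-style wildcards honoured).
    Deny statements, Conditions and SCPs are ignored; use the IAM policy simulator
    for a full effective-permissions answer."""
    patterns = [a.lower() for s in policy["Statement"] if s.get("Effect") == "Allow"
                for a in _as_list(s["Action"])]
    return [r for r in required
            if not any(fnmatch.fnmatchcase(r.lower(), p) for p in patterns)]


def wildcard_resource_sids(policy):
    """Sids of Allow statements whose Resource is "*": first candidates for tighter scoping."""
    return [s.get("Sid", "<no Sid>") for s in policy["Statement"]
            if s.get("Effect") == "Allow" and "*" in _as_list(s.get("Resource", []))]


if __name__ == "__main__":
    policy = build_policy(
        "example-athena-results", "qualytics/", "us-east-1", "123456789012",
        kms_key_arns=["arn:aws:kms:us-east-1:123456789012:key/EXAMPLE-KEY-ID"],
        lake_formation=True)
    print(json.dumps(policy, indent=2))
    print("missing:", missing_actions(policy, ALL_REQUIRED + KMS_ACTIONS))
    print("statements still on Resource '*':", wildcard_resource_sids(policy))
```

Run it once against the policy you actually attached (load the JSON and call `missing_actions` with `ALL_REQUIRED`) before blaming the connection form for a failure; a single absent action such as `athena:GetWorkGroup` surfaces as a generic access-denied error from the driver.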