Linking Athena as a Source

This guide walks through connecting an Amazon Athena database to Actioneer. The setup uses a dedicated IAM user with scoped permissions across Athena, AWS Glue, and S3.
  
  Prerequisites: AWS account with Athena configured, a Glue catalog database, Actioneer account
  Access granted: Query execution on specified Athena database via Glue catalog
  Estimated time: ~15–20 minutes

Actioneer cannot create, modify, or delete any tables, databases, or catalog objects in your Athena or Glue environment. Athena writes temporary query result files to the configured S3 output location as part of normal query execution — this is standard AWS behavior, not an Actioneer-specific write path.

Step 1: Note your Athena database details

Five values are needed from the AWS Console.
  1. Sign in at console.aws.amazon.com and open the Amazon Athena service.
  2. In the Athena query editor, check the Database dropdown in the left panel. Note the name of the database Actioneer should query (this maps to a Glue catalog database).
  3. Note the AWS Region your Athena database is set up in (e.g., us-east-1). This is visible in the top-right corner of the console.
  4. Check your Workgroup under Settings. If you have not created a custom workgroup, the default is primary.
  5. Note the S3 Output Location for query results. This is under Settings → Query result location (e.g., s3://my-bucket/results/). Not needed if your workgroup has managed query results enabled.
  Value  Location  Example
  Database  Athena query editor, database dropdown  analytics_db
  AWS Region  Console top-right corner  us-east-1
  Workgroup  Athena Settings  primary
  S3 Output Location  Settings → Query result location  s3://my-bucket/results/
  Data Catalog  Defaults to AwsDataCatalog  AwsDataCatalog
The Data Catalog defaults to AwsDataCatalog (AWS Glue). Only change this if you are using federated query sources.

Step 2: Create a dedicated IAM user with Athena permissions

A dedicated IAM user keeps Actioneer’s credentials separate from personal accounts. The user needs permissions across three services: Athena, Glue, and S3.
  1. In the AWS Console, open IAM → Policies → Create policy.
  2. Click the JSON tab and paste the following. Replace YOUR-BUCKET-NAME with the S3 bucket that holds your source data, and YOUR-RESULTS-BUCKET with the bucket from the S3 Output Location you noted in Step 1 (e.g., my-bucket from s3://my-bucket/results/). These may be the same bucket or different buckets depending on your setup.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "athena:StartQueryExecution",
        "athena:GetQueryExecution",
        "athena:GetQueryResults",
        "athena:GetWorkGroup"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabase",
        "glue:GetDatabases",
        "glue:GetTable",
        "glue:GetTables",
        "glue:GetPartitions"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR-BUCKET-NAME",
        "arn:aws:s3:::YOUR-BUCKET-NAME/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR-RESULTS-BUCKET",
        "arn:aws:s3:::YOUR-RESULTS-BUCKET/*"
      ]
    }
  ]
}
  3. Click Next, name the policy ActioneerAthenaReadOnly, and click Create policy.
  4. Go to IAM → Users → Create user. Name it actioneer-athena. Leave console access unchecked.
  5. Click Next, select Attach policies directly, search for ActioneerAthenaReadOnly, select it, and click Create user.
  6. Click the new user’s name → Security credentials tab → Create access key.
  7. Select Application running outside AWS, click Next, then Create access key.
  8. Copy both the Access Key ID and the Secret Access Key.
  Value  Location  Example
  Access Key ID  IAM → Security credentials  AKIAIOSFODNN7EXAMPLE
  Secret Access Key  IAM → Security credentials — shown once  wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
AWS displays the Secret Access Key exactly once. If you close the page without copying it, you will need to delete the key and create a new one. Store both values in a password manager.
The custom policy above follows the principle of least privilege. It grants Actioneer only the specific Athena, Glue, and S3 permissions needed to execute queries and read catalog metadata — nothing more. AWS recommends this approach for all environments, including sandbox and testing accounts.
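
The Athena and Glue statements in the policy above use "Resource": "*", so those actions apply to every workgroup and catalog database in the account. The following is an added example, not Actioneer's own code: it flags such statements and builds a variant scoped to the values noted in Step 1. The AWS account ID, the function names and the sample values are assumptions that do not appear in this guide.

```python
import json

ATHENA = ["athena:StartQueryExecution", "athena:GetQueryExecution",
          "athena:GetQueryResults", "athena:GetWorkGroup"]
GLUE = ["glue:GetDatabase", "glue:GetDatabases", "glue:GetTable",
        "glue:GetTables", "glue:GetPartitions"]

def allow(actions, resources):
    return {"Effect": "Allow", "Action": actions, "Resource": resources}

def wildcard_statements(policy):
    """Return the Action list of every Allow statement that applies to "*"."""
    hits = []
    for stmt in policy["Statement"]:
        res = stmt["Resource"]
        res = [res] if isinstance(res, str) else res
        if stmt["Effect"] == "Allow" and "*" in res:
            hits.append(stmt["Action"])
    return hits

def scoped_policy(account_id, region, workgroup, database, data_bucket, results_location):
    """Same actions as the guide's policy, limited to the values from Step 1."""
    if not results_location.startswith("s3://"):
        raise ValueError("results_location must look like s3://bucket/prefix/")
    bucket, _, prefix = results_location[len("s3://"):].partition("/")
    glue = f"arn:aws:glue:{region}:{account_id}"
    return {"Version": "2012-10-17", "Statement": [
        allow(ATHENA, f"arn:aws:athena:{region}:{account_id}:workgroup/{workgroup}"),
        allow(GLUE, [f"{glue}:catalog", f"{glue}:database/{database}",
                     f"{glue}:table/{database}/*"]),
        allow(["s3:GetObject", "s3:ListBucket"],
              [f"arn:aws:s3:::{data_bucket}", f"arn:aws:s3:::{data_bucket}/*"]),
        # Result objects are confined to the output prefix, not the whole bucket.
        allow(["s3:GetObject", "s3:PutObject"], f"arn:aws:s3:::{bucket}/{prefix}*"),
        allow(["s3:ListBucket"], f"arn:aws:s3:::{bucket}"),
    ]}

# The Athena and Glue statements as written in the guide (S3 statements omitted).
PAGE_POLICY = {"Version": "2012-10-17",
               "Statement": [allow(ATHENA, "*"), allow(GLUE, "*")]}

if __name__ == "__main__":
    print("Wildcard statements in the guide:", len(wildcard_statements(PAGE_POLICY)))
    # Constructed sample values; 111122223333 is a placeholder account ID (assumption).
    new = scoped_policy("111122223333", "us-east-1", "primary", "analytics_db",
                        "my-data-bucket", "s3://my-bucket/results/")
    print(json.dumps(new, indent=2))
```

After attaching a scoped variant, run a test query as actioneer-athena to confirm the connection still has everything it needs.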

Step 3: Connect Amazon Athena in Actioneer

  1. In Actioneer, click Data in the left sidebar.
  2. Select Amazon Athena from the list of data sources.
  3. When prompted, select Direct Connection.
  4. Complete the connection form:
  Field  Value
  Connection Name  A descriptive label, e.g. Production Athena
  Access Key ID  From Step 2 (starts with AKIA)
  Secret Access Key  From Step 2
  AWS Region  From Step 1 (e.g., us-east-1)
  Database  From Step 1 (e.g., analytics_db)
  S3 Output Location  From Step 1 (e.g., s3://my-bucket/results/) — leave blank if your workgroup manages results
  Workgroup  From Step 1 — defaults to primary
  Data Catalog  Defaults to AwsDataCatalog — only change for federated sources
  5. Click Connect.

Common questions

Actioneer cannot create, alter, or drop any tables, databases, or catalog objects. The IAM policy scopes access to query execution and catalog reads. Note that Athena writes temporary query result files to the S3 output location as part of standard query execution — this is inherent to how Athena works and is not a data modification path. The s3:PutObject permission in the IAM policy exists solely for this purpose.
If your Athena workgroup has managed query results enabled, you can leave the S3 Output Location field blank in Actioneer. The workgroup handles result storage automatically.
All credentials are encrypted at rest with AES-256 and encrypted in transit with TLS 1.3. They are never stored in plain text or logged. Actioneer is SOC 2 Type II certified, ISO 27001 certified (audited by Schellman), and GDPR compliant.

Need a hand?

Stuck on a step or running into an error? Reach out at connect@actioneer.com.