IAM permissions

Athena IAM permissions

Athena permissions that are required to run queries:

"athena:StartQueryExecution",
"athena:GetQueryResults",
"athena:GetWorkGroup",
"athena:StopQueryExecution",
"athena:GetQueryExecution",

Glue IAM permissions

dbt-athena uses the AWS Glue API to fetch metadata. You will need to set these permissions on the Glue databases you are reading from:

"glue:GetDatabase",
"glue:GetDatabases",
"glue:GetTable",
"glue:GetTables",
"glue:GetTableVersions",
"glue:GetPartition",
"glue:GetPartitions",

You will need these permissions on the Glue databases you are writing to:

"glue:CreateDatabase",  -- Needed because dbt-athena will try to create the Athena database for you if it does not already exist.
"glue:GetDatabase",
"glue:GetDatabases",
"glue:GetTable",
"glue:GetTables",
"glue:GetPartition",
"glue:GetPartitions",
"glue:BatchCreatePartition",
"glue:BatchUpdatePartition",
"glue:BatchDeletePartition",
"glue:BatchDeleteTable",
"glue:BatchDeleteTableVersion",
"glue:CreatePartition",
"glue:UpdatePartition",
"glue:DeletePartition",
"glue:CreateTable",
"glue:UpdateTable",
"glue:DeleteTable",
"glue:DeleteTableVersion",

S3 IAM permissions

You will need these permissions on the S3 buckets that dbt-athena reads from:

"s3:GetObject",
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",

You will need these permissions on the S3 buckets you are writing to (buckets defined in s3_staging_dir and s3_data_dir):

"s3:GetObject",
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload",
"s3:PutObject",
"s3:DeleteObject",

If your buckets are encrypted using KMS, you will need these permissions on every KMS key of the buckets:

"kms:GenerateDataKey*",
"kms:DescribeKey",
"kms:Decrypt",

Lake Formation

If you are using databases managed by AWS Lake Formation, then you also need to grant this permission to the role:

"lakeformation:GetDataAccess",
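As an added example (not dbt-athena's own code), the Python helper below assembles the permission groups above into one least-privilege IAM policy: Athena actions scoped to a workgroup, Glue actions to the named databases (plus the catalog ARN that Glue API calls are also evaluated against), S3 actions split between the bucket ARN and the bucket/prefix, and KMS actions to the key ARNs. The account ID, region, workgroup, database, bucket and key values are constructed placeholders.

```python
"""Assemble a least-privilege IAM policy for a dbt-athena role, scoping each
permission group above to its own resources (constructed placeholder values)."""
ACCOUNT, REGION = "123456789012", "eu-west-1"  # placeholders, not from the page
GLUE_ARN = f"arn:aws:glue:{REGION}:{ACCOUNT}"

ATHENA = ["athena:StartQueryExecution", "athena:GetQueryResults",
          "athena:GetWorkGroup", "athena:StopQueryExecution", "athena:GetQueryExecution"]
GLUE_READ = ["glue:GetDatabase", "glue:GetDatabases", "glue:GetTable", "glue:GetTables",
             "glue:GetTableVersions", "glue:GetPartition", "glue:GetPartitions"]
GLUE_WRITE = ["glue:CreateDatabase", "glue:GetDatabase", "glue:GetDatabases",
              "glue:GetTable", "glue:GetTables", "glue:GetPartition", "glue:GetPartitions",
              "glue:BatchCreatePartition", "glue:BatchUpdatePartition", "glue:BatchDeletePartition",
              "glue:BatchDeleteTable", "glue:BatchDeleteTableVersion", "glue:CreatePartition",
              "glue:UpdatePartition", "glue:DeletePartition", "glue:CreateTable",
              "glue:UpdateTable", "glue:DeleteTable", "glue:DeleteTableVersion"]
S3_BUCKET = ["s3:GetBucketLocation", "s3:ListBucket", "s3:ListBucketMultipartUploads"]
S3_OBJECT = ["s3:GetObject", "s3:ListMultipartUploadParts"]
S3_WRITE = ["s3:AbortMultipartUpload", "s3:PutObject", "s3:DeleteObject"]
KMS = ["kms:GenerateDataKey*", "kms:DescribeKey", "kms:Decrypt"]

def glue_resources(databases):
    """Glue calls are authorised against the catalog ARN plus database/table ARNs."""
    arns = [f"{GLUE_ARN}:catalog"]
    for db in databases:
        arns += [f"{GLUE_ARN}:database/{db}", f"{GLUE_ARN}:table/{db}/*"]
    return arns

def s3_statements(bucket, prefix, write):
    """Bucket-level actions on the bucket ARN; object actions only under the prefix."""
    key = f"{prefix.strip('/')}/*" if prefix.strip("/") else "*"
    return [{"Effect": "Allow", "Action": S3_BUCKET, "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": S3_OBJECT + (S3_WRITE if write else []),
             "Resource": f"arn:aws:s3:::{bucket}/{key}"}]

def build_policy(workgroup, read_dbs, write_dbs, read_s3, write_s3, kms_keys=(), lake_formation=False):
    """read_s3/write_s3 are (bucket, prefix) pairs, e.g. from s3_staging_dir and s3_data_dir."""
    st = [{"Effect": "Allow", "Action": ATHENA,
           "Resource": f"arn:aws:athena:{REGION}:{ACCOUNT}:workgroup/{workgroup}"},
          {"Effect": "Allow", "Action": GLUE_READ, "Resource": glue_resources(read_dbs)},
          {"Effect": "Allow", "Action": GLUE_WRITE, "Resource": glue_resources(write_dbs)}]
    for bucket, prefix in read_s3:
        st += s3_statements(bucket, prefix, write=False)
    for bucket, prefix in write_s3:
        st += s3_statements(bucket, prefix, write=True)
    if kms_keys:  # only when the buckets use SSE-KMS
        st.append({"Effect": "Allow", "Action": KMS,
                   "Resource": [f"arn:aws:kms:{REGION}:{ACCOUNT}:key/{k}" for k in kms_keys]})
    if lake_formation:  # GetDataAccess does not support resource-level scoping
        st.append({"Effect": "Allow", "Action": ["lakeformation:GetDataAccess"], "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": st}
```

Serialise the returned dict with `json.dumps` and attach it to the dbt role; only the Lake Formation statement needs `"Resource": "*"`.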