How can I secure an Athena datasource so that it only applies to a particular schema specified in the dataset?

I have several namespaces, and each namespace has its own Athena datasource, so each of these namespaces has its own datasets. I need to ensure that a dataset's (for a particular namespace) physical table datasource ARN matches, or only works with, the Athena schema. It seems insecure because when defining an Athena datasource, there is no parameter for a schema. So in the dataset, you can specify the datasource ARN while the schema could be from another namespace.

Hi @alltej,

Thank you for your question; this raises a solid security question. I came across the documentation below that could be helpful in your scenario. I'm wondering if this could be handled by a combination of IAM and Lake Formation permissions and Glue. Let me know if this process could help in your case or if you have any additional questions!
Use Amazon Athena and Amazon QuickSight in a cross-account environment | AWS Big Data Blog

Hi @Brett ,
Thanks for the reply. I read the blog and I don't think this will resolve the security issue I mentioned. Also, it's a more complicated implementation than if I had a relational datasource, which is straightforward: a schema has a one-to-one mapping to a QuickSight datasource, and the datasource also has a one-to-one mapping to the credentials. I think Athena as a datasource should behave the same.

I was looking for something like this: when I create a QuickSight Athena datasource, I can specify the schema, just like when I have a relational DB/datasource.

@Brett, I think the solution from the blog will result in creating multiple service roles, one service role per QuickSight namespace, or maybe one IAM policy per namespace. Is that correct?

Hi @alltej,

As you are probably already aware, querying Athena natively in Quick Suite is currently not possible. However, I think you should still look into IAM through this article regarding Athena IAM privileges, as using IAM permissions should help you achieve the same outcome without having to query the schema.

Let me know if this helps!
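One concrete shape the IAM approach suggested above can take, added here as an example and not part of the original thread or of AWS documentation: a policy attached to whatever principal Athena queries run under for one namespace, granting Glue Data Catalog reads only for a single database (the Athena schema) and Athena query execution only in one workgroup. REGION, ACCOUNT_ID, SCHEMA_NAMESPACE_A, WORKGROUP_NAMESPACE_A and the two bucket names are placeholders, not values from the thread.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AthenaQueriesOnlyInTheNamespaceWorkgroup",
      "Effect": "Allow",
      "Action": [
        "athena:StartQueryExecution",
        "athena:GetQueryExecution",
        "athena:GetQueryResults",
        "athena:StopQueryExecution",
        "athena:GetWorkGroup"
      ],
      "Resource": "arn:aws:athena:REGION:ACCOUNT_ID:workgroup/WORKGROUP_NAMESPACE_A"
    },
    {
      "Sid": "GlueCatalogReadOnlyForOneSchema",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabase",
        "glue:GetDatabases",
        "glue:GetTable",
        "glue:GetTables",
        "glue:GetPartition",
        "glue:GetPartitions"
      ],
      "Resource": [
        "arn:aws:glue:REGION:ACCOUNT_ID:catalog",
        "arn:aws:glue:REGION:ACCOUNT_ID:database/SCHEMA_NAMESPACE_A",
        "arn:aws:glue:REGION:ACCOUNT_ID:table/SCHEMA_NAMESPACE_A/*"
      ]
    },
    {
      "Sid": "ReadOnlyTheNamespaceDataPrefix",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::DATA_BUCKET_PLACEHOLDER",
        "arn:aws:s3:::DATA_BUCKET_PLACEHOLDER/namespace-a/*"
      ]
    },
    {
      "Sid": "WriteQueryResultsOnlyToTheNamespacePrefix",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:AbortMultipartUpload"
      ],
      "Resource": [
        "arn:aws:s3:::RESULTS_BUCKET_PLACEHOLDER",
        "arn:aws:s3:::RESULTS_BUCKET_PLACEHOLDER/namespace-a/*"
      ]
    }
  ]
}
```

With this in place the dataset can still name another schema in its definition, but the catalog lookup for that database is denied, so the query fails rather than returning the other namespace's data. To check it, run a query in WORKGROUP_NAMESPACE_A that references a table in a second schema and confirm it ends in an access-denied error; if Lake Formation governs the catalog, its grants are evaluated in addition to this policy and must be scoped to the same database.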

Hi @alltej,

Just checking back in since we haven’t heard from you in a bit. I wanted to see if the guidance shared earlier helped resolve your question, or if you found a solution in the meantime.

If you still have any additional questions related to your initial post, feel free to share them. Otherwise, any update you’re able to provide within the next 3 business days would be helpful for the community.

Thank you

Hi @alltej,

Since I haven’t received any further updates from you, I’ll treat this inquiry as complete for now. If you have any additional questions, feel free to create a new post in the community and link this discussion for context.

Thank you