# AWS Athena

To integrate Amazon Athena with Dot securely and efficiently, follow these steps to establish a connection, configure IAM permissions, and restrict access to specific Athena workgroups.

**1. Create a Dedicated IAM User for Dot**

For enhanced security, it's advisable to create a dedicated IAM user for Dot with permissions limited to the necessary Athena resources.

* **Create the IAM User**:
  * Sign in to the AWS Management Console.
  * Navigate to the IAM service.
  * Select "Users" and then "Add user".
  * Enter a username (e.g., `dot_athena_user`).
  * Choose "Programmatic access" to provide access via the AWS CLI, SDKs, or APIs.
* **Attach Policies**:
  * Select "Attach existing policies directly".
  * Attach the `AmazonAthenaFullAccess` managed policy to grant full access to Athena.
  * Attach the `AWSGlueConsoleFullAccess` policy to allow access to the AWS Glue Data Catalog, which Athena uses for metadata.
  * Ensure the user has the necessary permissions to access the relevant Amazon S3 buckets where your data resides.
* **Complete User Creation**:
  * Review the permissions and create the user.

**2. Optinonally restrict IAM Permissions to Specific Athena Workgroups**

To enhance security, you can limit the IAM user's permissions to specific Athena workgroups. This ensures Dot accesses only the intended resources.

* **Define the Policy**:
  * Create a custom IAM policy that grants permissions solely to the desired workgroups.
  * Specify the workgroup ARNs in the policy's `Resource` section.
* **Example Policy**:

```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "athena:StartQueryExecution",
          "athena:StopQueryExecution",
          "athena:GetQueryExecution",
          "athena:GetQueryResults"
        ],
        "Resource": [
          "arn:aws:athena:us-east-1:123456789012:workgroup/your_workgroup_name"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "glue:GetDatabase",
          "glue:GetTable",
          "glue:GetPartitions"
        ],
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "s3:GetObject",
          "s3:ListBucket"
        ],
        "Resource": [
          "arn:aws:s3:::your_bucket_name",
          "arn:aws:s3:::your_bucket_name/*"
        ]
      }
    ]
  }

```

 Replace `your_workgroup_name` with the name of your Athena workgroup and `your_bucket_name` with your S3 bucket name.

* **Attach the Policy**:
  * Navigate to the IAM console.
  * Select "Policies" and then "Create policy".
  * Use the JSON editor to input your custom policy.
  * Review and create the policy.
  * Attach this policy to the IAM user created for Dot.

For more details on controlling workgroup access with IAM policies, refer to the [AWS Athena documentation](https://docs.aws.amazon.com/athena/latest/ug/workgroups-iam-policy.html).

**3. Configure Network Access**

Ensure that Dot can communicate with Athena by allowing outbound access to the following IP addresses, especially if your organization uses a firewall or network policies:

* `3.229.110.216`
* `3.122.135.165`

**4. Obtain the Access Key ID and Secret Access Key**

After creating the IAM user, generate the access keys required for programmatic access:

* **Generate Access Keys via AWS Management Console**:
  * In the IAM console, select "Users" and click on the username you created (e.g., `dot_athena_user`).
  * Navigate to the "Security credentials" tab.
  * In the "Access keys" section, click "Create access key".
  * Choose the appropriate use case (e.g., "Command Line Interface (CLI)") and click "Next".
  * Optionally, add a description tag for the access key, then click "Create access key".
  * The Access Key ID and Secret Access Key will be displayed. **This is the only time the Secret Access Key will be available**, so ensure you securely store it, either by downloading the `.csv` file or copying the keys to a secure location.

**5. Connect Dot to Amazon Athena**

With the IAM user and network configurations in place, proceed to connect Dot to Athena:

* Navigate to Dot's integration settings.
* Select "Add Integration" and choose Amazon Athena from the list of available data sources.
* Enter the Access Key ID and Secret Access Key of the IAM user created earlier.
* Specify the AWS region where your Athena instance is located.
* Provide any additional configuration details as prompted by Dot.

By following these steps, Dot will establish a secure connection to Amazon Athena, enabling efficient data access while adhering to security best practices.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.getdot.ai/integrations/databases/aws-athena.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.