Push-to-Warehouse Setup: AWS Athena
In this guide, you will be setting up a connection to a data warehouse destination you own. Reach out to your Customer Success Manager or [email protected] to confirm that your Modern Treasury plan includes the Push to Warehouse capability.
Prerequisites
- Please reference our Push to Warehouse IP Address documentation.
Step 1: Create a destination bucket, service policy, and user
Create Athena target bucket
Follow these steps to create a bucket to be used for staging data before transferring to a destination.
- Navigate to the S3 service page.
- Click Create bucket.
- Enter a Bucket name, select an AWS Region, and modify any of the default settings as desired. Note: Object Ownership can be set to "ACLs disabled" and Block Public Access settings for this bucket can be set to "Block all public access" as recommended by AWS. Make note of the Bucket name and AWS Region.
- Click Create bucket.
Create Athena access policy
- Navigate to the IAM service page, click on the Policies navigation tab, and click Create policy.
- Click the JSON tab, and paste the following policy, being sure to replace
BUCKET
andSCHEMA
with the name of the buckets and database/schema/folder where Athena should write the data.BUCKET
should refer to the bucket created in the previous step. Note: theSCHEMA
used below does not need to be created ahead of time. If it does not exist, it will be created automatically before transferring data.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAthenaAccess",
"Effect": "Allow",
"Action": "athena:*",
"Resource": "*"
},
{
"Sid": "AllowGlueAccessToDestinationDatabaseAndTables",
"Effect": "Allow",
"Action": [
"glue:GetDatabases",
"glue:GetDatabase",
"glue:GetTables",
"glue:GetTable",
"glue:GetPartitions",
"glue:CreateTable",
"glue:CreateDatabase",
"glue:UpdateTable",
"glue:DeleteTable"
],
"Resource": [
"arn:aws:glue:*:239674069128:catalog",
"arn:aws:glue:*:239674069128:database/SCHEMA",
"arn:aws:glue:*:239674069128:database/default",
"arn:aws:glue:*:239674069128:table/SCHEMA/*"
]
},
{
"Sid": "AllowS3AccessToBucket",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::BUCKET",
"arn:aws:s3:::BUCKET/*"
]
}
]
}
Athena vs. S3 permissions
Because Athena uses S3 as the underlying storage layer, the Resource access requested in the policy is scoped down via resource-specific permissions in the S3 actions.
Schema vs. Database
During destination onboarding, you will be asked to provide both a "schema" and a "database". Though those are mostly synonymous in Athena, they are used for two different purposes here:
schema
should be the name of the folder in S3 under which the final data will be written.database
should be the name of the folder in S3 in which the Athena query results are written (i.e., the automatically generatedathena_output/
data).
- Click through to the Review step, choose a name for the policy, for example,
transfer-service-policy
(this will be referenced in the next step), add a description, and click Create policy.
Create Athena writer user
- Navigate to the IAM service page, click the Users navigation tab, and click Add users.
- Enter a User name for the service, for example,
transfer-service-user
. Under Select AWS access type, select the Access key - Programatic access option. Click Next: Permissions. - Click the Attach existing policies directly option, and search for the name of the policy created in the previous step. Select the policy, and click Next: Tags.
- Click Next: Review and click Create user.
- In the Success screen, record the Access key ID and the Secret access key
Step 2: Add your destination
- Securely share your database, schema, workgroup, bucket name, bucket region, bucket access ID, and bucket secret key with us to complete the connection.
Updated 3 months ago