

refactor permissions
iakov-aws committed Oct 17, 2023
1 parent 6e49e81 commit bd081be
Showing 1 changed file with 13 additions and 19 deletions.
32 changes: 13 additions & 19 deletions cfn-templates/cid-cfn.yml
Expand Up @@ -1010,24 +1010,30 @@ Resources:
Statement:
- Effect: Allow
Action:
- athena:ListDataCatalogs
- lakeformation:GetDataAccess
- athena:ListDataCatalogs
- athena:ListDatabases
- athena:ListTableMetadata
Resource: "*" # required https://docs.aws.amazon.com/lake-formation/latest/dg/access-control-underlying-data.html
# Cannot restrict this. See https://docs.aws.amazon.com/athena/latest/ug/datacatalogs-example-policies.html#datacatalog-policy-listing-data-catalogs

- Effect: Allow
Action:
- athena:ListDatabases
- s3:PutObject
- s3:GetObject
- s3:ListBucket
- s3:GetBucketLocation
- glue:GetPartitions
- glue:GetDatabases
- glue:GetTable
- glue:GetTables
Resource:
- !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog'
- Fn::If:
- NeedDatabase
- !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${CidDatabase}
- !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${DatabaseName}
- Fn::If:
- NeedDatabase
- !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${CidDatabase}/*
- !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${DatabaseName}/*
- Effect: Allow
Action:
- athena:ListDatabases
- athena:ListDataCatalogs
- athena:ListDatabases
Expand All @@ -1036,24 +1042,12 @@ Resources:
- athena:StartQueryExecution
- athena:GetQueryResultsStream
- athena:ListTableMetadata
- s3:ListBucketVersions

Resource:
- Fn::If:
- NeedDatabase
- !Sub arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:database/${CidDatabase}
- !Sub arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:database/${DatabaseName}
- !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:datacatalog/${GlueDataCatalog}'
- !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog'
- !Sub 'arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog'
- Fn::If:
- NeedDatabase
- !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${CidDatabase}
- !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${DatabaseName}
- Fn::If:
- NeedDatabase
- !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${CidDatabase}/*
- !Sub arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${DatabaseName}/*
- Fn::If:
- NeedAthenaWorkgroup
- !Sub 'arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${MyAthenaWorkGroup}'
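Review bot: The `s3:PutObject`, `s3:GetObject`, `s3:ListBucket` and `s3:GetBucketLocation` actions sit in a statement whose `Resource` list holds only Glue catalog, database and table ARNs (the `glue:` `!Sub` entries), and an S3 action never matches a Glue ARN, so as written that statement grants no S3 permission at all. The rendered view has lost the +/- markers, so I cannot tell whether those four lines are new, context or being removed; if they survive on the new side they should move into their own statement scoped to the bucket the queries actually use, e.g. `arn:${AWS::Partition}:s3:::<bucket>` and `arn:${AWS::Partition}:s3:::<bucket>/*`, with `<bucket>` taken from the template's existing bucket parameter rather than a wildcard. Separately, `athena:ListDatabases` appears in the `Resource: "*"` statement (where the comment explains it cannot be restricted) and again in both the scoped Glue statement and the later Athena statement; the wildcard grant already covers it, so the duplicates can be dropped to keep the policy readable. The enclosing IAM policy resource starts above the first hunk and continues below the second, so its other statements are not visible here.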

