

# Create a data source connection
<a name="connect-to-a-data-source"></a>

To use an Athena data source connector, you create the AWS Glue connection that stores the connection information about the connector and your data source. When you create the connection, you give the data source a name that you will use to reference your data source in your SQL queries.

You can create and configure a data source connection in Athena by using the [console](connect-to-a-data-source-console-steps.md) or the [CreateDataCatalog API](https://docs.aws.amazon.com/athena/latest/APIReference/API_CreateDataCatalog.html) operations.

**Topics**
+ [Permissions to create and use a data source in Athena](connect-to-a-data-source-permissions.md)
+ [Use the Athena console to connect to a data source](connect-to-a-data-source-console-steps.md)
+ [Use the AWS Serverless Application Repository to deploy a data source connector](connect-data-source-serverless-app-repo.md)
+ [Create a VPC for a data source connector or AWS Glue connection](athena-connectors-vpc-creation.md)
+ [Pull ECR images to your AWS account](pull-ecr-customer-account.md)
+ [Register your connection as a Glue Data Catalog](register-connection-as-gdc.md)
+ [Enable cross-account federated queries](xacct-fed-query-enable.md)
+ [Update a data source connector](connectors-updating.md)

# Permissions to create and use a data source in Athena
<a name="connect-to-a-data-source-permissions"></a>

To create and use a data source, you need the following sets of permissions.
+ AmazonAthenaFullAccess, which provides full access to Amazon Athena and scoped access to the dependencies needed to enable querying, writing results, and data management. For more information, see [AmazonAthenaFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonAthenaFullAccess.html) in the AWS Managed Policy Reference Guide.
+ Permissions to call the CreateDataCatalog API. These permissions are needed only when you create a data source that integrates with Glue connections. For an example policy, see [Permissions required to create connector and Athena catalog](athena-catalog-access.md).
+ If you want to use Lake Formation fine-grained access control, you also need the following permissions in addition to those listed above.

------
#### [ JSON ]

  ```
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "lakeformation:RegisterResource",
          "iam:ListRoles",
          "glue:CreateCatalog",
          "glue:GetCatalogs",
          "glue:GetCatalog"
        ],
        "Resource": "*"
      }
    ]
  }
  ```

------

# Use the Athena console to connect to a data source
<a name="connect-to-a-data-source-console-steps"></a>

You can use the Athena console to create and configure a data source connection.

**To create a connection to a data source**

1. Open the Athena console at [https://console.aws.amazon.com/athena/](https://console.aws.amazon.com/athena/home).

1. If the console navigation pane is not visible, choose the expansion menu on the left.  
![\[Choose the expansion menu.\]](http://docs.aws.amazon.com/athena/latest/ug/images/nav-pane-expansion.png)

1. In the navigation pane, choose **Data sources and catalogs**.

1. On the **Data sources and catalogs** page, choose **Create data source**.

1. For **Choose a data source**, choose the data source that you want Athena to query, considering the following guidelines:
   + Choose a connection option that corresponds to your data source. Athena has prebuilt data source connectors that you can configure for sources including MySQL, Amazon DocumentDB, and PostgreSQL.
   + Choose **S3 - AWS Glue Data Catalog** if you want to query data in Amazon S3 and you are not using an Apache Hive metastore or one of the other federated query data source options on this page. Athena uses the AWS Glue Data Catalog to store metadata and schema information for data sources in Amazon S3. This is the default (non-federated) option. For more information, see [Use AWS Glue Data Catalog to connect to your data](data-sources-glue.md). For steps using this workflow, see [Register and use data catalogs in Athena](gdc-register.md).
   + Choose **S3 - Apache Hive metastore** to query data sets in Amazon S3 that use an Apache Hive metastore. For more information about this option, see [Connect Athena to an Apache Hive metastore](connect-to-data-source-hive-connecting-athena-to-an-apache-hive-metastore.md).
   + Choose **Custom or shared connector** if you want to create your own data source connector for use with Athena. For information about writing a data source connector, see [Develop a data source connector using the Athena Query Federation SDK](connect-data-source-federation-sdk.md).

1. Choose **Next**.

1. On the **Enter data source details** page, for **Data source name**, use the autogenerated name, or enter a unique name that you want to use in your SQL statements when you query the data source from Athena. The name can be up to 127 characters and must be unique within your account. It cannot be changed after you create it. Valid characters are a-z, A-Z, 0-9, _ (underscore), @ (at sign) and - (hyphen). The names `awsdatacatalog`, `hive`, `jmx`, and `system` are reserved by Athena and cannot be used for data source names.

1. If the data source that you chose integrates with AWS Glue connections, do the following.

   1. For **AWS Glue connection details**, enter the information required. A connection contains the properties that are required to connect to a particular data source. The properties required vary depending on the connection type. For more information on properties related to your connector, see [Available data source connectors](connectors-available.md). For information about additional connection properties, see [AWS Glue connection properties](https://docs.aws.amazon.com/glue/latest/dg/connection-properties.html) in the *AWS Glue User Guide*.
**Note**  
When you update the Glue connection properties, the Lambda connector needs to be restarted to get the updated properties. To do this, edit the environment properties and save it without actually changing anything. 
When you update a Glue connection, the following properties will not automatically get updated in the corresponding Lambda function. You must manually update your Lambda function for these properties.  
Lambda VPC configuration – `security_group_ids`, `subnet_ids`
Lambda execution role – `spill_bucket`, `secret_name`, `spill_kms_key_id`

   1. For **Lambda execution IAM role**, choose one of the following:
      + **Create and use a new execution role** – (Default) Athena creates an execution role that it then uses to access resources in AWS Lambda on your behalf. Athena requires this role to create your federated data source.
      + **Use an existing execution role** – Use this option to choose an existing execution role. For this option, choose the execution role that you want to use from the **Execution role** drop-down.

1. If the data source that you chose does not integrate with AWS Glue connections, do the following.

   1. For **Lambda function**, choose **Create Lambda function**. The function page for the connector that you chose opens in the AWS Lambda console. The page includes detailed information about the connector.

   1. Under **Application settings**, read the description for each application setting carefully, and then enter values that correspond to your requirements.

      The application settings that you see vary depending on the connector for your data source. The minimum required settings include:
      + **AthenaCatalogName** – A name, in lower case, for the Lambda function that indicates the data source that it targets, such as `cloudwatchlogs`.
      + **SpillBucket** – An Amazon S3 bucket in your account to store data that exceeds Lambda function response size limits.
**Note**  
Spilled data is not reused in subsequent executions and can be safely deleted. Athena does not delete this data for you. To manage these objects, consider adding an object lifecycle policy that deletes old data from your Amazon S3 spill bucket. For more information, see [Managing your storage lifecycle](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-lifecycle-mgmt.html) in the Amazon S3 User Guide.

   1. Select **I acknowledge that this app creates custom IAM roles and resource policies**. For more information, choose the **Info** link.

   1. Choose **Deploy**. When the deployment is complete, the Lambda function appears in the **Resources** section in the Lambda console.

      After you deploy the data source connector to your account, you can connect Athena to it.

   1. Return to the **Enter data source details** page of the Athena console.

   1. In the **Connection details** section, choose the refresh icon next to the **Select or enter a Lambda function** search box.

   1. Choose the name of the function that you just created in the Lambda console. The ARN of the Lambda function displays.

1. (Optional) For **Tags**, add key-value pairs to associate with this data source. For more information about tags, see [Tag Athena resources](tags.md).

1. Choose **Next**.

1. On the **Review and create** page, review the data source details. To make changes, choose **Edit**. 

1. Read the information in **Athena will create resources in your account**. If you agree, select **I acknowledge that Athena will create resources on my behalf**.

1. Choose **Create data source**. Athena creates the following resources for you.
   + Lambda execution IAM role
   + AWS Glue connection (only if the data source is compatible with AWS Glue Connections)
   + Lambda function

The **Data source details** section of the page for your data source shows information about your new connector. You can now use the connector in your Athena queries. 

For information about using data connectors in queries, see [Run federated queries](running-federated-queries.md).

# Use the AWS Serverless Application Repository to deploy a data source connector
<a name="connect-data-source-serverless-app-repo"></a>

To deploy a data source connector, you can use the [AWS Serverless Application Repository](https://aws.amazon.com/serverless/serverlessrepo/) instead of using an AWS Glue connection.

**Note**  
We recommend that you use the AWS Serverless Application Repository (SAR) only if you have a custom connector or require the use of an older connector. Otherwise, use the Athena console.

You can use the AWS Serverless Application Repository to find the connector that you want to use, provide the parameters that the connector requires, and then deploy the connector to your account. Then, after you deploy the connector, you use the Athena console to make the data source available to Athena.

## Deploying the connector to your account
<a name="connect-data-source-serverless-app-repo-deploying"></a>

**To use the AWS Serverless Application Repository to deploy a data source connector to your account**

1. Sign in to the AWS Management Console and open the **Serverless App Repository**.

1. In the navigation pane, choose **Available applications**.

1. Select the option **Show apps that create custom IAM roles or resource policies**.

1. In the search box, type the name of the connector. For a list of prebuilt Athena data connectors, see [Available data source connectors](connectors-available.md).

1. Choose the name of the connector. Choosing a connector opens the Lambda function's **Application details** page in the AWS Lambda console.

1. On the right side of the details page, for **Application settings**, fill in the required information. The minimum required settings include the following. For information about the remaining configurable options for data connectors built by Athena, see the corresponding [Available connectors](https://github.com/awslabs/aws-athena-query-federation/wiki/Available-Connectors) topic on GitHub.
   + **AthenaCatalogName** – A name for the Lambda function in lower case that indicates the data source that it targets, such as `cloudwatchlogs`.
   + **SpillBucket** – Specify an Amazon S3 bucket in your account to receive data from any large response payloads that exceed Lambda function response size limits.

1. Select **I acknowledge that this app creates custom IAM roles and resource policies**. For more information, choose the **Info** link.

1. At the bottom right of the **Application settings** section, choose **Deploy.** When the deployment is complete, the Lambda function appears in the **Resources** section in the Lambda console.

## Making the connector available in Athena
<a name="connect-data-source-serverless-app-repo-making-the-connector-available-in-athena"></a>

Now you are ready to use the Athena console to make the data source connector available to Athena.

**To make the data source connector available to Athena**

1. Open the Athena console at [https://console.aws.amazon.com/athena/](https://console.aws.amazon.com/athena/home).

1. If the console navigation pane is not visible, choose the expansion menu on the left.  
![\[Choose the expansion menu.\]](http://docs.aws.amazon.com/athena/latest/ug/images/nav-pane-expansion.png)

1. In the navigation pane, choose **Data sources and catalogs**.

1. On the **Data sources and catalogs** page, choose **Create data source**.

1. For **Choose a data source**, choose the data source for which you created a connector in the AWS Serverless Application Repository. This tutorial uses **Amazon CloudWatch Logs** as the federated data source.

1. Choose **Next**.

1. On the **Enter data source details** page, for **Data source name**, enter the name that you want to use in your SQL statements when you query the data source from Athena (for example, `CloudWatchLogs`). The name can be up to 127 characters and must be unique within your account. It cannot be changed after you create it. Valid characters are a-z, A-Z, 0-9, _ (underscore), @ (at sign) and - (hyphen). The names `awsdatacatalog`, `hive`, `jmx`, and `system` are reserved by Athena and cannot be used for data source names.

1. In the **Connection details** section, use the **Select or enter a Lambda function** box to choose the name of the function that you just created. The ARN of the Lambda function displays.

1. (Optional) For **Tags**, add key-value pairs to associate with this data source. For more information about tags, see [Tag Athena resources](tags.md).

1. Choose **Next**.

1. On the **Review and create** page, review the data source details, and then choose **Create data source**. 

1. The **Data source details** section of the page for your data source shows information about your new connector. You can now use the connector in your Athena queries. 

   For information about using data connectors in queries, see [Run federated queries](running-federated-queries.md).

# Create a VPC for a data source connector or AWS Glue connection
<a name="athena-connectors-vpc-creation"></a>

Some Athena data source connectors and AWS Glue connections require a VPC and a security group. This topic shows you how to create a VPC with a subnet and a security group for the VPC. As part of this process, you retrieve the IDs for the VPC, subnet, and security group that you create. These IDs are required when you configure your AWS Glue connection or data source connector for use with Athena.

**To create a VPC for an Athena data source connector**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. Choose **Create VPC**.

1. On the **Create VPC** page, under **VPC Settings**, for **Resources to create**, choose **VPC and more**.

1. Under **Name tag auto-generation**, for **Auto-generate**, enter a value that will be used to generate name tags for all resources in your VPC.

1. Choose **Create VPC**.

1. When the process completes, choose **View VPC**.

1. In the **Details** section, for **VPC ID**, copy your VPC ID for later reference.

Now you are ready to retrieve the subnet ID for the VPC that you just created.

**To retrieve your VPC subnet ID**

1. In the VPC console navigation pane, choose **Subnets**.

1. Select the name of a subnet whose **VPC** column has the VPC ID that you noted.

1. In the **Details** section, for **Subnet ID**, copy your subnet ID for later reference.

Next, you create a security group for your VPC.

**To create a security group for your VPC**

1. In the VPC console navigation pane, choose **Security**, **Security Groups**.

1. Choose **Create security group**.

1. On the **Create security group** page, enter the following information:
   + For **Security group name**, enter a name for your security group.
   + For **Description**, enter a description for the security group. A description is required.
   + For **VPC**, choose the VPC ID of the VPC that you created for your data source connector.
   + For **Inbound rules** and **Outbound rules**, add any inbound and outbound rules that you require.

1. Choose **Create security group**.

1. On the **Details** page for the security group, copy the **Security group ID** for later reference.

## Important considerations for using VPC with Athena connectors
<a name="vpc-warning-instructions"></a>

The following instructions apply to all Athena connectors, as all connectors can utilize VPC.

**Note**  
When using a VPC with AWS Glue connections, you will need to set up the following PrivateLink endpoints:  
Amazon S3
AWS Glue
AWS Secrets Manager

Alternatively, you can use public internet access, though this is not recommended for security reasons.

**Warning**  
Using public internet access may expose your resources to additional security risks. It is strongly recommended to use PrivateLink endpoints for enhanced security in your VPC configuration.

# Pull ECR images to your AWS account
<a name="pull-ecr-customer-account"></a>

Athena federation connector Lambda functions use container images that are stored in Athena-managed Amazon ECR repositories. To perform security scans on these container images, you must first copy them to an Amazon ECR repository in your account. This section provides step-by-step instructions on how to copy an image to your repository and configure your Lambda function to use the image.

## Prerequisites
<a name="pull-ecr-customer-account-prereq"></a>
+ An Athena Federation Connector – The connector can be created through any source, provided that it uses a container image.
**Note**  
To verify image deployment, check the **Image** tab of your Athena Federation Connector Lambda function.
+ Docker installed and running
+ AWS CLI installed
+ Account credentials with the appropriate pull and push permissions

## How to transfer an image
<a name="image-transfer-procedure"></a>

1. Locate the image URI of your Athena Federation Connector Lambda function.  
**Example**  

   ```
   account_id_1.dkr.ecr.us-east-1.amazonaws.com/athena-federation-repository:2025.15.1
   ```

1. Generate a Docker authentication token for the Athena-managed account:

   ```
   aws ecr get-login-password --region regionID | docker login --username AWS --password-stdin athena-managed-registry
   ```

   Where:
   + *regionID* is your deployment region (for example, us-east-1)
   + *athena-managed-registry* is the registry portion of the image URI (for example, account_id_1.dkr.ecr.us-east-1.amazonaws.com)

1. Pull the image from the Athena managed account:

   ```
   docker pull athenaImageURI
   ```

1. Authenticate Docker to your registry:

   ```
   aws ecr get-login-password --region regionID | docker login --username AWS --password-stdin customer-registry
   ```

   Where *customer-registry* is your ECR registry (for example, account_id_2.dkr.ecr.us-east-1.amazonaws.com)

1. Tag the pulled image for your repository:

   ```
   docker tag athenaImageURI yourImageURI
   ```

1. Push the image to your repository:

   ```
   docker push yourImageURI
   ```

1. Update your Athena Federation Connector:

   1. Navigate to your Lambda function

   1. Select **Deploy New Image**

   1. Enter your new image URI

   The Athena federated connector image is now located in your account, which allows you to run CVE scans on the image.
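The transfer steps above as a script, added here as an example and not part of the Athena documentation. It derives the registry host and region from each image URI instead of asking you to copy them by hand, refuses anything that is not a tagged ECR reference before logging in to it, and prints the digest your repository assigned after the push so the Lambda function can be pinned to an immutable `@sha256:...` reference. It assumes Docker and the AWS CLI are installed; set `DRY_RUN=1` to print the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example (not from the Athena docs): copy an Athena-managed connector
# image into your own ECR repository. Assumes Docker and the AWS CLI are
# installed and that your credentials can pull from the Athena-managed registry
# and push to your own. DRY_RUN=1 prints the commands instead of executing them.
set -eu

# Registry host: everything before the first "/" of an image URI.
registry_of() { printf '%s\n' "${1%%/*}"; }

# Region embedded in an ECR registry host (<account>.dkr.ecr.<region>.amazonaws.com).
region_of() {
  local host
  host=$(registry_of "$1")
  host=${host#*.dkr.ecr.}
  printf '%s\n' "${host%%.amazonaws.com*}"
}

# Repository path (without registry or tag) and tag of an image URI.
repo_of() { local path=${1#*/}; printf '%s\n' "${path%%:*}"; }
tag_of()  { local path=${1#*/}; printf '%s\n' "${path##*:}"; }

# Accept only tagged ECR image references; anything else is rejected before login.
is_ecr_uri() {
  case "$1" in
    *.dkr.ecr.*.amazonaws.com/*:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Run a simple command, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# "aws ecr get-login-password | docker login" for the registry that owns an image.
ecr_login() {
  local registry region
  registry=$(registry_of "$1")
  region=$(region_of "$1")
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'aws ecr get-login-password --region %s | docker login --username AWS --password-stdin %s\n' \
      "$region" "$registry"
  else
    aws ecr get-login-password --region "$region" |
      docker login --username AWS --password-stdin "$registry"
  fi
}

# transfer_image <Athena image URI> <your image URI>
transfer_image() {
  local src=$1 dst=$2
  is_ecr_uri "$src" || { echo "not a tagged ECR image URI: $src" >&2; return 2; }
  is_ecr_uri "$dst" || { echo "not a tagged ECR image URI: $dst" >&2; return 2; }

  ecr_login "$src"               # step 2: token for the Athena-managed registry
  run docker pull "$src"         # step 3
  ecr_login "$dst"               # step 4: token for your own registry
  run docker tag "$src" "$dst"   # step 5
  run docker push "$dst"         # step 6

  # Print the digest your repository assigned, so the Lambda function can be
  # pointed at an immutable <repo>@sha256:... reference rather than a mutable tag.
  if [ "${DRY_RUN:-0}" != 1 ]; then
    docker image inspect --format '{{join .RepoDigests "\n"}}' "$dst" |
      grep -F "$(registry_of "$dst")/$(repo_of "$dst")@"
  fi
}

# Example invocation with the placeholder URIs from the procedure above:
# transfer_image \
#   account_id_1.dkr.ecr.us-east-1.amazonaws.com/athena-federation-repository:2025.15.1 \
#   account_id_2.dkr.ecr.us-east-1.amazonaws.com/athena-federation-repository:2025.15.1
```

Use the printed `@sha256:` reference as the image URI in step 7 so that a later push to the same tag cannot silently change what the connector runs.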

# Register your connection as a Glue Data Catalog
<a name="register-connection-as-gdc"></a>

After you create your data source, you can use the Athena console to register your connection as a Glue Data Catalog. Once registered, you can manage your federated data catalog and enable fine-grained access control using Lake Formation. For more information, see [Creating a federated catalog](https://docs.aws.amazon.com/lake-formation/latest/dg/create-fed-catalog-data-source.html).

You can register the following connectors to integrate with AWS Glue for fine-grained access control.
+ Redshift
+ BigQuery
+ DynamoDB (Preview)
+ Snowflake (Preview)
+ MySQL
+ PostgreSQL
+ AWS CMDB
+ Timestream
+ Azure Data Lake Storage
+ Azure Synapse
+ IBM Db2
+ IBM Db2 AS/400 (Db2 iSeries)
+ DocumentDB
+ Google Cloud Storage
+ HBase
+ OpenSearch
+ Oracle
+ SAP HANA
+ SQL Server
+ TPC-DS
+ Cloudera Hive
+ Cloudwatch
+ Cloudwatch Metrics
+ Teradata
+ Vertica

## Prerequisites
<a name="register-connection-as-gdc-pre"></a>

Before you begin, you must complete the following prerequisites.
+ Ensure that you have the roles and permissions needed to register locations. For more information, see the [Requirements for roles](https://docs.aws.amazon.com/lake-formation/latest/dg/registration-role.html) in the AWS Lake Formation Developer Guide.
+ Ensure that you have the required Lake Formation roles. For more information, see [Prerequisites for connecting the Data Catalog to external data sources](https://docs.aws.amazon.com/lake-formation/latest/dg/federated-catalog-data-connection.html) in the AWS Lake Formation Developer Guide.
+ The role that you register in Glue must have the permissions as listed in the following example.

------
#### [ JSON ]

  ```
  {
      "Version": "2012-10-17",
      "Statement": [
          {
              "Effect": "Allow",
              "Action": [
                  "s3:ListBucket",
                  "s3:GetObject"
              ],
              "Resource": [
                  "arn:aws:s3:::amzn-s3-demo-bucket/spill-prefix/*",
                  "arn:aws:s3:::amzn-s3-demo-bucket/spill-prefix"
              ]
          },
          {
              "Sid": "lambdainvoke",
              "Effect": "Allow",
              "Action": "lambda:InvokeFunction",
              "Resource": "arn:aws:lambda:us-east-1:111122223333:function:lambda_function_name"
          },
          {
              "Sid": "gluepolicy",
              "Effect": "Allow",
              "Action": "glue:*",
              "Resource": [
                  "arn:aws:glue:us-east-1:111122223333:connection/<connection_name>",
                  "arn:aws:glue:us-east-1:111122223333:catalog"
              ]
          }
      ]
  }
  ```

------
+ You are responsible for determining and managing the appropriate data access. With fine-grained access control on federated queries, we recommend that you use the [AmazonAthenaFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonAthenaFullAccess.html) managed policy. If you want to use your own policy, you must ensure that the users running federated queries do not have access to the following resources.
  + `lambda:InvokeFunction` on the Lambda connector that is specified in Glue connection
  + Spill bucket location access in IAM
  + Access to the Glue connection associated with your federated catalog
  + Lake Formation Role in IAM

## Register your connection using console
<a name="register-connection-as-gdc-steps"></a>

**To register your connection as a Glue Data Catalog**

1. Open the Athena console at [https://console.aws.amazon.com/athena/](https://console.aws.amazon.com/athena/home).

1. In the navigation pane, choose **Data sources and catalogs**.

1. From the **Data sources** list, choose the data source that you created to open the **Data source details** page. 

1. Choose **Get started with AWS Lake Formation**.
**Note**  
After you choose this option, you must manage your Lambda function on your own. Athena will not delete your Lambda function.

1. For **Data catalog name** provide a unique name for your catalog.

1. Choose the **Lake Formation IAM role** that grants permission to Lake Formation to invoke the Lambda function. Make sure the role has the permissions as shown in [the example](#register-connection-as-gdc-pre).

1. In the text box, type **confirm** to delete the Athena data source and replace it with a Glue Data Catalog registration.
**Note**  
This action will delete your Athena data source and create a new Glue Data Catalog in its place. After this process is completed, you may need to update queries that access the data source to refer to the newly created Glue data catalog instead.

1. Choose **Create catalog and go to Lake Formation**. This opens the Lake Formation console where you can manage the catalog and grant permissions to users on catalogs, databases and tables.

# Enable cross-account federated queries
<a name="xacct-fed-query-enable"></a>

Federated query allows you to query data sources other than Amazon S3 using data source connectors deployed on AWS Lambda. The cross-account federated query feature allows the Lambda function and the data sources that are to be queried to be located in different accounts.

**Note**  
Use this method only if you have not registered your federated data source with the AWS Glue Data Catalog. If you have registered your data source with the AWS Glue Data Catalog, use the AWS Glue Data Catalog cross account features and permissions model. For more information, see [Granting cross-account access](https://docs.aws.amazon.com/glue/latest/dg/cross-account-access.html) in the *AWS Glue User Guide*.

As a data administrator, you can enable cross-account federated queries by sharing your data connector with a data analyst's account. As a data analyst, you can enable them by adding a shared Lambda ARN from a data administrator to your account. When configuration changes are made to a connector in the originating account, the updated configuration is automatically applied to the shared instances of the connector in other users' accounts.

## Considerations and limitations
<a name="xacct-fed-query-enable-considerations-and-limitations"></a>
+ The cross-account federated query feature is available for non-Hive metastore data connectors that use a Lambda-based data source.
+ The feature is not available for the AWS Glue Data Catalog data source type. For information about cross-account access to AWS Glue Data Catalogs, see [Configure cross-account access to AWS Glue data catalogs](security-iam-cross-account-glue-catalog-access.md).
+ If the response from your connector's Lambda function exceeds the Lambda response size limit of 6MB, Athena automatically encrypts, batches, and spills the response to an Amazon S3 bucket that you configure. The entity running the Athena query must have access to the spill location in order for Athena to read the spilled data. We recommend that you set an Amazon S3 lifecycle policy to delete objects from the spill location since the data is not needed after the query completes. 
+ Using federated queries across AWS Regions is not supported. 

## Required permissions
<a name="xacct-fed-query-enable-required-permissions"></a>

To set up the required permissions, actions must be taken in both Account A (*444455556666*) and Account B (*111122223333*).

### Actions for Account A
<a name="xacct-fed-query-enable-required-permissions-account-a"></a>

For data administrator Account A to share a Lambda function with data analyst Account B, Account B requires Lambda invoke function and spill bucket access. Accordingly, Account A should add a [resource-based policy](https://docs.aws.amazon.com/lambda/latest/dg/access-control-resource-based.html) to the Lambda function and grant the Account B [principal](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-policy-language-overview.html) access to its spill bucket in Amazon S3.

1. The following policy grants Lambda invoke function permissions to Account B on a Lambda function in Account A.

------
#### [ JSON ]

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "CrossAccountInvocationStatement",
               "Effect": "Allow",
               "Principal": {
                   "AWS": [
                       "arn:aws:iam::111122223333:user/username"
                   ]
               },
               "Action": "lambda:InvokeFunction",
               "Resource": "arn:aws:lambda:us-east-1:444455556666:function:lambda-function-name"
           }
       ]
   }
   ```

------

1. The following policy allows spill bucket access to the principal in Account B.

------
#### [ JSON ]

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Principal": {
                   "AWS": ["arn:aws:iam::111122223333:user/username"]
               },
               "Action": [
                   "s3:GetObject",
                   "s3:ListBucket"
               ],
               "Resource": [
                   "arn:aws:s3:::spill-bucket",
                   "arn:aws:s3:::spill-bucket/*"
               ]
           }
       ]
   }
   ```

------

1. If the Lambda function encrypts the spill bucket with an AWS KMS key instead of the default encryption offered by the federation SDK, the AWS KMS key policy in Account A must grant access to the user in Account B, as in the following example.

   ```
   {
       "Sid": "Allow use of the key",
       "Effect": "Allow",
       "Principal": {
           "AWS": ["arn:aws:iam::account-B-id:user/username"]
       },
       "Action": ["kms:Decrypt"],
       "Resource": "*" // Key policy statement that is placed on the KMS key.
   }
   ```

### Actions for Account B
<a name="xacct-fed-query-enable-required-permissions-account-b"></a>

For Account A to share its connector with Account B, Account B must create a role called `AthenaCrossAccountCreate-account-A-id` that Account A assumes by calling the AWS Security Token Service [AssumeRole](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html) API action.

1. Use the IAM console or the AWS CLI to create the `AthenaCrossAccountCreate-account-A-id` role as a custom trust policy role. A custom trust policy delegates access and allows others to perform actions in your AWS account. For steps, see [Create a role using custom trust policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) in the *IAM User Guide*.

   The trust relationship should have a principal object in which the key is `AWS` and the value is the ARN of Account A, as in the following example.

   ```
   ...
   "Principal": 
   { 
      "AWS": ["arn:aws:iam::account-A-id:user/username"]
   }, 
   ...
   ```

1. Also in Account B, create a policy like the following that allows the `CreateDataCatalog` action. 

   ```
   {
    "Effect": "Allow",
    "Action": "athena:CreateDataCatalog",
    "Resource": "arn:aws:athena:*:account-B-id:datacatalog/*"
   }
   ```

1. Add the policy that allows the `CreateDataCatalog` action to the `AthenaCrossAccountCreate-account-A-id` role that you created using Account B. 

## Sharing a data source in Account A with Account B
<a name="xacct-fed-query-enable-sharing-a-lambda-data-source-in-account-a-with-account-b"></a>

After permissions are in place, you can use the **Data sources and catalogs** page in the Athena console to share a data connector in your account (Account A) with another account (Account B). Account A retains full control and ownership of the connector. When Account A makes configuration changes to the connector, the updated configuration applies to the shared connector in Account B.

**Note**  
You can only share a Lambda type data source and cannot share data sources that use AWS Glue connections. For more information, see [Available data source connectors](connectors-available.md).

**To share a Lambda data source in Account A with Account B**

1. Open the Athena console at [https://console.aws.amazon.com/athena/](https://console.aws.amazon.com/athena/home).

1. If the console navigation pane is not visible, choose the expansion menu on the left.  
![\[Choose the expansion menu.\]](http://docs.aws.amazon.com/athena/latest/ug/images/nav-pane-expansion.png)

1. Choose **Data sources and catalogs**.

1. On the **Data sources and catalogs** page, choose the link of the connector that you want to share.

1. On the details page for a Lambda data source, from the **Actions** menu in the top right corner, choose **Share**.

1. In the **Share *Lambda-name* with another account?** dialog box, enter the required information.
   + For **Data source name**, enter the name of the copied data source as you want it to appear in the other account.
   + For **Account ID**, enter the ID of the account with which you want to share your data source (in this case, Account B).

1. Choose **Share**. The shared data connector that you specified is created in Account B. Configuration changes to the connector in Account A apply to the connector in Account B.

## Adding a shared data source from Account A to Account B
<a name="xacct-fed-query-enable-add-a-shared-lambda-function-arn-to-your-account"></a>

As a data analyst, you may be given the ARN of a connector to add to your account from a data administrator. You can use the **Data sources and catalogs** page of the Athena console to add the Lambda ARN provided by your administrator to your account.

**To add the Lambda ARN of a shared data connector to your account**

1. Open the Athena console at [https://console.aws.amazon.com/athena/](https://console.aws.amazon.com/athena/home).

1. If the navigation pane is not visible, choose the expansion menu on the left.

1. Choose **Data sources and catalogs**.

1. On the **Data sources and catalogs** page, choose **Create data source**.

1. On the **Choose a data source** page, choose **Custom or shared connector**.

1. Choose **Next**.

1. On the **Enter data source details** page, in the **Connection details** section, for **Select or enter a Lambda function**, enter the Lambda ARN of Account A.

1. Choose **Next**.

1. On the **Review and create** page, choose **Create data source**.

## Troubleshooting
<a name="xacct-fed-query-enable-troubleshooting"></a>

If you receive an error message that Account A does not have the permissions to assume a role in Account B, make sure that the name of the role created in Account B is spelled correctly and that it has the proper policy attached.

# Update a data source connector
<a name="connectors-updating"></a>

Athena recommends that you regularly update the data source connectors that you use to the latest version to take advantage of new features and enhancements. Updating a data source connector includes the following steps:

# Glue connections (recommended)
<a name="connectors-updating-gc"></a>

## Find the latest Athena Query Federation version
<a name="connectors-updating-finding-the-latest-version"></a>

The latest version number of Athena data source connectors corresponds to the latest Athena Query Federation version. In certain cases, the GitHub releases can be slightly newer than what is available on the AWS Serverless Application Repository (SAR).

**To find the latest Athena Query Federation version number**

1. Visit the GitHub URL [https://github.com/awslabs/aws-athena-query-federation/releases/latest](https://github.com/awslabs/aws-athena-query-federation/releases/latest).

1. Note the release number in the main page heading in the following format:

   **Release v** *year*.*week_of_year*.*iteration_of_week* **of Athena Query Federation**

   For example, the release number for **Release v2023.8.3 of Athena Query Federation** is 2023.8.3.

## Finding your connector version
<a name="connectors-find-version"></a>

Follow these steps to determine which version of your connector you are currently using.

**To find your connector version**

1. On the Lambda console page for your Lambda application, choose the **Image** tab.

1. On the **Image** tab, locate the Image URI. The URI follows this format:

   ```
   Image_location_account.dkr.ecr.us-west-2.amazonaws.com/athena-federation-repository:Version
   ```

1. The version number in the Image URI follows the format `year.week_of_year.iteration_of_week` (for example, `2021.42.1`). This number represents your connector version.

## Deploying a new connector version
<a name="connectors-deploy-new-version"></a>

Follow these steps to deploy a new version of your connector.

**To deploy a new connector version**

1. Find the desired version by following the procedure to find the latest Athena Query Federation version.

1. In the federated connector Lambda function, locate the Image URI and update the tag to the desired version. For example:

   From:

   ```
   509399631660.dkr.ecr.us-east-1.amazonaws.com/athena-federation-repository:2025.15.1
   ```

   To:

   ```
   509399631660.dkr.ecr.us-east-1.amazonaws.com/athena-federation-repository:2025.26.1
   ```

**Note**  
If your current version is older than 2025.15.1, be aware of these important changes:  
+ The repository name has been updated to `athena-federation-repository`.
+ For versions before this update, the command override may not be set. You must set it to the composite handler.

# Legacy connections
<a name="connectors-updating-legacy"></a>

## Find the latest Athena Query Federation version
<a name="connectors-updating-finding-the-latest-version"></a>

The latest version number of Athena data source connectors corresponds to the latest Athena Query Federation version. In certain cases, the GitHub releases can be slightly newer than what is available on the AWS Serverless Application Repository (SAR).

**To find the latest Athena Query Federation version number**

1. Visit the GitHub URL [https://github.com/awslabs/aws-athena-query-federation/releases/latest](https://github.com/awslabs/aws-athena-query-federation/releases/latest).

1. Note the release number in the main page heading in the following format:

   **Release v** *year*.*week_of_year*.*iteration_of_week* **of Athena Query Federation**

   For example, the release number for **Release v2023.8.3 of Athena Query Federation** is 2023.8.3.

## Find and note resource names
<a name="connectors-updating-finding-and-noting-resource-names"></a>

In preparation for the upgrade, you must find and note the following information:

1. The Lambda function name for the connector.

1. The Lambda function environment variables.

1. The Lambda application name, which manages the Lambda function for the connector.

**To find resource names from the Athena console**

1. Open the Athena console at [https://console.aws.amazon.com/athena/](https://console.aws.amazon.com/athena/home).

1. If the console navigation pane is not visible, choose the expansion menu on the left.  
![\[Choose the expansion menu.\]](http://docs.aws.amazon.com/athena/latest/ug/images/nav-pane-expansion.png)

1. In the navigation pane, choose **Data sources and catalogs**.

1. In the **Data source name** column, choose the link to the data source for your connector.

1. In the **Data source details** section, under **Lambda function**, choose the link to your Lambda function.  
![\[Choose the link to your Lambda function.\]](http://docs.aws.amazon.com/athena/latest/ug/images/connectors-updating-1.png)

1. On the **Functions** page, in the **Function name** column, note the function name for your connector.  
![\[Note the function name.\]](http://docs.aws.amazon.com/athena/latest/ug/images/connectors-updating-2.png)

1. Choose the function name link.

1. Under the **Function overview** section, choose the **Configuration** tab.

1. In the pane on the left, choose **Environment variables**.

1. In the **Environment variables** section, make a note of the keys and their corresponding values.

1. Scroll to the top of the page.

1. In the message **This function belongs to an application. Click here to manage it**, choose the **Click here** link.

1. On the **serverlessrepo-*your_application_name*** page, make a note of your application name without **serverlessrepo**. For example, if the application name is **serverlessrepo-DynamoDbTestApp**, then your application name is **DynamoDbTestApp**.

1. Stay on the Lambda console page for your application, and then continue with the steps in **Find the version of the connector that you are using**.

## Find the version of the connector that you are using
<a name="connectors-updating-finding-the-version-that-you-are-using"></a>

Follow these steps to find the version of the connector that you are using.

**To find the version of the connector that you are using**

1. On the Lambda console page for your Lambda application, choose the **Deployments** tab.

1. On the **Deployments** tab, expand **SAM template**.

1. Search for **CodeUri**.

1. In the **Key** field under **CodeUri**, find the following string:

   ```
   applications-connector_name-versions-year.week_of_year.iteration_of_week/hash_number
   ```

   The following example shows a string for the CloudWatch connector:

   ```
   applications-AthenaCloudwatchConnector-versions-2021.42.1/15151159...
   ```

1. Record the value for *year*.*week_of_year*.*iteration_of_week* (for example, **2021.42.1**). This is the version for your connector.
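A small parser for both version strings this page describes: the ECR image URI tag that Glue connection connectors carry (the "Finding your connector version" procedure above) and the SAM `CodeUri` key that legacy deployments carry (the procedure just completed). It also builds the updated image URI and flags the pre-2025.15.1 caveat from the Glue connections Note (repository renamed, command override possibly unset). This is an added example, not code from the Athena documentation or the aws-athena-query-federation project; the sample values are the ones shown on this page except `legacy-repository-name`, a constructed placeholder for whatever repository name an old image used.

```python
"""Parse Athena connector version strings and plan an image update.
Added example, not from the Athena documentation or the
aws-athena-query-federation project. Sample values come from this page
except 'legacy-repository-name', a constructed placeholder."""
import re
from typing import NamedTuple


class ConnectorVersion(NamedTuple):
    """year.week_of_year.iteration_of_week; tuple ordering gives chronological comparison."""
    year: int
    week_of_year: int
    iteration_of_week: int

    @classmethod
    def parse(cls, text: str) -> "ConnectorVersion":
        parts = text.split(".")
        if len(parts) != 3 or not all(p.isdigit() for p in parts):
            raise ValueError(f"not a year.week.iteration version: {text!r}")
        return cls(int(parts[0]), int(parts[1]), int(parts[2]))

    def __str__(self) -> str:
        return f"{self.year}.{self.week_of_year}.{self.iteration_of_week}"


# Glue connection connectors: <account>.dkr.ecr.<region>.amazonaws.com/<repo>:<version>
IMAGE_URI_RE = re.compile(
    r"^(?P<account>\d{12})\.dkr\.ecr\.(?P<region>[a-z0-9-]+)\.amazonaws\.com/"
    r"(?P<repo>[A-Za-z0-9._/-]+):(?P<tag>\d{4}\.\d{1,2}\.\d+)$"
)
# Legacy SAR deployments: applications-<connector>-versions-<version>/<hash>
CODEURI_RE = re.compile(
    r"^applications-(?P<name>.+?)-versions-(?P<tag>\d{4}\.\d{1,2}\.\d+)/(?P<hash>[0-9a-f]+)"
)

CURRENT_REPOSITORY = "athena-federation-repository"
REPOSITORY_RENAME_VERSION = ConnectorVersion(2025, 15, 1)


def parse_image_uri(uri: str) -> dict:
    """Split a connector image URI into account, region, repository and version."""
    m = IMAGE_URI_RE.match(uri)
    if not m:
        raise ValueError(f"unrecognised connector image URI: {uri!r}")
    return {
        "account": m["account"],
        "region": m["region"],
        "repository": m["repo"],
        "version": ConnectorVersion.parse(m["tag"]),
    }


def parse_codeuri(key: str) -> dict:
    """Extract connector name and version from a legacy SAM CodeUri key."""
    m = CODEURI_RE.match(key)
    if not m:
        raise ValueError(f"unrecognised CodeUri key: {key!r}")
    return {"connector": m["name"], "version": ConnectorVersion.parse(m["tag"])}


def older_than_repository_rename(version: ConnectorVersion) -> bool:
    """True when the Note for Glue connections applies (version before 2025.15.1)."""
    return version < REPOSITORY_RENAME_VERSION


def plan_image_update(current_uri: str, target: str) -> dict:
    """Build the updated image URI and list what to verify before applying it."""
    info = parse_image_uri(current_uri)
    current = info["version"]
    new = ConnectorVersion.parse(target)
    checks = []
    if new < current:
        checks.append("target is older than the deployed version (downgrade)")
    if older_than_repository_rename(current):
        checks.append("deployed version predates 2025.15.1: confirm the command override "
                      "is set to the composite handler")
    if info["repository"] != CURRENT_REPOSITORY:
        checks.append(f"repository renamed from {info['repository']} to {CURRENT_REPOSITORY}")
    new_uri = f"{info['account']}.dkr.ecr.{info['region']}.amazonaws.com/{CURRENT_REPOSITORY}:{new}"
    return {"current": str(current), "target": str(new), "new_uri": new_uri, "checks": checks}


if __name__ == "__main__":
    print(parse_codeuri("applications-AthenaCloudwatchConnector-versions-2021.42.1/15151159..."))
    print(plan_image_update(
        "509399631660.dkr.ecr.us-east-1.amazonaws.com/athena-federation-repository:2025.15.1",
        "2025.26.1"))
```

The `checks` list is empty for the straightforward case on this page (2025.15.1 to 2025.26.1 in the same repository); it is non-empty exactly when the Note's caveats apply or when the requested tag would roll the connector back, which is worth a second look before editing the function's image URI.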

## Deploy the new version of your connector
<a name="connectors-updating-deploying-the-new-version"></a>

Follow these steps to deploy a new version of your connector.

**To deploy a new version of your connector**

1. Open the Athena console at [https://console.aws.amazon.com/athena/](https://console.aws.amazon.com/athena/home).

1. If the console navigation pane is not visible, choose the expansion menu on the left.  
![\[Choose the expansion menu.\]](http://docs.aws.amazon.com/athena/latest/ug/images/nav-pane-expansion.png)

1. In the navigation pane, choose **Data sources and catalogs**.

1. On the **Data sources and catalogs** page, choose **Create data source**.

1. Choose the data source that you want to upgrade, and then choose **Next**.

1. In the **Connection details** section, choose **Create Lambda function**. This opens the Lambda console, where you can deploy your updated application.  
![\[Connector page in the AWS Lambda console.\]](http://docs.aws.amazon.com/athena/latest/ug/images/connectors-updating-3.png)

1. Because you are not actually creating a new data source, you can close the Athena console tab.

1. On the Lambda console page for the connector, perform the following steps:

   1. Ensure that you have removed the **serverlessrepo-** prefix from your application name, and then copy the application name to the **Application name** field.

   1. Copy your Lambda function name to the **AthenaCatalogName** field. Some connectors call this field **LambdaFunctionName**.

   1. Copy the environment variables that you recorded into their corresponding fields.

1. Select the option **I acknowledge that this app creates custom IAM roles and resource policies**, and then choose **Deploy**.

1. To verify that your application has been updated, choose the **Deployments** tab.

   The **Deployment history** section shows that your update is complete.  
![\[Connector update completed.\]](http://docs.aws.amazon.com/athena/latest/ug/images/connectors-updating-4.png)

1. To confirm the new version number, you can expand **SAM template** as before, find **CodeUri**, and check the connector version number in the **Key** field.

You can now use your updated connector to create Athena federated queries.