Use CalledVia context keys for Athena
When a principal makes a request to AWS, AWS gathers the request information into a request context that evaluates and authorizes the request. You can use the Condition element of a JSON policy to compare keys in the request context with key values that you specify in your policy. Global condition context keys are condition keys with an aws: prefix.
About the aws:CalledVia context key
You can use the aws:CalledVia global condition context key to compare the services in the policy with the services that made requests on behalf of the IAM principal (user or role). When a principal makes a request to an AWS service, that service might use the principal's credentials to make subsequent requests to other services. The aws:CalledVia key contains an ordered list of each service in the chain that made requests on the principal's behalf.
By specifying a service principal name for the aws:CalledVia context key, you can make the context key AWS service-specific. For example, you can use the aws:CalledVia condition key to limit requests to only those made from Athena. To use the aws:CalledVia condition key in a policy with Athena, you specify the Athena service principal name athena.amazonaws.com, as in the following example.

    ...
    "Condition": {
        "ForAnyValue:StringEquals": {
            "aws:CalledVia": "athena.amazonaws.com"
        }
    }
    ...
You can use the aws:CalledVia context key to ensure that callers only have access to a resource (like a Lambda function) if they call the resource from Athena.
Note
The aws:CalledVia context key is not compatible with the trusted identity propagation feature.
Add a CalledVia context key for access to Lambda functions
Athena requires the caller to have lambda:InvokeFunction permissions in order to invoke the Lambda function associated with the query. The following statement specifies that the user can invoke Lambda functions only from Athena.
The following example shows the addition of the previous statement to a policy that allows a user to run and read a federated query. Principals who are allowed to perform these actions can run queries that specify Athena catalogs associated with a federated data source. However, the principal cannot access the associated Lambda function unless the function is invoked through Athena.
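As an added illustration (not code from the AWS documentation, and not the IAM policy engine itself), the following Python models how IAM evaluates the aws:CalledVia condition above. It embeds a constructed lambda:InvokeFunction statement, once with the ForAnyValue:StringEquals condition and once without, and checks it against request contexts for a direct call, a call made through Athena, and a call made through a different service. The function ARN, account ID, and the second service in the constructed chain are placeholders; the evaluator models only Allow statements with the ForAnyValue:StringEquals operator, which is all this comparison needs.

```python
"""Simplified model of IAM evaluation for a ForAnyValue:StringEquals
condition on the multivalued aws:CalledVia key.

Added illustration only: this is not AWS code and models just the subset of
policy evaluation needed to compare a conditioned and an unconditioned
lambda:InvokeFunction statement.
"""

import fnmatch
from typing import Any, Dict, List, Optional

# Constructed statement: lambda:InvokeFunction is allowed only when Athena
# made the call on the principal's behalf. The ARN is a placeholder.
LAMBDA_VIA_ATHENA_STATEMENT: Dict[str, Any] = {
    "Effect": "Allow",
    "Action": ["lambda:InvokeFunction"],
    "Resource": "arn:aws:lambda:us-east-1:111122223333:function:EXAMPLE-connector",
    "Condition": {
        "ForAnyValue:StringEquals": {"aws:CalledVia": "athena.amazonaws.com"}
    },
}

# The same statement with the Condition removed: the principal can invoke the
# function directly, bypassing Athena.
LAMBDA_UNCONDITIONAL_STATEMENT: Dict[str, Any] = {
    key: value for key, value in LAMBDA_VIA_ATHENA_STATEMENT.items() if key != "Condition"
}

FUNCTION_ARN = LAMBDA_VIA_ATHENA_STATEMENT["Resource"]


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def condition_matches(condition: Dict[str, Any], context: Dict[str, Any]) -> bool:
    """Every operator/key pair in the Condition block must be true.

    ForAnyValue:StringEquals is true when at least one value of the
    multivalued request-context key equals one of the policy values.
    A key that is absent from the request context makes it false.
    """
    for operator, pairs in condition.items():
        if operator != "ForAnyValue:StringEquals":
            raise NotImplementedError(f"operator not modeled: {operator}")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if not any(v in _as_list(expected) for v in _as_list(actual)):
                return False
    return True


def statement_allows(statement: Dict[str, Any], action: str, resource: str,
                     context: Dict[str, Any]) -> bool:
    """Allow if Effect, Action, Resource and Condition all match."""
    if statement.get("Effect") != "Allow":
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(statement["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(statement["Resource"])):
        return False
    return condition_matches(statement.get("Condition", {}), context)


def can_invoke(statement: Dict[str, Any], called_via: Optional[List[str]] = None) -> bool:
    """called_via is the ordered service chain IAM would place in aws:CalledVia.

    None models the principal calling Lambda directly with its own
    credentials, in which case the key is absent from the request context.
    """
    context = {} if called_via is None else {"aws:CalledVia": list(called_via)}
    return statement_allows(statement, "lambda:InvokeFunction", FUNCTION_ARN, context)


if __name__ == "__main__":
    print("direct call, conditioned statement:   ", can_invoke(LAMBDA_VIA_ATHENA_STATEMENT))
    print("via Athena, conditioned statement:    ", can_invoke(LAMBDA_VIA_ATHENA_STATEMENT, ["athena.amazonaws.com"]))
    print("via other service, conditioned:       ", can_invoke(LAMBDA_VIA_ATHENA_STATEMENT, ["cloudformation.amazonaws.com"]))
    print("direct call, unconditioned statement: ", can_invoke(LAMBDA_UNCONDITIONAL_STATEMENT))
```

The direct call fails against the conditioned statement because aws:CalledVia is simply not in the request context when the principal uses its own credentials, so the ForAnyValue operator has nothing to match; the unconditioned statement lets the same principal invoke the function from anywhere, which is the exposure the condition removes.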
For more information about CalledVia condition keys, see AWS global condition context keys in the IAM User Guide.