

# Use IAM policies to control workgroup access
<a name="workgroups-iam-policy"></a>

To control access to workgroups, use resource-level IAM permissions or identity-based IAM policies. Whenever you use IAM policies, make sure that you follow IAM best practices. For more information, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.

**Note**  
To access trusted identity propagation enabled workgroups, IAM Identity Center users must be assigned to the `IdentityCenterApplicationArn` that is returned by the response of the Athena [GetWorkGroup](https://docs.aws.amazon.com/athena/latest/APIReference/API_GetWorkGroup.html) API action.

The following procedure is specific to Athena. 

For IAM-specific information, see the links listed at the end of this section. For information about example JSON workgroup policies, see [Example workgroup policies](example-policies-workgroup.md).

**To use the visual editor in the IAM console to create a workgroup policy**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane on the left, choose **Policies**, and then choose **Create policy**.

1. On the **Visual editor** tab, choose **Choose a service**. Then choose Athena to add to the policy.

1. Choose **Select actions**, and then choose the actions to add to the policy. The visual editor shows the actions available in Athena. For more information, see [Actions, resources, and condition keys for Amazon Athena](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonathena.html) in the *Service Authorization Reference*.

1. Choose **add actions** to type a specific action or use wildcards (\*) to specify multiple actions.

   By default, the policy that you are creating allows the actions that you choose. If you chose one or more actions that support resource-level permissions to the `workgroup` resource in Athena, then the editor lists the `workgroup` resource. 

1. Choose **Resources** to specify the specific workgroups for your policy. For example JSON workgroup policies, see [Example workgroup policies](example-policies-workgroup.md).

1. Specify the `workgroup` resource as follows:

   ```
   arn:aws:athena:<region>:<user-account>:workgroup/<workgroup-name>
   ```

1. Choose **Review policy**, and then type a **Name** and a **Description** (optional) for the policy that you are creating. Review the policy summary to make sure that you granted the intended permissions. 

1. Choose **Create policy** to save your new policy.

1. Attach this identity-based policy to a user, a group, or a role.

For more information, see the following topics in the *Service Authorization Reference* and *IAM User Guide*:
+  [Actions, resources, and condition keys for Amazon Athena](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonathena.html) 
+  [Creating policies with the visual editor](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-visual-editor) 
+  [Adding and removing IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) 
+  [Controlling access to resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_controlling.html#access_controlling-resources) 

For example JSON workgroup policies, see [Example workgroup policies](example-policies-workgroup.md).

For a complete list of Amazon Athena actions, see the API action names in the [Amazon Athena API Reference](https://docs.aws.amazon.com/athena/latest/APIReference/). 

# Example workgroup policies
<a name="example-policies-workgroup"></a>

This section includes example policies you can use to enable various actions on workgroups. Whenever you use IAM policies, make sure that you follow IAM best practices. For more information, see [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the *IAM User Guide*.

A workgroup is an IAM resource managed by Athena. Therefore, if your workgroup policy uses actions that take `workgroup` as an input, you must specify the workgroup's ARN as follows:

```
"Resource": ["arn:aws:athena:<region>:<user-account>:workgroup/<workgroup-name>"]
```

Here `<workgroup-name>` is the name of your workgroup. For example, for a workgroup named `test_workgroup`, specify it as a resource as follows:

```
"Resource": ["arn:aws:athena:us-east-1:123456789012:workgroup/test_workgroup"]
```

For a complete list of Amazon Athena actions, see the API action names in the [Amazon Athena API Reference](https://docs.aws.amazon.com/athena/latest/APIReference/). For more information about IAM policies, see [Creating policies with the visual editor](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-visual-editor) in the *IAM User Guide*. For more information about creating IAM policies for workgroups, see [Use IAM policies to control workgroup access](workgroups-iam-policy.md).
+  [Example policy for full access to all workgroups](#example1-full-access-all-wkgs) 
+  [Example policy for full access to a specified workgroup](#example2-full-access-this-wkg) 
+  [Example policy for running queries in a specified workgroup](#example3-user-access) 
+  [Example policy for running queries in the primary workgroup](#example4-run-in-primary-access) 
+  [Example policy for management operations on a specified workgroup](#example5-manage-wkgs-access) 
+  [Example policy for listing workgroups](#example6-list-all-wkgs-access) 
+  [Example policy for running and stopping queries in a specific workgroup](#example7-run-queries-access) 
+  [Example policy for working with named queries in a specific workgroup](#example8-named-queries-access) 
+  [Example policy for working with Spark notebooks](#example9-spark-workgroup) 

**Example policy for full access to all workgroups**  
The following policy allows full access to all workgroup resources that might exist in the account. We recommend that you use this policy for those users in your account that must administer and manage workgroups for all other users.    

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "athena:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```

**Example policy for full access to a specified workgroup**  
The following policy allows full access to the single specific workgroup resource, named `workgroupA`. You could use this policy for users with full control over a particular workgroup.    

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "athena:ListEngineVersions",
                "athena:ListWorkGroups",
                "athena:ListDataCatalogs",
                "athena:ListDatabases",
                "athena:GetDatabase",
                "athena:ListTableMetadata",
                "athena:GetTableMetadata"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "athena:BatchGetQueryExecution",
                "athena:GetQueryExecution",
                "athena:ListQueryExecutions",
                "athena:StartQueryExecution",
                "athena:StopQueryExecution",
                "athena:GetQueryResults",
                "athena:GetQueryResultsStream",
                "athena:CreateNamedQuery",
                "athena:GetNamedQuery",
                "athena:BatchGetNamedQuery",
                "athena:ListNamedQueries",
                "athena:DeleteNamedQuery",
                "athena:CreatePreparedStatement",
                "athena:GetPreparedStatement",
                "athena:ListPreparedStatements",
                "athena:UpdatePreparedStatement",
                "athena:DeletePreparedStatement"
            ],
            "Resource": [
                "arn:aws:athena:us-east-1:123456789012:workgroup/workgroupA"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "athena:DeleteWorkGroup",
                "athena:UpdateWorkGroup",
                "athena:GetWorkGroup",
                "athena:CreateWorkGroup"
            ],
            "Resource": [
                "arn:aws:athena:us-east-1:123456789012:workgroup/workgroupA"
            ]
        }
    ]
}
```

**Example policy for running queries in a specified workgroup**  
In the following policy, a user is allowed to run queries in the specified `workgroupA`, and view them. The user is not allowed to perform management tasks for the workgroup itself, such as updating or deleting it. Note that the example policy does not limit users to only this workgroup or deny access to other workgroups.    

```
{
    "Version": "2012-10-17",
    "Statement": [
       {
            "Effect": "Allow",
            "Action": [
                "athena:ListEngineVersions",
                "athena:ListWorkGroups",
                "athena:ListDataCatalogs",
                "athena:ListDatabases",
                "athena:GetDatabase",
                "athena:ListTableMetadata",
                "athena:GetTableMetadata"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "athena:GetWorkGroup", 
                "athena:BatchGetQueryExecution",
                "athena:GetQueryExecution",
                "athena:ListQueryExecutions",
                "athena:StartQueryExecution",
                "athena:StopQueryExecution",
                "athena:GetQueryResults",
                "athena:GetQueryResultsStream",
                "athena:CreateNamedQuery",
                "athena:GetNamedQuery",
                "athena:BatchGetNamedQuery",
                "athena:ListNamedQueries",
                "athena:DeleteNamedQuery",
                "athena:CreatePreparedStatement",
                "athena:GetPreparedStatement",
                "athena:ListPreparedStatements",
                "athena:UpdatePreparedStatement",
                "athena:DeletePreparedStatement"
            ],
            "Resource": [
                "arn:aws:athena:us-east-1:123456789012:workgroup/workgroupA"
            ]
        }
    ]
}
```

**Example policy for running queries in the primary workgroup**  
You can modify the preceding example to allow a particular user to also run queries in the primary workgroup.   
We recommend that you add the primary workgroup resource for all users who are otherwise configured to run queries in their designated workgroups. Adding this resource to their workgroup user policies is useful in case their designated workgroup is deleted or is disabled. In this case, they can continue running queries in the primary workgroup.
To allow users in your account to run queries in the primary workgroup, add a line that contains the ARN of the primary workgroup to the resource section of the [Example policy for running queries in a specified workgroup](#example3-user-access), as in the following example.  

```
"arn:aws:athena:us-east-1:123456789012:workgroup/primary"
```
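The workgroup-ARN scoping described earlier in this section and the primary-workgroup addition just above, as an added example that is not part of the Athena documentation: a small Python model of how IAM evaluates Allow/Deny statements with `*` wildcards against a workgroup ARN, so you can check what a policy shape grants before attaching it. `workgroup_arn`, `is_allowed`, `QUERY_POLICY` and the workgroup names are assumptions of the example; condition keys are not modelled.

```python
# Added example, not code from the Athena documentation: a minimal model of
# how IAM evaluates the identity-based policies on this page. It covers only
# what those examples use: Allow/Deny, "*" wildcards in Action and Resource,
# and the implicit deny when nothing matches. Condition keys are not modelled.
import fnmatch

def workgroup_arn(region: str, account: str, name: str) -> str:
    """Build a workgroup ARN in the form the page specifies."""
    return f"arn:aws:athena:{region}:{account}:workgroup/{name}"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value: str) -> bool:
    # IAM's "*" and "?" wildcards mean the same as fnmatch's.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """True if the policy grants action on resource: an explicit Deny wins
    over any Allow, and a request no Allow matches is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

# Constructed policy (hypothetical names): the page's "running queries in a
# specified workgroup" shape, with the primary workgroup ARN added to the
# Resource list as the page recommends.
ACCOUNT, REGION = "123456789012", "us-east-1"
WORKGROUP_A = workgroup_arn(REGION, ACCOUNT, "workgroupA")
PRIMARY = workgroup_arn(REGION, ACCOUNT, "primary")
QUERY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["athena:ListWorkGroups", "athena:ListEngineVersions"]},
        {"Effect": "Allow", "Resource": [WORKGROUP_A, PRIMARY],
         "Action": ["athena:GetWorkGroup", "athena:StartQueryExecution",
                    "athena:StopQueryExecution", "athena:GetQueryResults"]},
    ],
}

if __name__ == "__main__":
    for name in ("workgroupA", "primary", "workgroupB"):  # True, True, False
        print(name, is_allowed(QUERY_POLICY, "athena:StartQueryExecution", workgroup_arn(REGION, ACCOUNT, name)))
```

A query attempt in `workgroupB` is refused only by implicit deny, which is why the page notes that this policy shape does not deny access granted by other policies on the same principal.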

**Example policy for management operations on a specified workgroup**  
In the following policy, a user is allowed to create, delete, obtain details about, and update the workgroup `test_workgroup`.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "athena:ListEngineVersions"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "athena:CreateWorkGroup",
                "athena:GetWorkGroup",
                "athena:DeleteWorkGroup",
                "athena:UpdateWorkGroup"
            ],
            "Resource": [
                "arn:aws:athena:us-east-1:123456789012:workgroup/test_workgroup"
            ]
        }
    ]
}
```

**Example policy for listing workgroups**  
The following policy allows all users to list all workgroups:    

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "athena:ListWorkGroups"
            ],
            "Resource": "*"
        }
    ]
}
```

**Example policy for running and stopping queries in a specific workgroup**  
In this policy, a user is allowed to run and stop queries in the workgroup `test_workgroup`:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "athena:StartQueryExecution",
                "athena:StopQueryExecution"
            ],
            "Resource": [
                "arn:aws:athena:us-east-1:123456789012:workgroup/test_workgroup"
            ]
        }
    ]
}
```

**Example policy for working with named queries in a specific workgroup**  
In the following policy, a user has permissions to create, delete, and obtain information about named queries in the specified workgroup:    

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "athena:CreateNamedQuery",
                "athena:GetNamedQuery",
                "athena:DeleteNamedQuery"
            ],
            "Resource": [
                "arn:aws:athena:us-east-1:123456789012:workgroup/test_workgroup"
            ]
        }
    ]
}
```

**Example policy for working with Spark notebooks in Athena**  
Use a policy like the following to work with Spark notebooks in Athena.    

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCreatingWorkGroupWithDefaults",
            "Action": [
                "athena:CreateWorkGroup",
                "s3:CreateBucket",
                "iam:CreateRole",
                "iam:CreatePolicy",
                "iam:AttachRolePolicy",
                "s3:GetBucketLocation",
                "athena:ImportNotebook"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:athena:us-east-1:123456789012:workgroup/Demo*",
                "arn:aws:s3:::123456789012-us-east-1-athena-results-bucket-*",
                "arn:aws:iam::123456789012:role/service-role/AWSAthenaSparkExecutionRole-*",
                "arn:aws:iam::123456789012:policy/service-role/AWSAthenaSparkRolePolicy-*"
            ]
        },
        {
            "Sid": "AllowRunningCalculations",
            "Action": [
                "athena:ListWorkGroups",
                "athena:GetWorkGroup",
                "athena:StartSession",
                "athena:CreateNotebook",
                "athena:ListNotebookMetadata",
                "athena:ListNotebookSessions",
                "athena:GetSessionStatus",
                "athena:GetSession",
                "athena:GetNotebookMetadata",
                "athena:CreatePresignedNotebookUrl"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:athena:us-east-1:123456789012:workgroup/Demo*"
        },
        {
            "Sid": "AllowListWorkGroupAndEngineVersions",
            "Action": [
                "athena:ListWorkGroups",
                "athena:ListEngineVersions"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```