Reputation:
I set up an Athena table via Glue in my account that is supposed to query the data in my friends account. My friend created an IAM role I can assume that has permission to access the S3 data.
My Athena queries error out complaining that they don't have permission to access the S3 bucket. Is there a way to make Athena assume the role so it can get to the S3 bucket?
Upvotes: 3
Views: 8922
Reputation: 1
Cross Account enablement is not required.
Have the Athena Policy/Resource Level Policy
Create a Role (to be assumed by another account B) and attach the Policy created in step 1
Update the Trusted Entities: Include the IAM User/ Role in another account B
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::Account B:user/User A"
                ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}
Create a Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [
                "arn:aws:iam::Account A:role/Role Created in Step 2 as Hosting Account A"
            ]
        }
    ]
}
Attach the Policy to the User
Upvotes: -1
Reputation: 14029
Assuming roles through Athena is currently not possible. AWS does suggest using bucket policies for accessing S3 buckets across accounts.
The only currently possible setup is described over here in the "Cross-account Permissions" section.
Upvotes: 4
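As an added illustration of the bucket-policy approach the answer above points to (this is not code from either answerer), here is what the bucket owner (the friend's account) would attach to the data bucket so that a principal in the querying account can run Athena against it. The account IDs, bucket name and role name are placeholders; the querying account still needs a matching IAM policy on its own principal granting the same s3:GetObject/s3:ListBucket actions on this bucket, since cross-account S3 access requires both sides to allow it. Nothing here involves sts:AssumeRole, which is the point of the answer: Athena runs as the caller's own identity, so the bucket must trust that identity directly.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCrossAccountAthenaRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111111111111:role/athena-query-role"
            },
            "Action": [
                "s3:GetObject",
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::example-shared-data-bucket",
                "arn:aws:s3:::example-shared-data-bucket/*"
            ]
        }
    ]
}
```

The grant is scoped to read-only actions on a single bucket and a single named role (the role the Athena queries are actually run under in the querying account), rather than to the whole account, so the bucket owner can see exactly which principal has access and revoke it by deleting one statement. If Athena query results are written to a bucket in the querying account, that bucket needs no entry here; only the data being queried lives in the friend's account.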