AWS Athena (Pre-release)

Last updated 23 days ago

Amazon’s serverless, interactive query service that lets you analyze data directly in Amazon S3 using standard SQL.

Supported Connection Methods

Available methods for connections to the target system from Lumi AI:

Supported Limits

The following are limits that can be configured for the system to moderate access and usage from users in Lumi AI:

Available Parameters

These are the essential source system connection properties that all queries are directed to.

* Required parameters

Note: The Gateway parameter is common to all systems (when supported) and is only available when gateway is the selected connection method.

AWS Region*

The AWS Region where Athena and the S3 staging bucket reside.

👍 Valid Examples

  • us-east-1

  • us-west-2

👎 Invalid Examples

  • US-East-1

  • North America

Query Result Location*

The S3 URI (bucket + optional prefix) where Athena writes its query results.

👍 Valid Examples

  • s3://my-athena-bucket

  • s3://my-athena-bucket/staging

👎 Invalid Examples

  • /s3/my-athena-bucket

  • my-athena-bucket

Database*

The Athena database name.

👍 Valid Examples

  • analytics

  • default

👎 Invalid Examples

  • AwsDataCatalog.analytics

  • analytics.products

Role ARN*

The ARN (Amazon Resource Name) of the IAM role that will be assumed by Lumi to run queries against Athena.

👍 Valid Examples

  • arn:aws:iam::123456789012:role/lumi-athena-query-runner

👎 Invalid Examples

  • 123456789012:role/lumi-athena-query-runner

  • lumi-athena-query-runner
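
A pre-flight check for the four required parameters above, added here as an example and not taken from Lumi's own code. The patterns are assumptions inferred from the valid and invalid examples on this page, and the dictionary keys (`region`, `query_result_location`, `database`, `role_arn`) are hypothetical names.

```python
import re

# Patterns are assumptions inferred from the valid/invalid examples on this page;
# they are not Lumi's own validation rules. Field names are hypothetical.
RULES = {
    "region": (r"[a-z]{2}(-[a-z]+)+-\d", "lowercase region code such as us-east-1"),
    "query_result_location": (
        r"s3://[a-z0-9][a-z0-9.-]{1,61}[a-z0-9](/\S*)?",
        "S3 URI of the form s3://bucket[/prefix]",
    ),
    "database": (r"[A-Za-z0-9_]+", "bare database name without catalog or table qualifier"),
    "role_arn": (
        r"arn:aws[a-z-]*:iam::\d{12}:role/[A-Za-z0-9+=,.@_/-]+",
        "full IAM role ARN including the 12-digit account ID",
    ),
}


def validate_connection(params: dict) -> dict:
    """Return {field: problem} for every parameter that is missing or malformed."""
    problems = {}
    for field, (pattern, expected) in RULES.items():
        value = params.get(field)
        if not isinstance(value, str) or not value:
            problems[field] = "required parameter is missing"
        elif not re.fullmatch(pattern, value):  # fullmatch: no partial or trailing-newline matches
            problems[field] = f"{value!r} is not a {expected}"
    return problems


def role_account_id(role_arn: str) -> str:
    """Account that owns the role, to compare against the account that owns the buckets."""
    return role_arn.split(":")[4]


if __name__ == "__main__":
    # Constructed input built from the example values shown on this page.
    sample = {
        "region": "US-East-1",
        "query_result_location": "s3://my-athena-bucket/staging",
        "database": "analytics.products",
        "role_arn": "arn:aws:iam::123456789012:role/lumi-athena-query-runner",
    }
    for field, problem in validate_connection(sample).items():
        print(f"{field}: {problem}")
```
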

System Permissions & Configuration

You will need to create a cross-account IAM role whose trust policy allows Lumi's AWS account to run queries against Athena.

Create IAM policy with limited access to your Athena instance

  1. Navigate to IAM → Policies → Create policy.

  2. Select the JSON option and paste the following snippet, replacing your-data-bucket and your-athena-staging-bucket with the names of your S3 Athena data bucket and your S3 staging (query results) bucket, respectively.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAthenaQueries",
      "Effect": "Allow",
      "Action": [
        "athena:StartQueryExecution",
        "athena:GetQueryExecution",
        "athena:GetQueryResults",
        "athena:ListQueryExecutions"
      ],
      "Resource": "*"
    },
    {
      "Sid": "ReadDataBucket",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::your-data-bucket",
        "arn:aws:s3:::your-data-bucket/*"
      ]
    },
    {
      "Sid": "UseStagingBucket",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::your-athena-staging-bucket/*"
    }
  ]
}
  3. Click Next.

  4. Name the policy AthenaQueryPermissions and click Create Policy.

Create a Cross-Account IAM Role with the above IAM policy

  1. Navigate to IAM → Roles → Create role.

  2. Select the Custom trust policy option and paste the following snippet, replacing lumi-account-id with Lumi's Account ID and lumi-external-id with Lumi's external ID (provided during onboarding).

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::lumi-account-id:role/athena-query-runner"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "lumi-external-id"
        }
      }
    }
  ]
}
  3. Click Next.

  4. Under Permissions policies, search for AthenaQueryPermissions and select it.

  5. Click Next.

  6. Name the role athena-query-runner and click Create Role.
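
The external ID condition in the trust policy above is what stops another tenant of the same vendor account from having the vendor assume your role on their behalf. The following audit is an added example, not part of Lumi's documentation or tooling: it checks an exported trust policy for an unreplaced template placeholder, an over-broad principal, and a missing `sts:ExternalId` condition. Account ID 111122223333 and the external ID in the samples are constructed values.

```python
import json

PLACEHOLDERS = ("lumi-account-id", "lumi-external-id")  # template tokens from this page


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy: dict) -> list:
    """Return findings for a role trust policy; an empty list means every check passed."""
    findings = []
    if any(token in json.dumps(policy) for token in PLACEHOLDERS):
        findings.append("template placeholder not replaced")
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        # IAM action names and condition keys are case-insensitive, so compare lowercased.
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for arn in _as_list(aws):
            if arn == "*":
                findings.append(f"statement {i}: any AWS principal may assume the role")
            elif arn.isdigit() or arn.endswith(":root"):
                findings.append(f"statement {i}: trusts a whole account, not a single role")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if not {k.lower(): v for k, v in equals.items()}.get("sts:externalid"):
            findings.append(f"statement {i}: no StringEquals condition on sts:ExternalId")
    return findings


def trust_policy(principal_arn: str, external_id=None) -> dict:
    """Build a policy shaped like the one above; used only to create sample input."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": principal_arn}, "Action": "sts:AssumeRole"}
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


if __name__ == "__main__":
    # Constructed samples: the pasted template, a filled-in policy, and a wildcard principal.
    samples = {
        "template": trust_policy("arn:aws:iam::lumi-account-id:role/athena-query-runner", "lumi-external-id"),
        "filled-in": trust_policy("arn:aws:iam::111122223333:role/athena-query-runner", "example-external-id-0001"),
        "wildcard": trust_policy("*"),
    }
    for name, policy in samples.items():
        print(name, audit_trust_policy(policy) or "OK")
```
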

Lock Down Your Athena S3 Buckets with Bucket Policies

Data bucket

  1. Navigate to your S3 Athena data bucket and click on Permissions.

  2. Click the Edit button beside Bucket policy and append the following statement to your policy, replacing your-data-bucket with the name of your S3 Athena data bucket and lumi-account-id with Lumi's Account ID.

    {
      "Effect":"Allow",
      "Principal": {
        "AWS":"arn:aws:iam::lumi-account-id:role/lumi-athena-query-runner"
      },
      "Action":["s3:ListBucket","s3:GetObject"],
      "Resource":[
        "arn:aws:s3:::your-data-bucket",
        "arn:aws:s3:::your-data-bucket/*"
      ]
    }
  3. Click Save changes.

Staging (query results) bucket

  1. Navigate to your S3 Athena staging (query results) bucket and click on Permissions.

  2. Click the Edit button beside Bucket policy and append the following statement to your policy, replacing your-athena-staging-bucket with the name of your S3 Athena staging (query results) bucket and lumi-account-id with Lumi's Account ID.

    {
      "Effect":"Allow",
      "Principal": {
        "AWS":"arn:aws:iam::lumi-account-id:role/lumi-athena-query-runner"
      },
      "Action":["s3:PutObject","s3:GetObject"],
      "Resource":"arn:aws:s3:::your-athena-staging-bucket/*"
    }
  3. Click Save changes.
