Connect to Athena
You will connect Elementary Cloud to Athena for syncing the Elementary schema (created by the Elementary dbt package).
Create a user for Elementary Cloud
On your dbt project, run:
This command will generate a query to create a user with the necessary permissions. Run this query on your data warehouse with admin permissions to create the user.
Permissions and security
Elementary Cloud doesn't require read permissions on your tables and schemas. It needs only the following:
- Read-only access to the elementary schema.
- Access to read metadata in information schema and query history, related to the tables in your dbt project.
It is recommended to create a user using the instructions specified above to avoid granting excess privileges. For more details, refer to security and privacy.
AWS Setup
1. Create Required IAM Policy
First, you'll need to create an IAM policy with the following permissions:
- AthenaPermissions: Allows executing and retrieving query results from Athena
- GluePermissions: Enables reading metadata about databases and tables
- S3AccessForStagingBuckets: Provides full access to store Athena query results
- S3AccessForElementarySchema: Grants read-only access to your elementary schema
Here is an example of a JSON policy:
2. Choose Authentication Method
Elementary supports two authentication methods for connecting to Athena:
Option 1: AWS Role Authentication (Recommended)
This is the recommended approach as it provides better security and follows AWS best practices. Learn more about AWS IAM roles.
- Create an IAM Role:
  - Go to AWS IAM Console
  - Create a new role
  - Select "Another AWS account" as the trusted entity
  - Enter Elementary's AWS account ID: 743289191656
  - (Optional but recommended) Enable "Require external ID" and set a value
  - Attach the policy created in step 1
- Note down the following information:
  - Role ARN
  - External ID (if you enabled it). Learn more about external IDs.
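As an added example (not Elementary's code), the following Python check audits the trust policy of the role created above: it confirms that only the Elementary account ID given on this page can assume the role and that an `sts:ExternalId` condition is present. The sample policy and its external ID value are constructed placeholders, and the function name `audit_trust_policy` is hypothetical.

```python
import json

ELEMENTARY_ACCOUNT_ID = "743289191656"  # account ID stated on this page

# Constructed sample trust policy; the external ID value is a placeholder.
SAMPLE_TRUST_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::743289191656:root"},
   "Action": "sts:AssumeRole",
   "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}
 }]}
""")


def _as_list(value):
    """IAM accepts either a single value or a list in most policy fields."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _account_of(principal):
    """Account ID from an ARN principal, or the bare account ID as given."""
    parts = principal.split(":")
    return parts[4] if parts[0] == "arn" and len(parts) >= 6 else principal


def audit_trust_policy(policy, expected_account=ELEMENTARY_ACCOUNT_ID):
    """Return findings for a role trust policy; an empty list means it passed."""
    findings, trusted = [], False
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if stmt.get("Effect") != "Allow" or "sts:assumerole" not in actions:
            continue
        principal = stmt.get("Principal")
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        for p in aws:
            if p == "*":
                findings.append(f"statement {i}: wildcard principal")
            elif _account_of(p) != expected_account:
                findings.append(f"statement {i}: unexpected principal {p}")
            else:
                trusted = True
        # Without an external ID condition the role is open to confused-deputy use.
        eq = stmt.get("Condition", {}).get("StringEquals", {})
        if not any(k.lower() == "sts:externalid" for k in eq):
            findings.append(f"statement {i}: no sts:ExternalId condition")
    if not trusted:
        findings.append("no statement lets the expected account assume the role")
    return findings
```

To audit a live role, pass the parsed `AssumeRolePolicyDocument` of the role to `audit_trust_policy`.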
Option 2: Access Key Authentication
This method is less secure as it requires permanent credentials. We recommend using AWS Role authentication instead.
- Create an IAM User:
  - Go to AWS IAM Console
  - Create a new user that Elementary will use to query Athena
  - Enable programmatic access
  - Attach the policy created in step 1
- Note down the following information:
  - AWS Access Key ID of the new Elementary Athena user
  - AWS Secret Access Key of the new Elementary Athena user
Elementary Configuration
Connection Settings
Regardless of the authentication method you choose, you'll need to provide:
- Region: The AWS region where your Athena instance is located
- Database: The name of the database where your Elementary schema exists
- Schema: The name of your Elementary schema. Usually [schema name]_elementary
- S3 Staging Directory: The S3 path where Athena query results will be stored
- Workgroup: (Optional) Your Athena workgroup name
Authentication Details
Based on your chosen authentication method:
If using AWS Role Authentication:
- Select "AWS Role" as the authentication method
- Enter your role ARN
- Enter your external ID (if you enabled it)
If using Access Key Authentication:
- Select "Access Key" as the authentication method
- Enter your AWS Access Key ID
- Enter your AWS Secret Access Key
Need help with onboarding?
We can provide support on Slack or hop on an onboarding call.