From 730599633bbc23c24d762e40ee09af617931d39f Mon Sep 17 00:00:00 2001
From: Momchil Petrov <79105432+Smoothex@users.noreply.github.com>
Date: Mon, 23 Jun 2025 12:00:04 +0200
Subject: [PATCH 1/3] replace deprecated APIs in AthenaQueryPolicy
---
 .../policy_templates.json | 22 ++++++++++++++-----
 1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/samtranslator/policy_templates_data/policy_templates.json b/samtranslator/policy_templates_data/policy_templates.json
index e50f447923..a045c3fedb 100644
--- a/samtranslator/policy_templates_data/policy_templates.json
+++ b/samtranslator/policy_templates_data/policy_templates.json
@@ -122,13 +122,23 @@
 {
 "Action": [
 "athena:ListWorkGroups",
- "athena:GetExecutionEngine",
+ "athena:GetWorkGroup",
 "athena:GetExecutionEngines",
- "athena:GetNamespace",
- "athena:GetCatalogs",
- "athena:GetNamespaces",
- "athena:GetTables",
- "athena:GetTable"
+ "athena:GetDatabase",
+ "athena:ListDataCatalogs",
+ "athena:ListDatabases",
+ "athena:ListTableMetadata",
+ "athena:GetTableMetadata"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ },
+ {
+ "Action": [
+ "glue:GetDatabases",
+ "glue:GetDatabase",
+ "glue:GetTables",
+ "glue:GetTable"
 ],
 "Effect": "Allow",
 "Resource": "*"
From de033566de2eed5e77d36cbee6f01594e87c5983 Mon Sep 17 00:00:00 2001
From: Momchil Petrov <79105432+Smoothex@users.noreply.github.com>
Date: Wed, 10 Sep 2025 10:43:45 +0000
Subject: [PATCH 2/3] introduce AthenaQueryPolicy_v2
---
 .../policy_templates.json | 87 ++++++++++++++++++-
 .../input/all_policy_templates.yaml | 5 ++
 .../output/all_policy_templates.json | 84 ++++++++++++++++++
 .../output/aws-cn/all_policy_templates.json | 84 ++++++++++++++++++
 .../aws-us-gov/all_policy_templates.json | 84 ++++++++++++++++++
 5 files changed, 343 insertions(+), 1 deletion(-)
diff --git a/samtranslator/policy_templates_data/policy_templates.json b/samtranslator/policy_templates_data/policy_templates.json
index a045c3fedb..40cf6c6fb4 100644
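Review bot: `athena:GetWorkGroup` is added to the statement whose `Resource` is `"*"`, while the policy's second statement (outside this hunk, visible re-added in the next patch) grants the same action scoped to the workgroup ARN built from `WorkGroupName`; the wildcard grant supersedes that scoping, so the role can read the configuration of any workgroup in the account. Dropping `"athena:GetWorkGroup",` from this statement leaves the action only on the workgroup-scoped one, and `athena:ListWorkGroups`, which as far as I know cannot be resource-scoped, already covers discovery. The same duplication is carried into the `AthenaQueryPolicy_v2` expected outputs in the three `all_policy_templates.json` fixtures in the second patch. `athena:GetExecutionEngines` is kept even though its sibling `GetExecutionEngine` is removed; if both belong to the same legacy action set it should go too, which is worth confirming against the Athena service authorization reference before merging.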
--- a/samtranslator/policy_templates_data/policy_templates.json
+++ b/samtranslator/policy_templates_data/policy_templates.json
@@ -117,6 +117,60 @@
 }
 },
 "AthenaQueryPolicy": {
+ "Definition": {
+ "Statement": [
+ {
+ "Action": [
+ "athena:ListWorkGroups",
+ "athena:GetExecutionEngine",
+ "athena:GetExecutionEngines",
+ "athena:GetNamespace",
+ "athena:GetCatalogs",
+ "athena:GetNamespaces",
+ "athena:GetTables",
+ "athena:GetTable"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ },
+ {
+ "Action": [
+ "athena:StartQueryExecution",
+ "athena:GetQueryResults",
+ "athena:DeleteNamedQuery",
+ "athena:GetNamedQuery",
+ "athena:ListQueryExecutions",
+ "athena:StopQueryExecution",
+ "athena:GetQueryResultsStream",
+ "athena:ListNamedQueries",
+ "athena:CreateNamedQuery",
+ "athena:GetQueryExecution",
+ "athena:BatchGetNamedQuery",
+ "athena:BatchGetQueryExecution",
+ "athena:GetWorkGroup"
+ ],
+ "Effect": "Allow",
+ "Resource": {
+ "Fn::Sub": [
+ "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${workgroupName}",
+ {
+ "workgroupName": {
+ "Ref": "WorkGroupName"
+ }
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "Description": "Gives permissions to execute Athena queries",
+ "Parameters": {
+ "WorkGroupName": {
+ "Description": "Name of the Athena Workgroup"
+ }
+ }
+ },
+ "AthenaQueryPolicy_v2": {
 "Definition": {
 "Statement": [
 {
@@ -141,7 +195,32 @@
 "glue:GetTable"
 ],
 "Effect": "Allow",
- "Resource": "*"
+ "Resource": [
+ "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog",
+ {
+ "Fn::Sub": [
+ "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${databaseName}",
+ {
+ "databaseName": {
+ "Ref": "DatabaseName"
+ }
+ }
+ ]
+ },
+ {
+ "Fn::Sub": [
+ "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${databaseName}/${tableName}",
+ {
+ "databaseName": {
+ "Ref": "DatabaseName"
+ },
+ "tableName": {
+ "Ref": "TableName"
+ }
+ }
+ ]
+ }
+ ]
 },
 {
 "Action": [
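Review bot: The re-added `AthenaQueryPolicy` deliberately keeps the legacy action set (`athena:GetExecutionEngine`, `GetNamespace`, `GetCatalogs`, `GetNamespaces`, `GetTables`, `GetTable`) that the first patch removed, yet nothing in the file records why it survives next to `AthenaQueryPolicy_v2` or which one a new template should use. JSON allows no comments, so the `Description` string is the only place to say so; something like `"Description": "Gives permissions to execute Athena queries (legacy action set kept for existing templates; prefer AthenaQueryPolicy_v2)"` would do. The v2 `Description` lies outside this hunk; it is worth checking that it mentions the new `DatabaseName` and `TableName` parameters, since they change what the template grants.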
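Review bot: The first element of the new glue `Resource` list, `"arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog"`, is a plain string rather than an `Fn::Sub` like the database and table entries beside it, so the `${AWS::Partition}`, `${AWS::Region}` and `${AWS::AccountId}` placeholders are never substituted and reach the role policy literally; the expected outputs in the three `all_policy_templates.json` fixtures show that same literal passed through unchanged. A literal of that form matches no real catalog ARN, so calls evaluated against the catalog (presumably `glue:GetDatabases` at least) would be denied once deployed. Wrap it as `{ "Fn::Sub": "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog" },` and regenerate the three fixtures. The enclosing statement starts before this hunk.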
@@ -177,6 +256,12 @@
 "Parameters": {
 "WorkGroupName": {
 "Description": "Name of the Athena Workgroup"
+ },
+ "DatabaseName": {
+ "Description": "Name of the Athena Workgroup"
+ },
+ "TableName": {
+ "Description": "Name of the Athena Workgroup"
 }
 }
 },
diff --git a/tests/translator/input/all_policy_templates.yaml b/tests/translator/input/all_policy_templates.yaml
index ab1f8d596b..d251a89f65 100644
--- a/tests/translator/input/all_policy_templates.yaml
+++ b/tests/translator/input/all_policy_templates.yaml
@@ -160,6 +160,11 @@ Resources:
 - AthenaQueryPolicy:
 WorkGroupName: name
+ - AthenaQueryPolicy_v2:
+ WorkGroupName: name
+ DatabaseName: name
+ TableName: name
+
 - S3WritePolicy:
 BucketName: name
diff --git a/tests/translator/output/all_policy_templates.json b/tests/translator/output/all_policy_templates.json
index c42a0314ad..d470fa6999 100644
--- a/tests/translator/output/all_policy_templates.json
+++ b/tests/translator/output/all_policy_templates.json
@@ -1751,6 +1751,90 @@
 ]
 },
 "PolicyName": "KitchenSinkFunctionRolePolicy64"
+ },
+ {
+ "PolicyDocument": {
+ "Statement": [
+ {
+ "Action": [
+ "athena:ListWorkGroups",
+ "athena:GetWorkGroup",
+ "athena:GetExecutionEngines",
+ "athena:GetDatabase",
+ "athena:ListDataCatalogs",
+ "athena:ListDatabases",
+ "athena:ListTableMetadata",
+ "athena:GetTableMetadata"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ },
+ {
+ "Action": [
+ "glue:GetDatabases",
+ "glue:GetDatabase",
+ "glue:GetTables",
+ "glue:GetTable"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog",
+ {
+ "Fn::Sub": [
+ "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${databaseName}",
+ {
+ "databaseName": {
+ "Ref": "DatabaseName"
+ }
+ }
+ ]
+ },
+ {
+ "Fn::Sub": [
+ "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${databaseName}/${tableName}",
+ {
+ "databaseName": {
+ "Ref": "DatabaseName"
+ },
+ "tableName": {
+ "Ref": "TableName"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "Action": [
+ "athena:StartQueryExecution",
+ "athena:GetQueryResults",
+ "athena:DeleteNamedQuery",
+ "athena:GetNamedQuery",
+ "athena:ListQueryExecutions",
+ "athena:StopQueryExecution",
+ "athena:GetQueryResultsStream",
+ "athena:ListNamedQueries",
+ "athena:CreateNamedQuery",
+ "athena:GetQueryExecution",
+ "athena:BatchGetNamedQuery",
+ "athena:BatchGetQueryExecution",
+ "athena:GetWorkGroup"
+ ],
+ "Effect": "Allow",
+ "Resource": {
+ "Fn::Sub": [
+ "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${workgroupName}",
+ {
+ "workgroupName": {
+ "Ref": "WorkGroupName"
+ }
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "PolicyName": "KitchenSinkFunctionRolePolicy65"
 }
 ],
 "Tags": [
diff --git a/tests/translator/output/aws-cn/all_policy_templates.json b/tests/translator/output/aws-cn/all_policy_templates.json
index 7a6f70009e..01c24c4559 100644
--- a/tests/translator/output/aws-cn/all_policy_templates.json
+++ b/tests/translator/output/aws-cn/all_policy_templates.json
@@ -1751,6 +1751,90 @@
 ]
 },
 "PolicyName": "KitchenSinkFunctionRolePolicy64"
+ },
+ {
+ "PolicyDocument": {
+ "Statement": [
+ {
+ "Action": [
+ "athena:ListWorkGroups",
+ "athena:GetWorkGroup",
+ "athena:GetExecutionEngines",
+ "athena:GetDatabase",
+ "athena:ListDataCatalogs",
+ "athena:ListDatabases",
+ "athena:ListTableMetadata",
+ "athena:GetTableMetadata"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ },
+ {
+ "Action": [
+ "glue:GetDatabases",
+ "glue:GetDatabase",
+ "glue:GetTables",
+ "glue:GetTable"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog",
+ {
+ "Fn::Sub": [
+ "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${databaseName}",
+ {
+ "databaseName": {
+ "Ref": "DatabaseName"
+ }
+ }
+ ]
+ },
+ {
+ "Fn::Sub": [
+ "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${databaseName}/${tableName}",
+ {
+ "databaseName": {
+ "Ref": "DatabaseName"
+ },
+ "tableName": {
+ "Ref": "TableName"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "Action": [
+ "athena:StartQueryExecution",
+ "athena:GetQueryResults",
+ "athena:DeleteNamedQuery",
+ "athena:GetNamedQuery",
+ "athena:ListQueryExecutions",
+ "athena:StopQueryExecution",
+ "athena:GetQueryResultsStream",
+ "athena:ListNamedQueries",
+ "athena:CreateNamedQuery",
+ "athena:GetQueryExecution",
+ "athena:BatchGetNamedQuery",
+ "athena:BatchGetQueryExecution",
+ "athena:GetWorkGroup"
+ ],
+ "Effect": "Allow",
+ "Resource": {
+ "Fn::Sub": [
+ "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${workgroupName}",
+ {
+ "workgroupName": {
+ "Ref": "WorkGroupName"
+ }
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "PolicyName": "KitchenSinkFunctionRolePolicy65"
 }
 ],
 "Tags": [
diff --git a/tests/translator/output/aws-us-gov/all_policy_templates.json b/tests/translator/output/aws-us-gov/all_policy_templates.json
index bc6e666d95..971195d79b 100644
--- a/tests/translator/output/aws-us-gov/all_policy_templates.json
+++ b/tests/translator/output/aws-us-gov/all_policy_templates.json
@@ -1751,6 +1751,90 @@
 ]
 },
 "PolicyName": "KitchenSinkFunctionRolePolicy64"
+ },
+ {
+ "PolicyDocument": {
+ "Statement": [
+ {
+ "Action": [
+ "athena:ListWorkGroups",
+ "athena:GetWorkGroup",
+ "athena:GetExecutionEngines",
+ "athena:GetDatabase",
+ "athena:ListDataCatalogs",
+ "athena:ListDatabases",
+ "athena:ListTableMetadata",
+ "athena:GetTableMetadata"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
+ },
+ {
+ "Action": [
+ "glue:GetDatabases",
+ "glue:GetDatabase",
+ "glue:GetTables",
+ "glue:GetTable"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog",
+ {
+ "Fn::Sub": [
+ "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${databaseName}",
+ {
+ "databaseName": {
+ "Ref": "DatabaseName"
+ }
+ }
+ ]
+ },
+ {
+ "Fn::Sub": [
+ "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${databaseName}/${tableName}",
+ {
+ "databaseName": {
+ "Ref": "DatabaseName"
+ },
+ "tableName": {
+ "Ref": "TableName"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "Action": [
+ "athena:StartQueryExecution",
+ "athena:GetQueryResults",
+ "athena:DeleteNamedQuery",
+ "athena:GetNamedQuery",
+ "athena:ListQueryExecutions",
+ "athena:StopQueryExecution",
+ "athena:GetQueryResultsStream",
+ "athena:ListNamedQueries",
+ "athena:CreateNamedQuery",
+ "athena:GetQueryExecution",
+ "athena:BatchGetNamedQuery",
+ "athena:BatchGetQueryExecution",
+ "athena:GetWorkGroup"
+ ],
+ "Effect": "Allow",
+ "Resource": {
+ "Fn::Sub": [
+ "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${workgroupName}",
+ {
+ "workgroupName": {
+ "Ref": "WorkGroupName"
+ }
+ }
+ ]
+ }
+ }
+ ]
+ },
+ "PolicyName": "KitchenSinkFunctionRolePolicy65"
 }
 ],
 "Tags": [
From 3216a1b81634100d5bd8625a4362b479989cdfa7 Mon Sep 17 00:00:00 2001
From: Momchil Petrov <79105432+Smoothex@users.noreply.github.com>
Date: Mon, 15 Sep 2025 10:46:58 +0200
Subject: [PATCH 3/3] Update descriptions for Glue Database and Table
---
 samtranslator/policy_templates_data/policy_templates.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/samtranslator/policy_templates_data/policy_templates.json b/samtranslator/policy_templates_data/policy_templates.json
index 40cf6c6fb4..ea4e754f33 100644
--- a/samtranslator/policy_templates_data/policy_templates.json
+++ b/samtranslator/policy_templates_data/policy_templates.json
@@ -258,10 +258,10 @@
 "Description": "Name of the Athena Workgroup"
 },
 "DatabaseName": {
- "Description": "Name of the Athena Workgroup"
+ "Description": "Name of the Glue Database"
 },
 "TableName": {
- "Description": "Name of the Athena Workgroup"
+ "Description": "Name of the Glue Table"
 }
 }
 },