# Control access to data catalogs with IAM policies
<a name="datacatalogs-iam-policy"></a>

To control access to data catalogs, use resource-level IAM permissions or identity-based IAM policies. 

The following procedure is specific to Athena. 

For IAM-specific information, see the links listed at the end of this section. For information about example JSON data catalog policies, see [Data Catalog example policies](datacatalogs-example-policies.md).

**To use the visual editor in the IAM console to create a data catalog policy**

1. Sign in to the AWS Management Console and open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane on the left, choose **Policies**, and then choose **Create policy**.

1. On the **Visual editor** tab, choose **Choose a service**. Then choose Athena to add to the policy.

1. Choose **Select actions**, and then choose the actions to add to the policy. The visual editor shows the actions available in Athena. For more information, see [Actions, resources, and condition keys for Amazon Athena](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonathena.html) in the *Service Authorization Reference*.

1. Choose **add actions** to type a specific action or use wildcards (\$1) to specify multiple actions. 

   By default, the policy that you are creating allows the actions that you choose. If you chose one or more actions that support resource-level permissions to the `datacatalog` resource in Athena, then the editor lists the `datacatalog` resource. 

1. Choose **Resources** to specify the specific data catalogs for your policy. For example JSON data catalog policies, see [Data Catalog example policies](datacatalogs-example-policies.md).

1. Specify the `datacatalog` resource as follows:

   ```
   arn:aws:athena:<region>:<user-account>:datacatalog/<datacatalog-name>
   ```

1. Choose **Review policy**, and then type a **Name** and a **Description** (optional) for the policy that you are creating. Review the policy summary to make sure that you granted the intended permissions. 

1. Choose **Create policy** to save your new policy.

1. Attach this identity-based policy to a user, a group, or role and specify the `datacatalog` resources they can access.

For more information, see the following topics in the *Service Authorization Reference* and the *IAM User Guide*:
+ [Actions, resources, and condition keys for Amazon Athena](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonathena.html)
+ [Creating policies with the visual editor](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-visual-editor)
+ [Adding and removing IAM policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html)
+ [Controlling access to resources](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_controlling.html#access_controlling-resources)

For example JSON data catalog policies, see [Data Catalog example policies](datacatalogs-example-policies.md).

For information about AWS Glue permissions and AWS Glue crawler permissions, see [Setting up IAM permissions for AWS Glue](https://docs.aws.amazon.com/glue/latest/dg/getting-started-access.html) and [Crawler prerequisites](https://docs.aws.amazon.com/glue/latest/dg/crawler-prereqs.html) in the *AWS Glue Developer Guide*.

For a complete list of Amazon Athena actions, see the API action names in the [Amazon Athena API Reference](https://docs.aws.amazon.com/athena/latest/APIReference/). 

# Data Catalog example policies
<a name="datacatalogs-example-policies"></a>

This section includes example policies you can use to enable various actions on data catalogs.

A data catalog is an IAM resource managed by Athena. Therefore, if your data catalog policy uses actions that take `datacatalog` as an input, you must specify the data catalog's ARN as follows:

```
"Resource": [arn:aws:athena:<region>:<user-account>:datacatalog/<datacatalog-name>]
```

The `<datacatalog-name>` is the name of your data catalog. For example, for a data catalog named `test_datacatalog`, specify it as a resource as follows:

```
"Resource": ["arn:aws:athena:us-east-1:123456789012:datacatalog/test_datacatalog"]
```

For a complete list of Amazon Athena actions, see the API action names in the [Amazon Athena API Reference](https://docs.aws.amazon.com/athena/latest/APIReference/). For more information about IAM policies, see [Creating policies with the visual editor](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-visual-editor) in the *IAM User Guide*. For more information about creating IAM policies for workgroups, see [Control access to data catalogs with IAM policies](datacatalogs-iam-policy.md).
+ [Example Policy for Full Access to All Data Catalogs](#datacatalog-policy-full-access-to-all-data-catalogs)
+ [Example Policy for Full Access to a Specified Data Catalog](#datacatalog-policy-full-access-to-a-specified-catalog)
+ [Example Policy for Querying a Specified Data Catalog](#datacatalog-policy-querying-a-specified-data-catalog)
+ [Example Policy for Management Operations on a Specified Data Catalog](#datacatalog-policy-management-operations-on-a-specified-catalog)
+ [Example Policy for Listing Data Catalogs](#datacatalog-policy-listing-data-catalogs)
+ [Example Policy for Metadata Operations on Data Catalogs](#datacatalog-policy-metadata-operations)

**Example policy for full access to all data catalogs**  
The following policy allows full access to all data catalog resources that might exist in the account. We recommend that you use this policy for those users in your account that must administer and manage data catalogs for all other users.    
****  

```
{
   "Version":"2012-10-17",		 	 	 
   "Statement":[
      {
         "Effect":"Allow",
         "Action":[
            "athena:*"
         ],
         "Resource":[
            "*"
         ]
      }
   ]
}
```

**Example policy for full access to a specified Data Catalog**  
The following policy allows full access to the single specific data catalog resource, named `datacatalogA`. You could use this policy for users with full control over a particular data catalog.    
****  

```
{ "Version":"2012-10-17",		 	 	  "Statement":[ { "Effect":"Allow", "Action":[
   "athena:ListDataCatalogs", "athena:ListWorkGroups", "athena:GetDatabase", "athena:ListDatabases",
   "athena:ListTableMetadata", "athena:GetTableMetadata" ], "Resource":"*" }, { "Effect":"Allow",
   "Action":[ "athena:StartQueryExecution", "athena:GetQueryResults", "athena:DeleteNamedQuery",
   "athena:GetNamedQuery", "athena:ListQueryExecutions", "athena:StopQueryExecution",
   "athena:GetQueryResultsStream", "athena:ListNamedQueries", "athena:CreateNamedQuery",
   "athena:GetQueryExecution", "athena:BatchGetNamedQuery", "athena:BatchGetQueryExecution",
   "athena:DeleteWorkGroup", "athena:UpdateWorkGroup", "athena:GetWorkGroup",
   "athena:CreateWorkGroup" ], "Resource":[
      "arn:aws:athena:us-east-1:123456789012:workgroup/*"
   ] }, { "Effect":"Allow", "Action":[ "athena:CreateDataCatalog", "athena:DeleteDataCatalog",
   "athena:GetDataCatalog", "athena:GetDatabase", "athena:GetTableMetadata", "athena:ListDatabases",
   "athena:ListTableMetadata", "athena:UpdateDataCatalog" ],
      "Resource":"arn:aws:athena:us-east-1:123456789012:datacatalog/datacatalogA"
   } ] }
```

**Example policy for querying a specified Data Catalog**  
In the following policy, a user is allowed to run queries on the specified `datacatalogA`. The user is not allowed to perform management tasks for the data catalog itself, such as updating or deleting it.     
****  

```
{ "Version":"2012-10-17",		 	 	  "Statement":[ { "Effect":"Allow", "Action":[
   "athena:StartQueryExecution" ], "Resource":[
      "arn:aws:athena:us-east-1:123456789012:workgroup/*"
   ] }, { "Effect":"Allow", "Action":[ "athena:GetDataCatalog" ], "Resource":[
      "arn:aws:athena:us-east-1:123456789012:datacatalog/datacatalogA"
   ] } ] }
```

**Example policy for management operations on a specified Data Catalog**  
In the following policy, a user is allowed to create, delete, obtain details, and update a data catalog `datacatalogA`.     
****  

```
{ "Version":"2012-10-17",		 	 	  "Statement": [ { "Effect": "Allow", "Action": [
    "athena:CreateDataCatalog", "athena:GetDataCatalog", "athena:DeleteDataCatalog",
    "athena:UpdateDataCatalog" ], "Resource": [
        "arn:aws:athena:us-east-1:123456789012:datacatalog/datacatalogA"
    ] } ] }
```

**Example policy for listing data catalogs**  
The following policy allows all users to list all data catalogs:    
****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "athena:ListDataCatalogs"
            ],
            "Resource": "*"
        }
    ]
}
```

**Example policy for metadata operations on data catalogs**  
The following policy allows metadata operations on data catalogs:    
****  

```
{
    "Version":"2012-10-17",		 	 	 
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "athena:GetDatabase",
                "athena:GetTableMetadata",
                "athena:ListDatabases",
                "athena:ListTableMetadata"
            ],
            "Resource": "*"
        }
    ]
}
```