The following represents a configuration of minimal IAM permissions needed to support the Salesforce Connect adapter for Amazon Athena. Specifically, this example uses a separate (dedicated) workgroup for Salesforce Connect to use with Athena, as well as specific S3 buckets containing the relevant source data.
This limits access to business data while providing enough access to metadata to make configuration easier for administrators. Note the following items in ALL_CAPS that will need to be replaced in your configuration:

ACCOUNT_ID: ID of the AWS Account containing all the above resources (e.g. 467032906895)
AWS_REGION: Geographical region containing the S3 bucket used by the workgroup (e.g. us-east-1)
BUCKET_1_NAME: name of the S3 bucket used to house the source data
BUCKET_N_NAME: included for instructional purposes in case Athena reads from multiple buckets
RESULTS_BUCKET_NAME: name of the S3 bucket used by