Policy User
The policy user for protect and unprotect operations can be provided from either a Lambda environment variable or a federated identity.
POLICY_USER Environment Variable in the Athena Protect Lambda
The Lambda environment variable POLICY_USER may be set to a default user in the security policy or to a service user.
Federated Identity
When the request contains the federated identity, the policy user may be the IAM ARN of the user running the SQL query. For example:

| Identity type | Policy user |
|---|---|
| User | arn:aws:iam::123456789012:user/juliet.snow |
| Role | arn:aws:sts::123456789012:assumed-role/TestSaml |
Note
The Federated Identity is not always provided to the Protect Lambda. AWS is working on adding the Federated Identity to more cases. As a result, the expected user may change after Athena workgroup updates.
Note
See Configuring Regular Expression to Extract Policy Username to learn how to extract the username from the IAM ARN.
To control which Policy User is used, the Athena Protect Lambda has the environment variable POLICY_USER_CONFIG:
| Value | Description |
|---|---|
| 0 | (Default) The Federated Identity is used when provided by Amazon Athena; if the Federated Identity is not provided, the user defaults to POLICY_USER. |
| 1 | Only the Federated Identity is used. If the Federated Identity is not provided, the Athena Protect Lambda fails the query. |
| 2 | POLICY_USER is always used, regardless of whether the Federated Identity is provided. POLICY_USER is required; if it is empty or missing, the Protect Lambda fails the query. Note: The USERNAME_REGEX Lambda configuration described in Configuring Regular Expression to Extract Policy Username has no effect when POLICY_USER_CONFIG=2. |
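The selection rules in the table above, written out as an added example (not the Protect Lambda's own code). It assumes the federated identity arrives as a plain ARN string (or None when Athena did not supply one), that USERNAME_REGEX is a regular expression whose first capture group is the username, and that a non-matching regex fails the query, since the page does not define that case.

```python
import re
from typing import Optional


class PolicyUserError(Exception):
    """Raised when no policy user can be resolved; the Lambda should fail the query."""


def resolve_policy_user(federated_identity: Optional[str], env: dict) -> str:
    """Select the policy user according to POLICY_USER_CONFIG.

    federated_identity: IAM ARN passed by Athena, or None when not provided.
    env: environment variables (os.environ in a real Lambda).
    """
    mode = env.get("POLICY_USER_CONFIG", "0").strip()
    default_user = env.get("POLICY_USER", "").strip()
    # Assumed shape of USERNAME_REGEX: a pattern with one capture group
    # applied to the ARN; the page does not spell out its semantics.
    username_regex = env.get("USERNAME_REGEX", "").strip()

    if mode == "2":
        # POLICY_USER always wins and the regex is not applied in this mode.
        if not default_user:
            raise PolicyUserError("POLICY_USER_CONFIG=2 requires POLICY_USER")
        return default_user

    if mode not in ("0", "1"):
        raise PolicyUserError(f"unsupported POLICY_USER_CONFIG value: {mode!r}")

    if federated_identity:
        if username_regex:
            match = re.search(username_regex, federated_identity)
            if not match or not match.groups():
                # Fail closed rather than fall back to the raw ARN (assumption).
                raise PolicyUserError("USERNAME_REGEX did not match the federated ARN")
            return match.group(1)
        return federated_identity

    # No federated identity: mode 1 must fail, mode 0 falls back to POLICY_USER.
    if mode == "1":
        raise PolicyUserError("federated identity required but not provided")
    if not default_user:
        raise PolicyUserError("no federated identity and POLICY_USER is empty")
    return default_user
```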