Connect AWS Athena
Prerequisites
- You have an IAM user dedicated to Skoot Athena access.
- You have an Athena workgroup configured for Skoot queries.
- You have read access to source data and metadata (Glue/Athena catalog + databases + tables).
- You have an S3 query results location configured through your Athena workgroup.
Step 1 - Create/Use a Dedicated IAM User
Use a dedicated IAM user for Skoot. Avoid shared admin credentials.
Step 2 - Attach Athena Access Policy
Create an IAM policy and attach it to the Skoot user from Step 1. The policy must allow:
- Athena query actions in your workgroup
- Glue metadata read access for schema discovery
- S3 read access for underlying table data
- S3 read/write access for the Athena query results bucket
Skoot discovers schemas through the AWS Glue Data Catalog. Pick one scope below, customize the placeholders, then attach the matching policy.
Choose a Glue access scope
- Scope A — All Glue databases (broadest)
  - Easiest setup; Skoot can discover every database and table the principal can read.
- Scope B — Selected Glue databases (recommended)
  - Restrict metadata and underlying S3 access to the databases you name in the policy.
  - Best balance of least privilege and reliable schema discovery.
Customize placeholders
Replace these values in whichever policy you use:
| Placeholder | Replace with |
|---|---|
| 123456789012 | Your 12-digit AWS account ID (every occurrence) |
| ap-south-1 | Your AWS Region |
| skoot | Your Athena workgroup name |
| skoot-athena-results | Your Athena query results bucket |
| skoot-data-demo | S3 bucket(s) that hold underlying table data |
| entertainment | A Glue database name (Scope B only; one database/ and table/ ARN pair per database) |
Scope A: All Glue databases
Use this when Skoot should discover every Glue database and table in the account (within the S3 buckets you list).
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SkootAthenaWorkgroupQuery",
      "Effect": "Allow",
      "Action": [
        "athena:StartQueryExecution",
        "athena:GetQueryExecution",
        "athena:GetQueryResults",
        "athena:StopQueryExecution",
        "athena:GetWorkGroup"
      ],
      "Resource": "arn:aws:athena:ap-south-1:123456789012:workgroup/skoot"
    },
    {
      "Sid": "SkootAthenaListWorkgroups",
      "Effect": "Allow",
      "Action": "athena:ListWorkGroups",
      "Resource": "*"
    },
    {
      "Sid": "SkootAthenaResultsS3",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::skoot-athena-results",
        "arn:aws:s3:::skoot-athena-results/*"
      ]
    },
    {
      "Sid": "SkootGlueMetadataAllDatabases",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabases",
        "glue:GetDatabase",
        "glue:GetTables",
        "glue:GetTable",
        "glue:GetPartitions"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SkootUnderlyingDataS3",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::skoot-data-demo",
        "arn:aws:s3:::skoot-data-demo/*"
      ]
    }
  ]
}
```
Add a SkootUnderlyingDataS3 statement (or extra Resource entries) for each S3 bucket that backs your Athena tables.
Scope B: Selected Glue databases
Use this when Skoot should only access specific Glue databases and their underlying data. The example below allows one database (entertainment); add more database/ and table/ ARNs for each additional database you want Skoot to use.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SkootAthenaWorkgroupQuery",
      "Effect": "Allow",
      "Action": [
        "athena:StartQueryExecution",
        "athena:GetQueryExecution",
        "athena:GetQueryResults",
        "athena:StopQueryExecution",
        "athena:GetWorkGroup"
      ],
      "Resource": "arn:aws:athena:ap-south-1:123456789012:workgroup/skoot"
    },
    {
      "Sid": "SkootAthenaListWorkgroups",
      "Effect": "Allow",
      "Action": "athena:ListWorkGroups",
      "Resource": "*"
    },
    {
      "Sid": "SkootAthenaResultsS3",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::skoot-athena-results",
        "arn:aws:s3:::skoot-athena-results/*"
      ]
    },
    {
      "Sid": "SkootGlueMetadataSelectedDatabases",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabases",
        "glue:GetDatabase",
        "glue:GetTables",
        "glue:GetTable",
        "glue:GetPartitions"
      ],
      "Resource": [
        "arn:aws:glue:ap-south-1:123456789012:catalog",
        "arn:aws:glue:ap-south-1:123456789012:database/entertainment",
        "arn:aws:glue:ap-south-1:123456789012:table/entertainment/*"
      ]
    },
    {
      "Sid": "SkootUnderlyingDataS3",
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::skoot-data-demo",
        "arn:aws:s3:::skoot-data-demo/*"
      ]
    }
  ]
}
```
For each additional allowed database, add matching database/<name> and table/<name>/* Glue ARNs and the S3 buckets that back those tables.
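A pre-attach check for a Scope B policy, added here as an example (not Skoot's or AWS's code): it reports Glue databases that are missing half of their database/ and table/ ARN pair, S3 write actions granted outside the query results bucket, and wildcard resources on anything other than athena:ListWorkGroups. The names `review_scope_b` and `as_list` and the `sales` database are hypothetical, and the sample policy is constructed from the page's placeholders with two deliberate mistakes.

```python
import json
import re

# Constructed sample built from the page's placeholders. The "sales" database
# lacks its table/ ARN and the data bucket carries s3:PutObject on purpose.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "SkootAthenaListWorkgroups", "Effect": "Allow",
   "Action": "athena:ListWorkGroups", "Resource": "*"},
  {"Sid": "SkootGlueMetadataSelectedDatabases", "Effect": "Allow",
   "Action": ["glue:GetDatabases", "glue:GetTables", "glue:GetTable"],
   "Resource": ["arn:aws:glue:ap-south-1:123456789012:catalog",
                "arn:aws:glue:ap-south-1:123456789012:database/entertainment",
                "arn:aws:glue:ap-south-1:123456789012:table/entertainment/*",
                "arn:aws:glue:ap-south-1:123456789012:database/sales"]},
  {"Sid": "SkootUnderlyingDataS3", "Effect": "Allow",
   "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
   "Resource": ["arn:aws:s3:::skoot-data-demo", "arn:aws:s3:::skoot-data-demo/*"]}
]}
""")

def as_list(value):
    return value if isinstance(value, list) else [value]

def review_scope_b(policy, results_bucket):
    """Hypothetical helper: list least-privilege findings for a Scope B policy."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{results_bucket}"
    for st in (s for s in as_list(policy["Statement"]) if s.get("Effect") == "Allow"):
        sid = st.get("Sid", "(no Sid)")
        actions, resources = as_list(st["Action"]), as_list(st["Resource"])
        # 1. In Scope B only athena:ListWorkGroups is granted on Resource "*".
        if "*" in resources and actions != ["athena:ListWorkGroups"]:
            findings.append(f"{sid}: wildcard Resource")
        # 2. Each Glue database needs both its database/ and table/ ARN.
        if any(a.startswith("glue:") for a in actions):
            dbs = set(re.findall(r":database/([^/\s]+)", " ".join(resources)))
            tbls = set(re.findall(r":table/([^/\s]+)/\*", " ".join(resources)))
            for name in sorted(dbs ^ tbls):
                findings.append(f"{sid}: {name} has no {'table' if name in dbs else 'database'}/ ARN")
        # 3. S3 write actions belong on the query results bucket only.
        writes = sorted(a for a in actions if a in ("s3:PutObject", "s3:DeleteObject"))
        stray = [r for r in resources if r != bucket_arn and not r.startswith(bucket_arn + "/")]
        if writes and stray:
            findings.append(f"{sid}: {', '.join(writes)} outside {results_bucket}")
    return findings

if __name__ == "__main__":
    print("\n".join(review_scope_b(SAMPLE_POLICY, "skoot-athena-results")))
```

An empty list means the policy keeps writes on the results bucket and every named Glue database has both ARNs.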
Step 3 - Create Access Key
Create an access key for that IAM user and store it securely.
You will use:
- Access Key ID
- Secret Access Key
Step 4 - Optional: IP Whitelisting
If your environment enforces network allowlists, allowlist the Skoot public egress IP from Data Sources.
Connect in Skoot App
After Athena setup is complete:
- Click AWS Athena in the Available Data Sources section.
- Fill these fields exactly:
  - Connection Name
  - AWS Region
  - Access Key ID
  - Secret Access Key
  - Workgroup
  - Catalog
  - Query Timeout (ms) (minimum 1000)
- Save the connection.
- Confirm status is Connected.