Athena Integration

Connecting Athena to Retool

1. Get AWS Credentials

The administrator of your AWS account should have your AWS Access Key and AWS Secret Key stored somewhere safe. If you can no longer find them, you can create a new pair of keys via the AWS console under the My Security Credentials section of the AWS console, which you can access by clicking the dropdown next to your name in the top-right.

AWS Console > My Security Credentials > Access Keys > Create New Access Key

While creating this access key, you will be prompted to attach a policy for this user. You can use the AWS managed policy "AthenaFullAccess", or if you prefer, you can use this template as a starting point.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "This statement is required. You can modify the Resource to restrict which Athena resources Retool will have access to. You can also modify which actions Retool has access to, but we make no guarnatees that your queries will work as expected. More docs here: https://docs.aws.amazon.com/athena/latest/ug/security-iam-athena.html",
            "Effect": "Allow",
            "Action": [
                "athena:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "This statement grants permission to read and write statement metadata to AWS Glue. The permissions here are fairly broad, and it is OK to include the read-only actions. More docs here: https://docs.aws.amazon.com/athena/latest/ug/glue-athena.html",
            "Effect": "Allow",
            "Action": [
                "glue:CreateDatabase",
                "glue:DeleteDatabase",
                "glue:GetDatabase",
                "glue:GetDatabases",
                "glue:UpdateDatabase",
                "glue:CreateTable",
                "glue:DeleteTable",
                "glue:BatchDeleteTable",
                "glue:UpdateTable",
                "glue:GetTable",
                "glue:GetTables",
                "glue:BatchCreatePartition",
                "glue:CreatePartition",
                "glue:DeletePartition",
                "glue:BatchDeletePartition",
                "glue:UpdatePartition",
                "glue:GetPartition",
                "glue:GetPartitions",
                "glue:BatchGetPartition"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "This statement grants permission to write results from Athena to the relevant S3 bucket. You will need to configure the 'Resource' key to be the relevant S3 resource. The '*' at the end of the Resource ARN is required since Athena will write arbitrarily named files to the S3 bucket.",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:ListMultipartUploadParts",
                "s3:AbortMultipartUpload",
                "s3:CreateBucket",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name-where-athena-results-are-written-to*"
            ]
        },
        {
            "Sid": "This statement is optional. Retool may use these permissions in the future to display a schema browser, but it is not currently used.",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "This statement is optional. It is required if you would like Athena to receive real time notifications about quer runs. More docs here: https://docs.aws.amazon.com/athena/latest/ug/athena-cloudwatch-events.html",
            "Effect": "Allow",
            "Action": [
                "sns:ListTopics",
                "sns:GetTopicAttributes"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "This statement is optional. It is required if you would like Athena to publish metrics to CloudWatch. More docs here: https://docs.aws.amazon.com/athena/latest/ug/query-metrics-viewing.html",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricAlarm",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:DeleteAlarms"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "This statement is optional. It is required if you would like to query data in AWS Lake Formation. More docs here: https://docs.aws.amazon.com/athena/latest/ug/security-athena-lake-formation.html",
            "Effect": "Allow",
            "Action": [
                "lakeformation:GetDataAccess"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

2. Get Athena Details

To connect Retool to Athena, you need to know the Query result location. You can find this via the Athena section of the AWS console, by clicking on Settings.

AWS Console > Athena > Settings

3. Add to Retool

Create a new resource in Retool, and select "Amazon Athena" as the type. Enter your AWS credentials and Athena query result location into the "Athena" datasource form, and press "Save".

Resources > Add > Amazon Athena

4. Create Queries

You can now select your newly-created Athena resource from the Resource dropdown when creating queries in your Retool apps.

You can display the results of Athena queries as with any other query in Retool:

Athena queries are slightly different to normal SQL queries, however — in addition to having a data key, they also have a queryExecution key that contains metadata. This might be useful to keep an eye on since AWS charges you according to the amount of data that's scanned when executing the query.

Updated 19 days ago


Athena Integration


Connecting Athena to Retool

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.