Introduce AthenaQueryPolicy_v2

Smoothex · Smoothex · commit e9c80b8a975f · 2026-02-12T12:35:51.000+01:00
diff --git a/samtranslator/policy_templates_data/policy_templates.json b/samtranslator/policy_templates_data/policy_templates.json
@@ -170,6 +170,101 @@
         }
       }
     },
+    "AthenaQueryPolicy_v2": {
+      "Definition": {
+        "Statement": [
+          {
+            "Action": [
+              "athena:ListWorkGroups",
+              "athena:GetWorkGroup",
+              "athena:GetExecutionEngines",
+              "athena:GetDatabase",
+              "athena:ListDataCatalogs",
+              "athena:ListDatabases",
+              "athena:ListTableMetadata",
+              "athena:GetTableMetadata"
+            ],
+            "Effect": "Allow",
+            "Resource": "*"
+          },
+          {
+            "Action": [
+              "glue:GetDatabases",
+              "glue:GetDatabase",
+              "glue:GetTables",
+              "glue:GetTable"
+            ],
+            "Effect": "Allow",
+            "Resource": [
+              "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog",
+              {
+                "Fn::Sub": [
+                  "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${databaseName}",
+                  {
+                    "databaseName": {
+                      "Ref": "DatabaseName"
+                    }
+                  }
+                ]
+              },
+              {
+                "Fn::Sub": [
+                  "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${databaseName}/${tableName}",
+                  {
+                    "databaseName": {
+                      "Ref": "DatabaseName"
+                    },
+                    "tableName": {
+                      "Ref": "TableName"
+                    }
+                  }
+                ]
+              }
+            ]
+          },
+          {
+            "Action": [
+              "athena:StartQueryExecution",
+              "athena:GetQueryResults",
+              "athena:DeleteNamedQuery",
+              "athena:GetNamedQuery",
+              "athena:ListQueryExecutions",
+              "athena:StopQueryExecution",
+              "athena:GetQueryResultsStream",
+              "athena:ListNamedQueries",
+              "athena:CreateNamedQuery",
+              "athena:GetQueryExecution",
+              "athena:BatchGetNamedQuery",
+              "athena:BatchGetQueryExecution",
+              "athena:GetWorkGroup"
+            ],
+            "Effect": "Allow",
+            "Resource": {
+              "Fn::Sub": [
+                "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${workgroupName}",
+                {
+                  "workgroupName": {
+                    "Ref": "WorkGroupName"
+                  }
+                }
+              ]
+            }
+          }
+        ]
+      },
+      "Description": "Gives permissions to execute Athena queries",
+      "Parameters": {
+        "DatabaseName": {
+          "Description": "Name of the Glue Database"
+        },
+        "TableName": {
+          "Description": "Name of the Glue Table"
+        },
+        "WorkGroupName": {
+          "Description": "Name of the Athena Workgroup"
+        }
+      }
+    },
     "CloudFormationDescribeStacksPolicy": {
       "Definition": {
         "Statement": [
diff --git a/tests/translator/input/all_policy_templates.yaml b/tests/translator/input/all_policy_templates.yaml
@@ -160,6 +160,11 @@ Resources:
       - AthenaQueryPolicy:
           WorkGroupName: name
 
+      - AthenaQueryPolicy_v2:
+          WorkGroupName: name
+          DatabaseName: name
+          TableName: name
+
       - S3WritePolicy:
           BucketName: name
 
diff --git a/tests/translator/output/all_policy_templates.json b/tests/translator/output/all_policy_templates.json
@@ -1751,6 +1751,90 @@
               ]
             },
             "PolicyName": "KitchenSinkFunctionRolePolicy64"
+          },
+          {
+            "PolicyDocument": {
+              "Statement": [
+                {
+                  "Action": [
+                    "athena:ListWorkGroups",
+                    "athena:GetWorkGroup",
+                    "athena:GetExecutionEngines",
+                    "athena:GetDatabase",
+                    "athena:ListDataCatalogs",
+                    "athena:ListDatabases",
+                    "athena:ListTableMetadata",
+                    "athena:GetTableMetadata"
+                  ],
+                  "Effect": "Allow",
+                  "Resource": "*"
+                },
+                {
+                  "Action": [
+                    "glue:GetDatabases",
+                    "glue:GetDatabase",
+                    "glue:GetTables",
+                    "glue:GetTable"
+                  ],
+                  "Effect": "Allow",
+                  "Resource": [
+                    "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog",
+                    {
+                      "Fn::Sub": [
+                        "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${databaseName}",
+                        {
+                          "databaseName": {
+                            "Ref": "DatabaseName"
+                          }
+                        }
+                      ]
+                    },
+                    {
+                      "Fn::Sub": [
+                        "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${databaseName}/${tableName}",
+                        {
+                          "databaseName": {
+                            "Ref": "DatabaseName"
+                          },
+                          "tableName": {
+                            "Ref": "TableName"
+                          }
+                        }
+                      ]
+                    }
+                  ]
+                },
+                {
+                  "Action": [
+                    "athena:StartQueryExecution",
+                    "athena:GetQueryResults",
+                    "athena:DeleteNamedQuery",
+                    "athena:GetNamedQuery",
+                    "athena:ListQueryExecutions",
+                    "athena:StopQueryExecution",
+                    "athena:GetQueryResultsStream",
+                    "athena:ListNamedQueries",
+                    "athena:CreateNamedQuery",
+                    "athena:GetQueryExecution",
+                    "athena:BatchGetNamedQuery",
+                    "athena:BatchGetQueryExecution",
+                    "athena:GetWorkGroup"
+                  ],
+                  "Effect": "Allow",
+                  "Resource": {
+                    "Fn::Sub": [
+                      "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${workgroupName}",
+                      {
+                        "workgroupName": {
+                          "Ref": "WorkGroupName"
+                        }
+                      }
+                    ]
+                  }
+                }
+              ]
+            },
+            "PolicyName": "KitchenSinkFunctionRolePolicy65"
           }
         ],
         "Tags": [
diff --git a/tests/translator/output/aws-cn/all_policy_templates.json b/tests/translator/output/aws-cn/all_policy_templates.json
@@ -1751,6 +1751,90 @@
               ]
             },
             "PolicyName": "KitchenSinkFunctionRolePolicy64"
+          },
+          {
+            "PolicyDocument": {
+              "Statement": [
+                {
+                  "Action": [
+                    "athena:ListWorkGroups",
+                    "athena:GetWorkGroup",
+                    "athena:GetExecutionEngines",
+                    "athena:GetDatabase",
+                    "athena:ListDataCatalogs",
+                    "athena:ListDatabases",
+                    "athena:ListTableMetadata",
+                    "athena:GetTableMetadata"
+                  ],
+                  "Effect": "Allow",
+                  "Resource": "*"
+                },
+                {
+                  "Action": [
+                    "glue:GetDatabases",
+                    "glue:GetDatabase",
+                    "glue:GetTables",
+                    "glue:GetTable"
+                  ],
+                  "Effect": "Allow",
+                  "Resource": [
+                    "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog",
+                    {
+                      "Fn::Sub": [
+                        "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${databaseName}",
+                        {
+                          "databaseName": {
+                            "Ref": "DatabaseName"
+                          }
+                        }
+                      ]
+                    },
+                    {
+                      "Fn::Sub": [
+                        "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${databaseName}/${tableName}",
+                        {
+                          "databaseName": {
+                            "Ref": "DatabaseName"
+                          },
+                          "tableName": {
+                            "Ref": "TableName"
+                          }
+                        }
+                      ]
+                    }
+                  ]
+                },
+                {
+                  "Action": [
+                    "athena:StartQueryExecution",
+                    "athena:GetQueryResults",
+                    "athena:DeleteNamedQuery",
+                    "athena:GetNamedQuery",
+                    "athena:ListQueryExecutions",
+                    "athena:StopQueryExecution",
+                    "athena:GetQueryResultsStream",
+                    "athena:ListNamedQueries",
+                    "athena:CreateNamedQuery",
+                    "athena:GetQueryExecution",
+                    "athena:BatchGetNamedQuery",
+                    "athena:BatchGetQueryExecution",
+                    "athena:GetWorkGroup"
+                  ],
+                  "Effect": "Allow",
+                  "Resource": {
+                    "Fn::Sub": [
+                      "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${workgroupName}",
+                      {
+                        "workgroupName": {
+                          "Ref": "WorkGroupName"
+                        }
+                      }
+                    ]
+                  }
+                }
+              ]
+            },
+            "PolicyName": "KitchenSinkFunctionRolePolicy65"
           }
         ],
         "Tags": [
diff --git a/tests/translator/output/aws-us-gov/all_policy_templates.json b/tests/translator/output/aws-us-gov/all_policy_templates.json
@@ -1751,6 +1751,90 @@
               ]
             },
             "PolicyName": "KitchenSinkFunctionRolePolicy64"
+          },
+          {
+            "PolicyDocument": {
+              "Statement": [
+                {
+                  "Action": [
+                    "athena:ListWorkGroups",
+                    "athena:GetWorkGroup",
+                    "athena:GetExecutionEngines",
+                    "athena:GetDatabase",
+                    "athena:ListDataCatalogs",
+                    "athena:ListDatabases",
+                    "athena:ListTableMetadata",
+                    "athena:GetTableMetadata"
+                  ],
+                  "Effect": "Allow",
+                  "Resource": "*"
+                },
+                {
+                  "Action": [
+                    "glue:GetDatabases",
+                    "glue:GetDatabase",
+                    "glue:GetTables",
+                    "glue:GetTable"
+                  ],
+                  "Effect": "Allow",
+                  "Resource": [
+                    "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:catalog",
+                    {
+                      "Fn::Sub": [
+                        "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:database/${databaseName}",
+                        {
+                          "databaseName": {
+                            "Ref": "DatabaseName"
+                          }
+                        }
+                      ]
+                    },
+                    {
+                      "Fn::Sub": [
+                        "arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:table/${databaseName}/${tableName}",
+                        {
+                          "databaseName": {
+                            "Ref": "DatabaseName"
+                          },
+                          "tableName": {
+                            "Ref": "TableName"
+                          }
+                        }
+                      ]
+                    }
+                  ]
+                },
+                {
+                  "Action": [
+                    "athena:StartQueryExecution",
+                    "athena:GetQueryResults",
+                    "athena:DeleteNamedQuery",
+                    "athena:GetNamedQuery",
+                    "athena:ListQueryExecutions",
+                    "athena:StopQueryExecution",
+                    "athena:GetQueryResultsStream",
+                    "athena:ListNamedQueries",
+                    "athena:CreateNamedQuery",
+                    "athena:GetQueryExecution",
+                    "athena:BatchGetNamedQuery",
+                    "athena:BatchGetQueryExecution",
+                    "athena:GetWorkGroup"
+                  ],
+                  "Effect": "Allow",
+                  "Resource": {
+                    "Fn::Sub": [
+                      "arn:${AWS::Partition}:athena:${AWS::Region}:${AWS::AccountId}:workgroup/${workgroupName}",
+                      {
+                        "workgroupName": {
+                          "Ref": "WorkGroupName"
+                        }
+                      }
+                    ]
+                  }
+                }
+              ]
+            },
+            "PolicyName": "KitchenSinkFunctionRolePolicy65"
           }
         ],
         "Tags": [
