docs: add IAM role authentication for Athena warehouse connections (#402)

notgiorgi · web-flow · commit 3fc72355a3f3 · 2026-02-12T12:01:36.000+04:00
diff --git a/get-started/setup-lightdash/connect-project.mdx b/get-started/setup-lightdash/connect-project.mdx
@@ -739,7 +739,11 @@ Your AWS access key ID for authentication. This should belong to an IAM user wit
 Your AWS secret access key for authentication.
 
 <Info>
-  We recommend creating a dedicated IAM user for Lightdash with minimal permissions:
+  Self-hosted instances can use IAM role authentication (e.g. ECS task role, EC2 instance profile) instead of access keys. See the [`ATHENA_WAREHOUSE_IAM_ROLE_AUTH`](/self-host/customize-deployment/environment-variables#athena) environment variable.
+</Info>
+
+<Info>
+  We recommend creating a dedicated IAM user or role for Lightdash with minimal permissions:
   - `AmazonAthenaFullAccess` (or a more restrictive custom policy)
   - S3 read/write access to your staging and data directories
 </Info>
diff --git a/self-host/customize-deployment/environment-variables.mdx b/self-host/customize-deployment/environment-variables.mdx
@@ -54,6 +54,12 @@ This is a reference to all environment variables that can be used to configure a
 
 Lightdash also accepts all [standard postgres environment variables](https://www.postgresql.org/docs/9.3/libpq-envars.html)
 
+## Athena
+
+| Variable                            | Description                                                                                                                                                                                     |
+| :---------------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `ATHENA_WAREHOUSE_IAM_ROLE_AUTH`    | Set to `true` to enable IAM role authentication for Athena warehouse connections. When enabled, users can choose between Access Keys and IAM Role auth in the connection form. IAM Role auth uses the AWS default credential chain (e.g. ECS task role, EC2 instance profile) instead of explicit access keys. Default: `false`. |
+
 ## Snowflake
 
 | Variable                                | Description                                                                                                                                                                                                     |
