Skip to content

docs: add IAM role authentication for Athena warehouse connections #402

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
notgiorgi merged 1 commit into from
Feb 12, 2026
+11 −1
Merged

docs: add IAM role authentication for Athena warehouse connections #402

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion get-started/setup-lightdash/connect-project.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -739,7 +739,11 @@ Your AWS access key ID for authentication. This should belong to an IAM user wit
Your AWS secret access key for authentication.

<Info>
We recommend creating a dedicated IAM user for Lightdash with minimal permissions:
Self-hosted instances can use IAM role authentication (e.g. ECS task role, EC2 instance profile) instead of access keys. See the [`ATHENA_WAREHOUSE_IAM_ROLE_AUTH`](/self-host/customize-deployment/environment-variables#athena) environment variable.
</Info>

<Info>
We recommend creating a dedicated IAM user or role for Lightdash with minimal permissions:
- `AmazonAthenaFullAccess` (or a more restrictive custom policy)
- S3 read/write access to your staging and data directories
</Info>
Expand Down
6 changes: 6 additions & 0 deletions self-host/customize-deployment/environment-variables.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,12 @@ This is a reference to all environment variables that can be used to configure a

Lightdash also accepts all [standard postgres environment variables](https://www.postgresql.org/docs/9.3/libpq-envars.html)

## Athena

| Variable | Description |
| :---------------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `ATHENA_WAREHOUSE_IAM_ROLE_AUTH` | Set to `true` to enable IAM role authentication for Athena warehouse connections. When enabled, users can choose between Access Keys and IAM Role auth in the connection form. IAM Role auth uses the AWS default credential chain (e.g. ECS task role, EC2 instance profile) instead of explicit access keys. Default: `false`. |

## Snowflake

| Variable | Description |
Expand Down