Is it possible to directly access AWS Glue Data Catalog of Account B via the Athena interface of Account A?
I was just trying to resolve this same issue in my own setup, but then stumbled across this bummer (the last bullet under Cross-Account Access Limitations on this page):
Cross-account access to the Data Catalog is not supported when using an AWS Glue crawler, Amazon Athena, or Amazon Redshift.
So it sounds like even with the cross-account access that is possible today, they won't naturally replicate through those services (including the asked-about Athena).
That said, I was able to set up cross-account access to the AWS Glue Data Catalog in a way that allowed me to use Account A to pull all relevant info about Data Catalog objects from Account B. I can update my answer to incorporate how far I got, if you want, but a hacky method that might solve this question would be to set up the cross-account access that is possible today, then run a recurring Lambda function that replicates over all the relevant metadata in the Data Catalog from Account B to Account A so users in Account A can view that within Account A's AWS Glue Data Catalog. I'm not sure whether Athena specifically would work in that setup, as I know it requires PutObject access when it queries data in S3 (which could be solved via the appropriate S3 bucket policies, but that'd be another cross-account permissions thing to manage).
Let me know whether you'd like to see those details on what cross-account stuff I was able to get working.
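A sketch of the recurring replication Lambda described in the answer above, as an added example that is not the answerer's code. It assumes Account A's Lambda role has already been granted read access to Account B's catalog, and the `SOURCE_CATALOG_ID` environment variable and the `allowed_databases` filter are hypothetical names introduced here.

```python
"""Added example: copy Glue Data Catalog databases and tables from Account B into Account A."""
import os

# Fields the Glue API accepts in DatabaseInput / TableInput. get_* responses also
# carry read-only fields (CreateTime, CatalogId, ...) that must not be sent back.
DB_FIELDS = ("Name", "Description", "LocationUri", "Parameters")
TABLE_FIELDS = ("Name", "Description", "Owner", "Retention", "StorageDescriptor",
                "PartitionKeys", "ViewOriginalText", "ViewExpandedText",
                "TableType", "Parameters")


def _pick(item, fields):
    return {k: item[k] for k in fields if k in item}


def replicate_catalog(src, dst, source_catalog_id, allowed_databases=None):
    """Upsert databases/tables from the catalog `source_catalog_id` (read via `src`)
    into the default catalog of `dst`. Returns the (database, table) pairs written."""
    written = []
    for page in src.get_paginator("get_databases").paginate(CatalogId=source_catalog_id):
        for db in page["DatabaseList"]:
            name = db["Name"]
            if allowed_databases is not None and name not in allowed_databases:
                continue  # replicate only what Account A is meant to see
            try:
                dst.create_database(DatabaseInput=_pick(db, DB_FIELDS))
            except dst.exceptions.AlreadyExistsException:
                pass  # database already replicated on an earlier run
            tables = src.get_paginator("get_tables").paginate(
                CatalogId=source_catalog_id, DatabaseName=name)
            for tpage in tables:
                for table in tpage["TableList"]:
                    table_input = _pick(table, TABLE_FIELDS)
                    try:
                        dst.create_table(DatabaseName=name, TableInput=table_input)
                    except dst.exceptions.AlreadyExistsException:
                        dst.update_table(DatabaseName=name, TableInput=table_input)
                    written.append((name, table["Name"]))
    return written


def lambda_handler(event, context):
    import boto3  # imported here so replicate_catalog can be exercised without AWS
    glue = boto3.client("glue")  # Account A role; Account B must grant it read access
    source = os.environ["SOURCE_CATALOG_ID"]  # assumed env var: Account B's account ID
    return {"replicated": len(replicate_catalog(glue, glue, source))}
```

Partitions are not copied, and the replicated tables still point at S3 locations in Account B, so the bucket policies mentioned in the answer remain a separate grant to manage.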
AWS has started supporting this using Lambda; please follow the link below: https://aws.amazon.com/blogs/big-data/cross-account-aws-glue-data-catalog-access-with-amazon-athena/
Since May 2021 it is now possible to register a data catalog from a different account in Amazon Athena; see the User Guide.
Athena Query Engine v2 is required though and there are some other limitations.