Trino / Athena Setup
Use this guide to connect either Amazon Athena (IAM role auth) or a self-hosted Trino deployment (username/password auth).
Overview
Slateo supports two connection patterns under the same Trino / Athena connector:
| Use case | Authentication | Network setup |
|---|---|---|
| Amazon Athena | IAM Role (Athena) | No PrivateLink setup required |
| Self-hosted Trino | Username & Password | Public endpoint or private networking (for example, AWS PrivateLink) |
PrivateLink and Athena: You do not need a separate PrivateLink setup for Athena itself. Athena is an AWS-managed service endpoint. Use the AWS PrivateLink guide only when connecting to a private self-hosted Trino endpoint.
Prerequisites
Before you start, make sure you have:
- Permission in Slateo to add database connections
- For Athena: IAM permissions to create/update roles and policies
- For Athena: an existing workgroup, catalog/database metadata in Glue, and S3 locations for data and query results
- For self-hosted Trino: coordinator host, port, catalog/schema, and a read-only Trino user
Setup steps
Path A: Amazon Athena (IAM Role (Athena))
Step 1: Create or select the IAM role Slateo should assume
In Slateo, you will enter an IAM Role ARN. That role must trust Slateo's AWS principal.
Example trust policy (replace with the principal provided by your Slateo team):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<slateo-account-id>:role/<slateo-assumer-role>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
You can verify role trust with:
```
aws iam get-role --role-name <role-name>
```
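A scripted version of that check, added here as an example and not part of Slateo's tooling: it reads the JSON that `aws iam get-role` prints and lists every principal allowed to assume the role other than the one you expect. The sample output, account IDs and role names are constructed placeholders.

```python
import json

# Constructed sample of `aws iam get-role` output (placeholder accounts and names).
SAMPLE_GET_ROLE = json.loads("""
{"Role": {"RoleName": "SlateoAthenaReadOnly",
  "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:role/example-slateo-assumer"},
     "Action": "sts:AssumeRole"},
    {"Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::222222222222:root", "*"]},
     "Action": ["sts:AssumeRole", "sts:TagSession"]}
  ]}}}
""")

ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}


def as_list(value):
    """IAM accepts a single string or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(get_role_output, expected_principal):
    """Return (statement index, principal, reason) for every principal that
    may assume the role but is not exactly the expected one."""
    findings = []
    doc = get_role_output["Role"]["AssumeRolePolicyDocument"]
    for index, stmt in enumerate(as_list(doc["Statement"])):
        actions = {a.lower() for a in as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & ASSUME_ACTIONS:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # bare "*" means any principal
            principal = {"AWS": "*"}
        for kind, values in principal.items():
            for value in as_list(values):
                if kind == "AWS" and value == expected_principal:
                    continue
                if value == "*":
                    reason = "wildcard principal"
                elif kind == "AWS" and value.endswith(":root"):
                    reason = "whole account trusted, not one role"
                else:
                    reason = "unexpected principal"
                findings.append((index, f"{kind}:{value}", reason))
    return findings
```

To run it against a real role, save the command's output to a file, load it with `json.load`, and pass the principal ARN your Slateo team provided; an empty list means only that principal is trusted.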
Step 2: Attach least-privilege Athena permissions to that role
The assumed role needs enough access to run Athena queries and read metadata/results.
At minimum, include:
- Athena query actions such as `athena:StartQueryExecution`, `athena:GetQueryExecution`, and `athena:GetQueryResults`
- Glue read actions such as `glue:GetDatabase`, `glue:GetDatabases`, `glue:GetTable`, and `glue:GetTables`
- S3 read access to source data locations
- S3 read/write access to your Athena results bucket
If your results bucket uses a customer-managed KMS key, also allow decrypt/encrypt for that key.
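One way to check a policy against this minimum before attaching it (an added example, not Slateo's code): the function reports required Athena and Glue actions that no Allow statement grants, and Action patterns that cover a whole service. The sample policy and bucket name are constructed; Deny statements, conditions and resource scope are not evaluated.

```python
from fnmatch import fnmatchcase

# Minimum Athena and Glue actions named in Step 2 of this guide.
REQUIRED_ACTIONS = [
    "athena:StartQueryExecution", "athena:GetQueryExecution",
    "athena:GetQueryResults", "glue:GetDatabase", "glue:GetDatabases",
    "glue:GetTable", "glue:GetTables",
]

# Constructed sample policy; the bucket name is a placeholder.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["athena:StartQueryExecution", "athena:Get*"],
     "Resource": "arn:aws:athena:us-west-2:123456789012:workgroup/primary"},
    {"Effect": "Allow",
     "Action": ["glue:GetDatabase", "glue:GetTable"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-athena-results",
                  "arn:aws:s3:::example-athena-results/*"]},
]}


def as_list(value):
    """IAM accepts either a single string or a list for Action."""
    return value if isinstance(value, list) else [value]


def review_policy(policy, required=REQUIRED_ACTIONS):
    """Return (missing, broad): required actions that no Allow statement
    grants, and Action patterns that cover a whole service or everything."""
    granted = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") == "Allow":
            granted += [a.lower() for a in as_list(stmt.get("Action", []))]
    # IAM action names are case-insensitive and support * and ? wildcards.
    missing = [r for r in required
               if not any(fnmatchcase(r.lower(), g) for g in granted)]
    broad = [g for g in granted if g == "*" or g.endswith(":*")]
    return missing, broad
```

A missing Athena action here is what later surfaces as a `not authorized to perform` error during Test Connection.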
Step 3: Configure Athena in Slateo
In Slateo:
- Go to Settings -> Databases -> Add Database
- Select Trino / Athena
- Set Authentication Method to IAM Role (Athena)
- Fill in the fields:
| Field | Example |
|---|---|
| Name | Athena Production |
| Host | athena.us-west-2.amazonaws.com |
| Port | 443 |
| Catalog | awsdatacatalog |
| Default Schema | analytics |
| IAM Role ARN | arn:aws:iam::123456789012:role/SlateoAthenaReadOnly |
| AWS Region | us-west-2 |
| Workgroup | primary |
Step 4: Test and save
Click Test Connection. After it succeeds, click Add Connection.
Path B: Self-hosted Trino (Username & Password)
Use this path for Trino deployments you operate directly (for example, Trino on Kubernetes or EC2).
Step 1: Ensure network connectivity
Your Trino coordinator must be reachable from Slateo:
- Public endpoint: allowlist Slateo egress IPs (contact your Slateo team)
- Private endpoint: configure private connectivity, such as AWS PrivateLink
Step 2: Create a read-only Trino user
Create a dedicated user with read-only access to the catalogs and schemas Slateo should query.
Exact commands depend on your Trino authentication plugin and catalog backends.
Step 3: Configure Trino in Slateo
In Slateo:
- Go to Settings -> Databases -> Add Database
- Select Trino / Athena
- Set Authentication Method to Username & Password
- Fill in the fields:
| Field | Example |
|---|---|
| Name | Trino Production |
| Host | trino.example.internal |
| Port | 8080 or 443 |
| Catalog | hive |
| Default Schema | analytics |
| Username | slateo_readonly |
| Password | <secure-password> |
If your Trino endpoint uses HTTPS, use port 443 and TLS.
Step 4: Test and save
Click Test Connection, then Add Connection.
Step 5 (Optional): Enable file uploads (usertables write access)
If you want Slateo users to upload CSVs and create tables from them, ensure the Slateo role has write access to a schema named usertables in the appropriate catalog.
The exact steps depend on your Trino connector and underlying catalog. In general:
- Create a `usertables` schema in the catalog used by your Slateo connection
- Grant the Slateo role write access to that schema
Consult your Trino administrator or connector documentation for the specific grant syntax.
After creating the usertables schema and granting privileges, go to Settings → Database Connections, select your connection, and click Test Connection. This refreshes the upload capability check. The file upload option will appear on the Data Models page once the check passes.
Verification checklist
After saving, confirm:
- The connection appears in Settings -> Databases
- Status changes from `Scanning schema...` to discovered tables
- Expected catalogs/schemas are available in query editors
Troubleshooting
Error: not authorized to perform: sts:AssumeRole
The IAM role trust policy does not allow Slateo to assume the role.
Fix: update the role trust policy to include Slateo's AWS principal.
Error: not authorized to perform: athena:StartQueryExecution
Assume-role succeeded, but Athena permissions are missing.
Fix: add Athena query permissions on the target workgroup.
Error: S3 access denied while reading results
Athena can run, but the role cannot read/write the results location.
Fix: grant required S3 permissions (and KMS permissions if applicable) to the assumed role.
Error: timeout / cannot reach Trino host
Slateo cannot reach your Trino coordinator endpoint.
Fix: verify DNS, port, TLS settings, and your network path (public allowlist or private connectivity).
Add Connection stays disabled
Slateo enables Add Connection only after the required fields are valid and Test Connection succeeds.
Fix: re-check required fields and retry Test Connection.
FAQ
Do I need AWS PrivateLink for Athena?
No. For Athena, Slateo connects to AWS-managed service endpoints using IAM role authentication. You only need private networking guidance if you are connecting to a private self-hosted Trino endpoint.
When should I choose Trino instead of Athena in this connector?
Use IAM Role (Athena) when querying Amazon Athena. Use Username & Password when connecting to your own Trino deployment.