[ aws . athena ]

create-work-group

Description

Creates a workgroup with the specified name. A workgroup can be an Apache Spark enabled workgroup or an Athena SQL workgroup.

See also: AWS API Documentation

Synopsis

  create-work-group
--name <value>
[--configuration <value>]
[--description <value>]
[--tags <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Options

--name (string)

The workgroup name.

--configuration (structure)

Contains configuration information for creating an Athena SQL workgroup or Spark enabled Athena workgroup. Athena SQL workgroup configuration includes the location in Amazon S3 where query and calculation results are stored, the encryption configuration, if any, used for encrypting query results, whether the Amazon CloudWatch Metrics are enabled for the workgroup, the limit for the amount of bytes scanned (cutoff) per query, if it is specified, and whether workgroup’s settings (specified with EnforceWorkGroupConfiguration ) in the WorkGroupConfiguration override client-side settings. See WorkGroupConfiguration$EnforceWorkGroupConfiguration .

ResultConfiguration -> (structure)

The configuration for the workgroup, which includes the location in Amazon S3 where query and calculation results are stored and the encryption option, if any, used for query and calculation results. To run the query, you must specify the query results location using one of the ways: either in the workgroup using this setting, or for individual queries (client-side), using ResultConfiguration$OutputLocation . If none of them is set, Athena issues an error that no output location is provided.

OutputLocation -> (string)

The location in Amazon S3 where your query and calculation results are stored, such as s3://path/to/query/bucket/ . To run the query, you must specify the query results location using one of the ways: either for individual queries using either this setting (client-side), or in the workgroup, using WorkGroupConfiguration . If none of them is set, Athena issues an error that no output location is provided. If workgroup settings override client-side settings, then the query uses the settings specified for the workgroup. See WorkGroupConfiguration$EnforceWorkGroupConfiguration .

EncryptionConfiguration -> (structure)

If query and calculation results are encrypted in Amazon S3, indicates the encryption option used (for example, SSE_KMS or CSE_KMS ) and key information. This is a client-side setting. If workgroup settings override client-side settings, then the query uses the encryption configuration that is specified for the workgroup, and also uses the location for storing query results specified in the workgroup. See WorkGroupConfiguration$EnforceWorkGroupConfiguration and Workgroup Settings Override Client-Side Settings .

EncryptionOption -> (string)

Indicates whether Amazon S3 server-side encryption with Amazon S3-managed keys (SSE_S3 ), server-side encryption with KMS-managed keys (SSE_KMS ), or client-side encryption with KMS-managed keys (CSE_KMS ) is used.

If a query runs in a workgroup and the workgroup overrides client-side settings, then the workgroup’s setting for encryption is used. It specifies whether query results must be encrypted, for all queries that run in this workgroup.

KmsKey -> (string)

For SSE_KMS and CSE_KMS , this is the KMS key ARN or ID.

ExpectedBucketOwner -> (string)

The Amazon Web Services account ID that you expect to be the owner of the Amazon S3 bucket specified by ResultConfiguration$OutputLocation . If set, Athena uses the value for ExpectedBucketOwner when it makes Amazon S3 calls to your specified output location. If the ExpectedBucketOwner Amazon Web Services account ID does not match the actual owner of the Amazon S3 bucket, the call fails with a permissions error.

This is a client-side setting. If workgroup settings override client-side settings, then the query uses the ExpectedBucketOwner setting that is specified for the workgroup, and also uses the location for storing query results specified in the workgroup. See WorkGroupConfiguration$EnforceWorkGroupConfiguration and Workgroup Settings Override Client-Side Settings .

AclConfiguration -> (structure)

Indicates that an Amazon S3 canned ACL should be set to control ownership of stored query results. Currently the only supported canned ACL is BUCKET_OWNER_FULL_CONTROL . This is a client-side setting. If workgroup settings override client-side settings, then the query uses the ACL configuration that is specified for the workgroup, and also uses the location for storing query results specified in the workgroup. For more information, see WorkGroupConfiguration$EnforceWorkGroupConfiguration and Workgroup Settings Override Client-Side Settings .

S3AclOption -> (string)

The Amazon S3 canned ACL that Athena should specify when storing query results, including data files inserted by Athena as the result of statements like CTAS or INSERT INTO. Currently the only supported canned ACL is BUCKET_OWNER_FULL_CONTROL . If a query runs in a workgroup and the workgroup overrides client-side settings, then the Amazon S3 canned ACL specified in the workgroup’s settings is used for all queries that run in the workgroup. For more information about Amazon S3 canned ACLs, see Canned ACL in the Amazon S3 User Guide .

EnforceWorkGroupConfiguration -> (boolean)

If set to “true”, the settings for the workgroup override client-side settings. If set to “false”, client-side settings are used. For more information, see Workgroup Settings Override Client-Side Settings .

PublishCloudWatchMetricsEnabled -> (boolean)

Indicates that the Amazon CloudWatch metrics are enabled for the workgroup.

BytesScannedCutoffPerQuery -> (long)

The upper data usage limit (cutoff) for the amount of bytes a single query in a workgroup is allowed to scan.

RequesterPaysEnabled -> (boolean)

If set to true , allows members assigned to a workgroup to reference Amazon S3 Requester Pays buckets in queries. If set to false , workgroup members cannot query data from Requester Pays buckets, and queries that retrieve data from Requester Pays buckets cause an error. The default is false . For more information about Requester Pays buckets, see Requester Pays Buckets in the Amazon Simple Storage Service Developer Guide .

EngineVersion -> (structure)

The engine version that all queries running on the workgroup use. Queries on the AmazonAthenaPreviewFunctionality workgroup run on the preview engine regardless of this setting.

SelectedEngineVersion -> (string)

The engine version requested by the user. Possible values are determined by the output of ListEngineVersions , including AUTO. The default is AUTO.

EffectiveEngineVersion -> (string)

Read only. The engine version on which the query runs. If the user requests a valid engine version other than Auto, the effective engine version is the same as the engine version that the user requested. If the user requests Auto, the effective engine version is chosen by Athena. When a request to update the engine version is made by a CreateWorkGroup or UpdateWorkGroup operation, the EffectiveEngineVersion field is ignored.

AdditionalConfiguration -> (string)

Specifies a user defined JSON string that is passed to the notebook engine.

ExecutionRole -> (string)

The ARN of the execution role used to access user resources for Spark sessions and IAM Identity Center enabled workgroups. This property applies only to Spark enabled workgroups and IAM Identity Center enabled workgroups. The property is required for IAM Identity Center enabled workgroups.

CustomerContentEncryptionConfiguration -> (structure)

Specifies the KMS key that is used to encrypt the user’s data stores in Athena. This setting does not apply to Athena SQL workgroups.

KmsKey -> (string)

The customer managed KMS key that is used to encrypt the user’s data stores in Athena.

EnableMinimumEncryptionConfiguration -> (boolean)

Enforces a minimal level of encryption for the workgroup for query and calculation results that are written to Amazon S3. When enabled, workgroup users can set encryption only to the minimum level set by the administrator or higher when they submit queries.

The EnforceWorkGroupConfiguration setting takes precedence over the EnableMinimumEncryptionConfiguration flag. This means that if EnforceWorkGroupConfiguration is true, the EnableMinimumEncryptionConfiguration flag is ignored, and the workgroup configuration for encryption is used.

IdentityCenterConfiguration -> (structure)

Specifies whether the workgroup is IAM Identity Center supported.

EnableIdentityCenter -> (boolean)

Specifies whether the workgroup is IAM Identity Center supported.

IdentityCenterInstanceArn -> (string)

The IAM Identity Center instance ARN that the workgroup associates to.

QueryResultsS3AccessGrantsConfiguration -> (structure)

Specifies whether Amazon S3 access grants are enabled for query results.

EnableS3AccessGrants -> (boolean)

Specifies whether Amazon S3 access grants are enabled for query results.

CreateUserLevelPrefix -> (boolean)

When enabled, appends the user ID as an Amazon S3 path prefix to the query result output location.

AuthenticationType -> (string)

The authentication type used for Amazon S3 access grants. Currently, only DIRECTORY_IDENTITY is supported.

Shorthand Syntax:

ResultConfiguration={OutputLocation=string,EncryptionConfiguration={EncryptionOption=string,KmsKey=string},ExpectedBucketOwner=string,AclConfiguration={S3AclOption=string}},EnforceWorkGroupConfiguration=boolean,PublishCloudWatchMetricsEnabled=boolean,BytesScannedCutoffPerQuery=long,RequesterPaysEnabled=boolean,EngineVersion={SelectedEngineVersion=string,EffectiveEngineVersion=string},AdditionalConfiguration=string,ExecutionRole=string,CustomerContentEncryptionConfiguration={KmsKey=string},EnableMinimumEncryptionConfiguration=boolean,IdentityCenterConfiguration={EnableIdentityCenter=boolean,IdentityCenterInstanceArn=string},QueryResultsS3AccessGrantsConfiguration={EnableS3AccessGrants=boolean,CreateUserLevelPrefix=boolean,AuthenticationType=string}

JSON Syntax:

{
  "ResultConfiguration": {
    "OutputLocation": "string",
    "EncryptionConfiguration": {
      "EncryptionOption": "SSE_S3"|"SSE_KMS"|"CSE_KMS",
      "KmsKey": "string"
    },
    "ExpectedBucketOwner": "string",
    "AclConfiguration": {
      "S3AclOption": "BUCKET_OWNER_FULL_CONTROL"
    }
  },
  "EnforceWorkGroupConfiguration": true|false,
  "PublishCloudWatchMetricsEnabled": true|false,
  "BytesScannedCutoffPerQuery": long,
  "RequesterPaysEnabled": true|false,
  "EngineVersion": {
    "SelectedEngineVersion": "string",
    "EffectiveEngineVersion": "string"
  },
  "AdditionalConfiguration": "string",
  "ExecutionRole": "string",
  "CustomerContentEncryptionConfiguration": {
    "KmsKey": "string"
  },
  "EnableMinimumEncryptionConfiguration": true|false,
  "IdentityCenterConfiguration": {
    "EnableIdentityCenter": true|false,
    "IdentityCenterInstanceArn": "string"
  },
  "QueryResultsS3AccessGrantsConfiguration": {
    "EnableS3AccessGrants": true|false,
    "CreateUserLevelPrefix": true|false,
    "AuthenticationType": "DIRECTORY_IDENTITY"
  }
}

--description (string)

The workgroup description.

--tags (list)

A list of comma separated tags to add to the workgroup that is created.

(structure)

A label that you assign to a resource. Athena resources include workgroups, data catalogs, and capacity reservations. Each tag consists of a key and an optional value, both of which you define. For example, you can use tags to categorize Athena resources by purpose, owner, or environment. Use a consistent set of tag keys to make it easier to search and filter the resources in your account. For best practices, see Tagging Best Practices . Tag keys can be from 1 to 128 UTF-8 Unicode characters, and tag values can be from 0 to 256 UTF-8 Unicode characters. Tags can use letters and numbers representable in UTF-8, and the following characters: + - = . _ : / @. Tag keys and values are case-sensitive. Tag keys must be unique per resource. If you specify more than one tag, separate them by commas.

Key -> (string)

A tag key. The tag key length is from 1 to 128 Unicode characters in UTF-8. You can use letters and numbers representable in UTF-8, and the following characters: + - = . _ : / @. Tag keys are case-sensitive and must be unique per resource.

Value -> (string)

A tag value. The tag value length is from 0 to 256 Unicode characters in UTF-8. You can use letters and numbers representable in UTF-8, and the following characters: + - = . _ : / @. Tag values are case-sensitive.

Shorthand Syntax:

Key=string,Value=string ...

JSON Syntax:

[
  {
    "Key": "string",
    "Value": "string"
  }
  ...
]

--cli-input-json | --cli-input-yaml (string) Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command. The generated JSON skeleton is not stable between versions of the AWS CLI and there are no backwards compatibility guarantees in the JSON skeleton generated.

Global Options

--debug (boolean)

Turn on debug logging.

--endpoint-url (string)

Override command’s default URL with the given URL.

--no-verify-ssl (boolean)

By default, the AWS CLI uses SSL when communicating with AWS services. For each SSL connection, the AWS CLI will verify SSL certificates. This option overrides the default behavior of verifying SSL certificates.

--no-paginate (boolean)

Disable automatic pagination. If automatic pagination is disabled, the AWS CLI will only make one call, for the first page of results.

--output (string)

The formatting style for command output.

  • json
  • text
  • table
  • yaml
  • yaml-stream

--query (string)

A JMESPath query to use in filtering the response data.

--profile (string)

Use a specific profile from your credential file.

--region (string)

The region to use. Overrides config/env settings.

--version (string)

Display the version of this tool.

--color (string)

Turn on/off color output.

  • on
  • off
  • auto

--no-sign-request (boolean)

Do not sign requests. Credentials will not be loaded if this argument is provided.

--ca-bundle (string)

The CA certificate bundle to use when verifying SSL certificates. Overrides config/env settings.

--cli-read-timeout (int)

The maximum socket read time in seconds. If the value is set to 0, the socket read will be blocking and not timeout. The default value is 60 seconds.

--cli-connect-timeout (int)

The maximum socket connect time in seconds. If the value is set to 0, the socket connect will be blocking and not timeout. The default value is 60 seconds.

--cli-binary-format (string)

The formatting style to be used for binary blobs. The default format is base64. The base64 format expects binary blobs to be provided as a base64 encoded string. The raw-in-base64-out format preserves compatibility with AWS CLI V1 behavior and binary values must be passed literally. When providing contents from a file that map to a binary blob fileb:// will always be treated as binary and use the file contents directly regardless of the cli-binary-format setting. When using file:// the file contents will need to properly formatted for the configured cli-binary-format.

  • base64
  • raw-in-base64-out

--no-cli-pager (boolean)

Disable cli pager for output.

--cli-auto-prompt (boolean)

Automatically prompt for CLI input parameters.

--no-cli-auto-prompt (boolean)

Disable automatically prompt for CLI input parameters.

Examples

Note

To use the following examples, you must have the AWS CLI installed and configured. See the Getting started guide in the AWS CLI User Guide for more information.

Unless otherwise stated, all examples have unix-like quotation rules. These examples will need to be adapted to your terminal’s quoting rules. See Using quotation marks with strings in the AWS CLI User Guide .

To create a workgroup

The following create-work-group example creates a workgroup called Data_Analyst_Group that has the query results output location s3://awsdoc-example-bucket. The command creates a workgroup that overrides client configuration settings, which includes the query results output location. The command also enables CloudWatch metrics and adds three key-value tag pairs to the workgroup to distinguish it from other workgroups. Note that the --configuration argument has no spaces before the commas that separate its options.

aws athena create-work-group \
    --name Data_Analyst_Group \
    --configuration ResultConfiguration={OutputLocation="s3://awsdoc-example-bucket"},EnforceWorkGroupConfiguration="true",PublishCloudWatchMetricsEnabled="true" \
    --description "Workgroup for data analysts" \
    --tags Key=Division,Value=West Key=Location,Value=Seattle Key=Team,Value="Big Data"

This command produces no output. To see the results, use aws athena get-work-group --work-group Data_Analyst_Group.

For more information, see Managing Workgroups in the Amazon Athena User Guide.

Output

None