
Configure cross-account access to a shared AWS Glue Data Catalog using Amazon Athena

What Is This Setup All About? 

In plain terms, the Cross-account AWS Glue Data Catalog Access setup allows one AWS account (let’s call it the customer account) to use Amazon Athena to run SQL queries on data stored in another AWS account (your data account). The data stays right where it is, in your S3 bucket. The AWS Glue Data Catalog manages the metadata. And the customer account just plugs in via Athena — securely, without needing to lift or copy anything.

It keeps things clean. You keep control. They get what they need.
 

Why This Setup Makes Life Easier

  • You don’t have to move or duplicate your data. That alone saves you a bunch of headaches. 

  • You stay in control. You’re not handing over your entire account — you’re giving limited, safe access. 

  • It saves time and money. Less copying, syncing, or wrangling means lower AWS bills and less manual labor. 

  • It works across teams or clients. Whether it’s internal teams or external partners, they can query your data securely. 

  • The whole thing is serverless. You don’t have to spin up or manage any servers — Glue and Athena handle that. 
     

Who’s This For? 

This kind of setup is a great fit for: 

  • Companies with a central data lake or warehouse that’s used by multiple teams 

  • Businesses offering analytics services across clients 

  • Enterprises with multiple AWS accounts that need to talk to each other 

  • Consultants or contractors working inside client environments 

Say you’re a data team that manages reporting data in one account, but your marketing or finance teams have their own AWS setups — they can query your data, but you stay in control. Or maybe you’re a startup offering data analytics to multiple clients — each with their own AWS account. This helps you scale securely. 
 

What’s Included in This Setup?

Here’s what you’ll be working with: 

  • S3 Bucket (in the data account): Holds your actual datasets. 

  • AWS Glue Crawler: Scans your data and creates table definitions in the Glue Data Catalog. 

  • Glue Data Catalog: Where all the metadata (like table names, columns, etc.) lives. 

  • Bucket Policy: Gives the customer account read-only access to your S3 bucket. 

  • Glue Catalog Resource Policy: Allows Athena in the customer account to use your catalog. 

  • Amazon Athena: The tool the customer account uses to query your data using SQL. 

  • Named Catalog Reference: A pointer from the customer account to your Glue catalog. 

  • IAM Role (in the customer account): Used by Athena to assume access. 

  • IAM Trust Policy (in the data account): Grants permission to the customer role. 

  • IAM Policy: Defines exactly what that role can and can’t do.  

  • Optional IAM Users/Groups: Helps organize who in the customer account can run queries. 
     

How to Set It Up

Here’s a high-level overview of how this works from both sides: 
 

In the Data Account: 

  1. Store your data in an S3 bucket.

  2. Run a Glue Crawler to create metadata in the Glue Data Catalog.

  3. Add a bucket policy to allow the customer account’s IAM role to read the data.

  4. Create or update a resource policy on your Glue Data Catalog to allow access from the customer account.

  5. Set up a trust relationship so the customer’s IAM role can assume access securely.
     

In the Customer Account: 

  1. Create an IAM role that Athena will use to assume access to the data account.

  2. Grant that role permission to read from S3 and use the shared Glue Data Catalog.

  3. Add a named catalog reference to the data account’s Glue Data Catalog.

  4. Use Athena like normal — only now, it queries data sitting in someone else’s account.

It takes a few steps, but once it’s set up, the experience is seamless. The customer team writes queries just like they would for their own data — but the data stays under your control.
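The two data-account policies from the steps above (the bucket policy and the Glue Data Catalog resource policy), built as JSON documents and run through an audit that rejects wildcard principals and non-read actions. This is an added example, not part of the original template; the account IDs, role name, bucket, database and region are constructed placeholders, and naming the customer role ARN as the principal in both policies is an assumption.

```python
import json
# Constructed placeholder values (assumptions, not taken from the page).
# Assumption: both policies name the customer's Athena role as principal.
DATA_ACCOUNT = "111111111111"
CUSTOMER_ROLE = "arn:aws:iam::222222222222:role/AthenaCrossAccountRole"
REGION, BUCKET, DATABASE = "us-east-1", "example-data-bucket", "example_db"
READ_ONLY_PREFIXES = ("glue:Get", "glue:BatchGet", "s3:Get", "s3:List")

def glue_catalog_policy():
    """Resource policy for the data account's Glue Data Catalog (read-only)."""
    base = f"arn:aws:glue:{REGION}:{DATA_ACCOUNT}"
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": CUSTOMER_ROLE},
        "Action": ["glue:GetDatabase", "glue:GetTable", "glue:GetTables",
                   "glue:GetPartition", "glue:GetPartitions", "glue:BatchGetPartition"],
        "Resource": [f"{base}:catalog", f"{base}:database/{DATABASE}",
                     f"{base}:table/{DATABASE}/*"],
    }]}

def bucket_policy():
    """Bucket policy for the data bucket: list the bucket and read objects only."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": CUSTOMER_ROLE},
        "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }]}

def audit(policy):
    """Return findings for Allow statements broader than read-only sharing."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        principals = [aws] if isinstance(aws, str) else list(aws)
        if "*" in principals:
            findings.append(f"statement {i}: wildcard principal")
        actions = st.get("Action", [])
        for action in [actions] if isinstance(actions, str) else actions:
            if not action.startswith(READ_ONLY_PREFIXES):
                findings.append(f"statement {i}: non-read action {action}")
    return findings

if __name__ == "__main__":
    for name, pol in (("glue", glue_catalog_policy()), ("s3", bucket_policy())):
        print(name, audit(pol) or "ok", json.dumps(pol, indent=2))
```

Running the audit over a policy before attaching it catches the two mistakes that most often turn a shared catalog into an open one: `"Principal": "*"` and `s3:*` or `glue:*` in the action list.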
 

Summary 

The Cross-account AWS Glue Data Catalog Access setup isn’t just about making cross-account access possible. It’s about doing it cleanly, securely, and without breaking your budget. The data stays put. The control stays with you. And the other account gets the insights they need without risky workarounds. 

Whether you're managing shared datasets for internal teams or building a scalable data product for clients, this approach gives you a reliable way to share data using AWS-native tools — without ever giving up control. 
