Description
Repository: https://github.com/laughingman7743/PyAthena
Problem
When using PyAthena with a configured work_group, the GetTableMetadata API call does not include the WorkGroup parameter, even though the AWS API supports it. This forces IAM policies to use workgroup/* wildcards instead of specific workgroup ARNs, which is less secure than necessary.
Reproduction
```python
from pyathena import connect

conn = connect(
    work_group='my-workgroup',
    region_name='us-west-2'
)
cursor = conn.cursor()
# This triggers GetTableMetadata without passing WorkGroup
cursor.execute("SELECT * FROM my_catalog.my_database.my_table")
```
CloudTrail for the GetTableMetadata call shows no workGroup parameter:
```json
"requestParameters": {
    "catalogName": "s3tablescatalog/my-bucket",
    "databaseName": "my-database",
    "tableName": "my_table"
}
```
Expected Behavior
The GetTableMetadata call should include WorkGroup=my-workgroup when a work_group is configured:
```json
"requestParameters": {
    "catalogName": "s3tablescatalog/my-bucket",
    "databaseName": "my-database",
    "tableName": "my_table",
    "workGroup": "my-workgroup"
}
```
Impact
Without the workgroup parameter, IAM policies must allow:
```
"arn:aws:athena:us-west-2:123456789:workgroup/*"
```
Instead of the more restrictive:
```
"arn:aws:athena:us-west-2:123456789:workgroup/my-workgroup"
```
Suggested Fix
Pass WorkGroup to the get_table_metadata boto3 call when self.work_group is configured.
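An added example, not PyAthena's own code: it builds the get_table_metadata keyword arguments the way the suggested fix would (WorkGroup only when a workgroup is configured) and audits a CloudTrail record for the missing workGroup, reporting the narrowest workgroup ARN an IAM policy could be scoped to for that call. The CloudTrail record and the account id are constructed, and the helper names are hypothetical.

```python
def get_table_metadata_params(catalog_name, database_name, table_name, work_group=None):
    """Kwargs for boto3 athena.get_table_metadata; WorkGroup only when configured."""
    params = {
        "CatalogName": catalog_name,
        "DatabaseName": database_name,
        "TableName": table_name,
    }
    if work_group:
        params["WorkGroup"] = work_group
    return params


def workgroup_resource_arn(region, account_id, work_group=None):
    """Narrowest workgroup ARN a policy can name; a call with no workgroup forces workgroup/*."""
    return f"arn:aws:athena:{region}:{account_id}:workgroup/{work_group or '*'}"


def audit_get_table_metadata(event, expected_work_group):
    """Report whether a CloudTrail GetTableMetadata record carries the expected workGroup."""
    if (event.get("eventSource") != "athena.amazonaws.com"
            or event.get("eventName") != "GetTableMetadata"):
        return {"applicable": False}
    work_group = (event.get("requestParameters") or {}).get("workGroup")
    return {
        "applicable": True,
        "workGroupPresent": work_group is not None,
        "matchesExpected": work_group == expected_work_group,
        "minimalResourceArn": workgroup_resource_arn(
            event["awsRegion"], event["recipientAccountId"], work_group),
    }


# Constructed CloudTrail record mirroring the issue's example (not a real log).
SAMPLE_EVENT = {
    "eventSource": "athena.amazonaws.com",
    "eventName": "GetTableMetadata",
    "awsRegion": "us-west-2",
    "recipientAccountId": "123456789",
    "requestParameters": {"catalogName": "s3tablescatalog/my-bucket",
                          "databaseName": "my-database", "tableName": "my_table"},
}
```

Running audit_get_table_metadata over CloudTrail events for an account shows which callers still issue GetTableMetadata without a workgroup, and therefore which policies cannot yet drop the workgroup/* wildcard.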