Shouldn't the AWSReadOnlyAccess permission group allow access to query Athena tables?

0

In an enterprise account, I wanted to give someone access to query the CloudTrail logs that are in the Log Archive account Control Tower created. But when I go in with the permission set AWSReadOnlyAccess I get errors bringing up Athena and can't see the tables that were created in there. It all seems like it should be read-only stuff; is that just a miss on AWS's part? Not very useful if the first thing I tried that set of permissions with doesn't work.

User: arn:aws:sts::....:assumed-role/AWSReservedSSO_AWSReadOnlyAccess_.../... is not authorized to perform: athena:GetQueryExecution on resource: arn:aws:athena:us-east-1:...:workgroup/primary because no identity-based policy allows the athena:GetQueryExecution action This query ran against the "" database, unless qualified by the query.

1 answer
1

The AWSSSOReadOnly policy is about having read only access to the AWS SSO service and its resources, not AWS in general.

What you probably want is to attach the ReadOnlyAccess AWS managed policy to your permission set, as it has permissions like athena:Batch*, athena:Get*, and athena:List*.

rowanu
answered 2 years ago
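A way to check the answer's point offline, as an added example that is not part of the original thread: parse the AccessDenied message the question quotes, then test the denied action against each candidate policy's `Action` patterns using IAM's wildcard semantics. The two policy excerpts are constructed stand-ins (the `ReadOnlyAccess` excerpt carries only the three `athena:` patterns the answer names; the `AWSSSOReadOnly` excerpt is a hypothetical SSO-only statement), and the account id and session names in the sample message are placeholders.

```python
import fnmatch
import re
from typing import Dict, List, Union

# Constructed sample in the shape of the AccessDenied message quoted in the
# question; account id and session names are placeholders, not real values.
SAMPLE_ERROR = (
    "User: arn:aws:sts::111122223333:assumed-role/"
    "AWSReservedSSO_AWSReadOnlyAccess_abc123/alice "
    "is not authorized to perform: athena:GetQueryExecution on resource: "
    "arn:aws:athena:us-east-1:111122223333:workgroup/primary "
    "because no identity-based policy allows the athena:GetQueryExecution action"
)

# Hypothetical policy excerpts. READONLY_EXCERPT lists only the three Athena
# patterns the answer attributes to the ReadOnlyAccess managed policy;
# SSO_READONLY_EXCERPT is a constructed stand-in for a policy scoped to the
# SSO service alone. Neither is the full text of a real managed policy.
READONLY_EXCERPT = {
    "Statement": [
        {"Effect": "Allow",
         "Action": ["athena:Batch*", "athena:Get*", "athena:List*"],
         "Resource": "*"}
    ]
}
SSO_READONLY_EXCERPT = {
    "Statement": [
        {"Effect": "Allow",
         "Action": ["sso:Describe*", "sso:Get*", "sso:List*"],
         "Resource": "*"}
    ]
}

# Principal, action and resource as they appear in an IAM AccessDenied message.
_DENY_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[\w-]+:[\w*]+) on resource: (?P<resource>\S+)"
)


def parse_access_denied(message: str) -> Dict[str, str]:
    """Extract principal, action and resource from an AccessDenied message."""
    m = _DENY_RE.search(message)
    if not m:
        raise ValueError("not an IAM AccessDenied message")
    return m.groupdict()


def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching: case-insensitive, '*' any run, '?' one character."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _as_list(value: Union[str, List[str], None]) -> List[str]:
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def allowed_by(policy: dict, action: str) -> bool:
    """True if some Allow statement matches `action` and no Deny statement does.

    Only the Action element is evaluated; Resource, Condition and NotAction are
    deliberately ignored, so this answers "does the policy name the action at
    all", which is exactly what the quoted error is about.
    """
    allowed = denied = False
    for stmt in policy.get("Statement", []):
        if any(action_matches(p, action) for p in _as_list(stmt.get("Action"))):
            if stmt.get("Effect") == "Deny":
                denied = True
            elif stmt.get("Effect") == "Allow":
                allowed = True
    return allowed and not denied


def diagnose(message: str, policies: Dict[str, dict]) -> Dict[str, bool]:
    """Map each candidate policy name to whether it names the denied action."""
    denied_action = parse_access_denied(message)["action"]
    return {name: allowed_by(p, denied_action) for name, p in policies.items()}


if __name__ == "__main__":
    report = diagnose(SAMPLE_ERROR, {"ReadOnlyAccess": READONLY_EXCERPT,
                                     "AWSSSOReadOnly": SSO_READONLY_EXCERPT})
    for name, ok in report.items():
        print(f"{name}: {'allows' if ok else 'does not name'} the denied action")
```

Because only the `Action` element is evaluated, a `True` here means the policy names the action, not that the call will succeed; a resource-scoped statement, a condition, a service control policy or a permission boundary can still deny it, and querying CloudTrail tables additionally depends on Glue catalog and S3 permissions that this check does not cover.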
