I am trying to execute athena queries from a lambda function but I am getting this error:
Athena Query Failed to run with Error Message: Permission denied on S3 path: s3://bkt_logs/apis/2020/12/16/14
The bucket bkt_logs
is the bucket which is used by AWS Glue Crawlers to crawl through all the sub-folders and populate Athena table on which I am querying on.
Also, bkt_logs
is an encrypted bucket.
These are the policies that I have assigned to the Lambda.
[
{
"Action": [
"s3:Get*",
"s3:List*",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::athena-query-results/*",
"Effect": "Allow",
"Sid": "AllowS3AccessToSaveAndReadQueryResults"
},
{
"Action": [
"s3:*"
],
"Resource": "arn:aws:s3:::bkt_logs/*",
"Effect": "Allow",
"Sid": "AllowS3AccessForGlueToReadLogs"
},
{
"Action": [
"athena:GetQueryExecution",
"athena:StartQueryExecution",
"athena:StopQueryExecution",
"athena:GetWorkGroup",
"athena:GetDatabase",
"athena:BatchGetQueryExecution",
"athena:GetQueryResults",
"athena:GetQueryResultsStream",
"athena:GetTableMetadata"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "AllowAthenaAccess"
},
{
"Action": [
"glue:GetTable",
"glue:GetDatabase",
"glue:GetPartitions"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "AllowGlueAccess"
},
{
"Action": [
"kms:CreateGrant",
"kms:DescribeKey",
"kms:Decrypt"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "AllowKMSAccess"
}
]
What seems to be wrong here? What should I do to resolve this issue?
Thanks @skinsman. After updating the resource to "Resource": ["arn:aws:s3:::bkt_logs", "arn:aws:s3:::bkt_logs/*"] I was able to resolve the issue.