Cross-Account Connect Athena (account X) to Glue + S3 (account Y)

1

Hello,

This question https://repost.aws/questions/QUSdk1j9-FT02t91W3AU0Qng/cross-account-access-from-athena-to-s-3 from 3 years ago seems to be similar. I did all that is suggested apart from using Lake Formation. I wanted to try and create the permissions manually first.

Account Y: I have JSON data in S3 and used Glue to create the catalog in account Y. I configured this owner account as in Step 1.a of https://docs.aws.amazon.com/athena/latest/ug/security-iam-cross-account-glue-catalog-access.html. I also configured the S3 bucket according to "Apply a cross-account bucket policy" from https://tomgregory.com/s3-bucket-access-from-the-same-and-another-aws-account/

Account X: I want to configure Athena to query S3 using the catalog created by Glue. I configured this borrower account as in Step 1.b of https://docs.aws.amazon.com/athena/latest/ug/security-iam-cross-account-glue-catalog-access.html. I also configured the IAM policies according to "Apply a cross-account bucket policy" from https://tomgregory.com/s3-bucket-access-from-the-same-and-another-aws-account/. Both the S3 and Glue policies are attached to the concerned users in this account.

Problem: In account X, Athena is able to access Glue and it displays the database, tables and the catalog. However, when I run a query (the same query that succeeds in account Y) I get the error:

Permission denied on S3 path: s3://asdf
This query ran against the "dbname" database, unless qualified by the query. Please post the error message on our forum
or contact customer support
with Query Id: a3a3a3a...

Apparently I'm missing an S3 permission, but I can't find information about it.

Any help is much appreciated.

Thanks,

Asked 2 years ago, 384 views
1 answer
1
Hello!

I understand that you are having permissions issues with a cross-account environment. Here are a few steps that could help fix this issue:

[1] Check the cross-account S3 bucket policy in Account Y: Ensure that the S3 bucket in account Y has a cross-account bucket policy that grants read access to the IAM role used by Athena in account X.
[2] IAM Role Permissions in Account X: Review the IAM policy attached to the IAM role used by Athena in account X. This IAM policy should have permissions to read from the Glue catalog in account Y, as well as permissions to execute the query in Athena.
[3] Trusted Relationships: View the trusted relationships between the IAM roles in both accounts. The roles in account X should be able to assume the role in account Y, and vice versa.
These are just a few items to check, however there are other methods and steps that could resolve this issue. Please refer to the following resources for further guidance:

[1] Cross-account bucket permissions - 
https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-walkthroughs-managing-access-example2.html
[2] Providing access to S3 bucket - 
https://docs.aws.amazon.com/athena/latest/ug/security-iam-cross-account-glue-catalog-access.html
[3] Cross-account trust relationship - 
https://repost.aws/knowledge-center/cross-account-access-iam
AWS
Vidit_P
Answered 9 months ago
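As an added illustration of items [1] and [2] in the answer above (example code written for this page, not from AWS, the asker or the answerer), the script below builds the two policy documents involved in this setup: the bucket policy in account Y that grants the Athena role in account X, and the identity policy on that role in account X, which must allow the same S3 actions (cross-account S3 access needs both sides to allow) plus read access to the Glue catalog in account Y. It then checks either document for the omission behind many "Permission denied on S3 path" errors: `s3:ListBucket` and `s3:GetBucketLocation` must be granted on the bucket ARN, while `s3:GetObject` is granted on the `bucket/*` object ARN, and a policy that lists only `bucket/*` silently covers neither of the first two. All account ids, the region, the bucket name and the role name are constructed placeholders.

```python
import json
from fnmatch import fnmatchcase

# Constructed placeholders for the example; substitute your own values.
ACCOUNT_X = "111111111111"   # borrower account: where Athena runs
ACCOUNT_Y = "222222222222"   # owner account: Glue catalog + S3 data
REGION = "eu-west-1"
BUCKET = "example-data-bucket"
ROLE_X = f"arn:aws:iam::{ACCOUNT_X}:role/AthenaQueryRole"  # hypothetical role

# What Athena needs on the data bucket: list/location on the bucket ARN,
# object read on the "bucket/*" ARN. A grant on "bucket/*" alone misses the first two.
REQUIRED_S3 = {
    "bucket": {"s3:ListBucket", "s3:GetBucketLocation"},
    "object": {"s3:GetObject"},
}


def bucket_policy_account_y(bucket: str, principal_arn: str) -> dict:
    """Resource policy on the bucket in account Y granting the role in account X."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowBucketListFromAccountX", "Effect": "Allow",
             "Principal": {"AWS": principal_arn},
             "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": bucket_arn},
            {"Sid": "AllowObjectReadFromAccountX", "Effect": "Allow",
             "Principal": {"AWS": principal_arn},
             "Action": ["s3:GetObject"],
             "Resource": f"{bucket_arn}/*"},
        ],
    }


def identity_policy_account_x(bucket: str, owner_account: str, region: str) -> dict:
    """Identity policy for the Athena role in account X: the caller's own policy
    must allow the same S3 actions, plus read access to the Glue catalog in Y."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    glue = f"arn:aws:glue:{region}:{owner_account}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadDataBucketInAccountY", "Effect": "Allow",
             "Action": ["s3:ListBucket", "s3:GetBucketLocation", "s3:GetObject"],
             "Resource": [bucket_arn, f"{bucket_arn}/*"]},
            {"Sid": "ReadGlueCatalogInAccountY", "Effect": "Allow",
             "Action": ["glue:GetDatabase", "glue:GetDatabases", "glue:GetTable",
                        "glue:GetTables", "glue:GetPartition", "glue:GetPartitions"],
             "Resource": [f"{glue}:catalog", f"{glue}:database/*", f"{glue}:table/*/*"]},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def missing_s3_grants(policy: dict, bucket: str) -> set:
    """Return the (level, action) pairs from REQUIRED_S3 that no Allow statement
    covers. Wildcards in Action/Resource are matched as globs. Deny statements,
    Conditions and KMS are not evaluated, so an empty result is necessary for
    Athena to read the bucket, not sufficient."""
    targets = {"bucket": f"arn:aws:s3:::{bucket}", "object": f"arn:aws:s3:::{bucket}/*"}
    granted = {"bucket": set(), "object": set()}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for level, arn in targets.items():
            if not any(fnmatchcase(arn, r) for r in resources):
                continue
            for wanted in REQUIRED_S3[level]:
                if any(fnmatchcase(wanted, a) for a in actions):
                    granted[level].add(wanted)
    return {(lvl, a) for lvl, acts in REQUIRED_S3.items() for a in acts - granted[lvl]}


if __name__ == "__main__":
    good = bucket_policy_account_y(BUCKET, ROLE_X)
    print(json.dumps(good, indent=2))
    print("missing in full policy:", missing_s3_grants(good, BUCKET))
    # Common mistake: only the object-level statement is present.
    object_only = {"Version": "2012-10-17", "Statement": [good["Statement"][1]]}
    print("missing in object-only policy:", sorted(missing_s3_grants(object_only, BUCKET)))
```

Run the check against the real documents (for example the output of `aws s3api get-bucket-policy` in account Y and `aws iam get-policy-version` in account X) after loading them with `json.loads`. Two things the check deliberately leaves out are worth verifying by hand: any Deny or Condition on either side, and the query result location, which lives in account X and needs write access from the same role independently of the cross-account data bucket.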
