Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

Shouldn't the AWSReadOnlyAccess permission group allow access to query Athena tables

0

In an enterprise account, and wanted to give someone access to query the Cloudtrail logs that are in the Log Archive account Control Tower created. But when I go in with the permission set AWSReadOnlyAccess I get errors bringing up Athena and can't see the tables that were created in there. It all seems like it should be read-only stuff; is that just a miss on AWS's part? Not very useful if the first thing I tried that set of permissions with doesn't work.

User: arn:aws:sts::....:assumed-role/AWSReservedSSO_AWSReadOnlyAccess_.../... is not authorized to perform: athena:GetQueryExecution on resource: arn:aws:athena:us-east-1:...:workgroup/primary because no identity-based policy allows the athena:GetQueryExecution action This query ran against the "" database, unless qualified by the query.

Argomenti
AnalisiSicurezza, identità e conformità
Tag
Amazon AthenaGestione identità e accesso AWS
Lingua
English
larryjkl
posta 2 anni fa241 visualizzazioni
1 Risposta
1

The AWSSSOReadOnly policy is about having read only access to the AWS SSO service and its resources, not AWS in general.

What you probably want is to attach the ReadOnlyAccess AWS managed policy to your permission set, as it has permissions like athena:Batch*, athena:Get*, and athena:List*.

profile picture
rowanu
con risposta 2 anni fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente