Aws glue database

Question

Facing this error : @ Exception in User Class: org.apache.spark.sql.catalyst.analysis.AccessControlException: Unable to verify existence of default database: com.amazonaws.services.glue.model.GlueEncryptionException: User: arn:aws:sts:assumed-role/iamrole/GlueJobRunnerSession is not authorized to perform: kms:Decrypt on the resource associated with this ciphertext because no identity-based policy allows the kms:Decrypt action (Service: AWSKMS; Status Code:
400; Error Code: AccessDeniedException; Request ID: 504f921-bedb-4b63-a559-87d07d4ebaf5; Proxy: null) (Service: AWSGlue;
Status Code: 400; Error Code: GluencryptionException; Request ID: d749798d-65f9-4180-b5d6-c91bd112747a; Proxy: null)

Answer

You'd need to grant glue job service role kms:Decrypt access. From the error logs it's evident that it doesn't have access to KMS key here.

You need to find the KMS key and then add this permission to one of the policy in glue job service role. Once you add kms:Decrypt permission for that KMS key, this error would go away.

Refer [Setting up encryption in AWS Glue](https://docs.aws.amazon.com/glue/latest/dg/set-up-encryption.html) and [Encrypting data written by AWS Glue](https://docs.aws.amazon.com/glue/latest/dg/encryption-security-configuration.html) for more details and see which one applies to your case and accordingly add the permissions for kms:Decrypt.

Also make sure there are no explicit deny in that KMS key resource policy, you can check that by going to KMS console, select that key and check key policy.

Hope this helps.

Abhishek

Aws glue database

関連するコンテンツ