How do I resolve the "Unable to verify/create output bucket" error in Athena?

Resolution

If you manually set the query result location, then confirm that the Amazon Simple Storage Service (Amazon S3) bucket exists.

If the S3 bucket exists, then check the following properties of the AWS Identity and Access Management (IAM) policy for the user or role that runs the query:

• Confirm that the policy allows the required permissions, such as s3:GetBucketLocation.
• Make sure that the IAM policy doesn't contain a Deny statement that uses aws:SourceIp or aws:SourceVpc to restrict Amazon S3 permissions.

For example, the following policy allows the IAM user or role to run the query:

{  
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload",
        "s3:CreateBucket",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::aws-athena-query-results-*",
        "arn:aws:s3:::query-results-custom-bucket",
        "arn:aws:s3:::query-results-custom-bucket/*"
      ]
    }
  ]
}

Note: For existing S3 buckets, you can remove the s3:CreateBucket permission. If you manually set the query result location, then don't include arn:aws:s3:::aws-athena-query-results-* in the policy. The policy must include arn:aws:s3:::query-results-custom-bucket and arn:aws:s3:::query-results-custom-bucket/* only when you manually set the query result location.

Related information

Control access to Amazon S3 from Athena

Examples of Amazon S3 bucket policies

Controlling access from virtual private cloud (VPC) endpoints with bucket policies

Policy actions for Amazon S3