How do I resolve "Access denied" errors when I use Athena as a data source in Quick Suite?


I get "Access denied" errors when I use Amazon Athena as a data source in my Amazon Quick Suite account.

Short description

The following are reasons you might receive "Access denied" errors when you use Amazon Athena as a data source in Amazon Quick Suite:

  • Your Quick Suite account doesn't have the required permission to access the Amazon Simple Storage Service (Amazon S3) bucket.
  • Your data file is encrypted with an AWS Key Management Service (AWS KMS) key.
  • You don't have the necessary AWS Identity and Access Management (IAM) permissions policy assigned to you.
  • The Amazon S3 bucket doesn't exist. Or, the IAM role that's used to query the data doesn't have the required S3 permissions.
  • You don't have the necessary service control policies (SCPs) assigned to you for Quick Suite accounts that use AWS Organizations.
  • Your Quick Suite user or group doesn't have AWS Lake Formation permissions for Athena accounts that use Lake Formation.

Note: Before you begin troubleshooting, make sure that you can access your data in Athena.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Grant Quick Suite access to your S3 bucket

You receive the following error message when your Quick Suite account doesn't have the required permissions to access the Amazon S3 bucket:

"An error has been thrown from AWS Athena client. Permission denied on S3 path:sourceErrorMessage: s3:/example bucket/object name"

To resolve this error, grant Quick Suite access to the Amazon S3 bucket. Complete the following steps:

  1. Open the Quick Suite console.
  2. Choose your user name on the application bar and then choose Manage Quick Suite.
  3. In the navigation pane under Permissions, choose AWS resources.
  4. From the list of AWS Services, select Amazon S3.
  5. Choose Select S3 buckets, and then select the S3 bucket.
  6. Choose Write permission for Athena Workgroup, and then choose Finish.
  7. Choose Save.

Grant Quick Suite access to your KMS-encrypted data

If your data file is encrypted with an AWS KMS key, then Amazon S3 can deny you access to the data. To resolve this issue, use either the AWS CLI or AWS KMS console to grant your Quick Suite service role access to the AWS KMS key.

Use the AWS CLI

Complete the following steps:

  1. Use the IAM console to locate the Quick Suite service role ARN.

  2. Use the Amazon S3 console to find the AWS KMS key ARN.

  3. Go to the bucket that contains your data file.

  4. Choose the Overview tab, and then locate KMS key ID.

  5. Add the Quick Suite service role ARN to the KMS key policy.

  6. Run the create-grant AWS CLI command:

    aws kms create-grant --key-id aws_kms_key_arn --grantee-principal quicksight_role_arn --operations Decrypt

    Note: Replace aws_kms_key_arn with the ARN of your AWS KMS key and quicksight_role_arn with the ARN of your Quick Suite service role.

Use the AWS KMS console

To add the Quick Suite service role to the AWS KMS key policy, change the key policy. Then, add the following permissions to the key policy:

{
    "Sid": "Allow use of the key",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::aws-account-id:role/service-role/aws-quicksight-service-role-v0",
            "arn:aws:iam::aws-account-id:role/service-role/aws-quicksight-s3-consumers-role-v0"
        ]
    },
    "Action": [
        "kms:Decrypt"
    ],
    "Resource": "*"
}

Note: In the preceding statement, replace aws-account-id with your account ID so that the Principal section contains the ARNs of your Quick Suite service roles.

Check and update your IAM policy assignments

To check which policies are assigned to you and verify whether the policy restricts your access, complete the following steps:

  1. Open the Amazon Quick Suite console.
  2. Choose your user name on the application bar and then choose Manage Quick Suite.
  3. In the navigation pane under Permissions, choose IAM policy assignments.
  4. Check if there are any IAM policy assignments to access Athena.
  5. Verify that the policy doesn't restrict your access to Amazon S3 or Athena.

If a policy restricts your access to either S3 or Athena, then ask your Quick Suite administrator to change the policy. If you're the administrator, then deactivate the IAM policy assignment, and edit the policy to include S3 and Athena permissions. For more information, see Setting granular access to AWS services through IAM.
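The two policy checks above (does the KMS key policy grant the Quick Suite service role kms:Decrypt, and does an IAM policy assignment deny S3 or Athena actions) can be run offline against the policy JSON before touching the console. The following is an added example, not code from this article or from AWS; the account ID, the second policy document, and the helper names are constructed, and it evaluates only Effect, Principal and Action (Resource and Condition blocks are not checked).

```python
import fnmatch
# Constructed sample: the key policy statement from this article, with a placeholder account ID.
QUICK_SUITE_ROLE = "arn:aws:iam::111122223333:role/service-role/aws-quicksight-service-role-v0"
KEY_POLICY = {
    "Statement": [{
        "Sid": "Allow use of the key",
        "Effect": "Allow",
        "Principal": {"AWS": [QUICK_SUITE_ROLE]},
        "Action": ["kms:Decrypt"],
        "Resource": "*",
    }],
}
# Constructed sample: an IAM policy assignment that allows S3 but explicitly denies one Athena action.
ASSIGNMENT_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket", "athena:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "athena:StartQueryExecution", "Resource": "*"},
    ],
}
ATHENA_ACTIONS = ("athena:StartQueryExecution", "athena:GetQueryResults", "s3:GetObject", "s3:ListBucket")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM action strings may carry '*' wildcards (for example "athena:*"); fnmatch handles them.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _principal_matches(principal, arn):
    # Identity-based policies (IAM policy assignments) carry no Principal and apply to the caller.
    if principal is None or principal == "*":
        return True
    return _matches(principal.get("AWS", []), arn or "")

def evaluate(policy, action, principal_arn=None):
    """Return 'deny', 'allow' or 'implicit_deny'. An explicit Deny wins over any Allow."""
    decision = "implicit_deny"
    for stmt in _as_list(policy["Statement"]):
        if not _principal_matches(stmt.get("Principal"), principal_arn):
            continue
        if not _matches(stmt.get("Action", []), action):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision

def missing_for_athena(policy, actions=ATHENA_ACTIONS):
    # Actions an IAM policy assignment does not allow; any hit means the assignment needs editing.
    return [a for a in actions if evaluate(policy, a) != "allow"]
```

Paste the policy JSON from the AWS KMS console or the IAM policy assignment into the two dictionaries to check your own documents.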

Verify your S3 bucket exists and has correct permissions

You receive the following error message when the S3 bucket doesn't exist, or when the IAM role that's used to query the data doesn't have the required S3 permissions:

"Unable to verify/create output bucket."

To resolve this error, see How do I resolve the "Unable to verify/create output bucket" error in Athena?

If the bucket doesn't exist, then add the valid S3 bucket. From the Quick Suite console, select Amazon S3 from the list of AWS Services. Then, select the S3 bucket that's used for the query result location.

Update your service control policies (SCPs)

Ask the Organizations administrator to check your SCP settings to verify the permissions that are assigned to you. If you're an Organizations administrator, then see Creating organization policies with AWS Organizations.

Grant Lake Formation permissions to Quick Suite users

You receive the following error message when your Quick Suite user or group doesn't have Lake Formation permissions:

"An error has been thrown from the AWS Athena client. Insufficient permissions to execute the query. Insufficient Lake Formation permission(s)."

To resolve this error, grant Lake Formation permissions for Quick Suite. You must be a Lake Formation administrator.

Complete the following steps:

  1. Locate the ARN for the Quick Suite user or group.

  2. Run one of the following AWS CLI commands:

    describe-user

    aws quicksight describe-user --user-name user_name --aws-account-id account_id --namespace default

    -or-

    describe-group

    aws quicksight describe-group --group-name group_name --aws-account-id account_id --namespace default

    Note: In the preceding commands, replace user_name with your user's name, group_name with your group's name, and account_id with your account's ID.

  3. Open the Lake Formation console.

  4. Choose Tables.

  5. Choose Actions, and then choose Permissions.

  6. From the list of Principals, choose Grant.

  7. Under SAML and Amazon Quick Sight users and groups, enter the Quick Suite user or group ARN. For example, arn:aws:quicksight:region:accountId:user/namespace/username.

  8. Select the correct data source, and then choose All tables. For the table permissions, choose Select and Describe.

  9. Choose Grant.

After you grant permissions, return to the Quick Suite console to try to create the dataset again.

Related information

Insufficient permissions when using Athena with Amazon Quick Suite

Introducing Amazon Quick Suite fine-grained access control over Amazon S3 and Amazon Athena

Turn on fine-grained permissions for Amazon Quick Suite authors in AWS Lake Formation