Shouldn't the AWSReadOnlyAccess permission group allow access to query Athena tables

Question

In an enterprise account, and wanted to give someone access to query the Cloudtrail logs that are in the Log Archive account Control Tower created. But when I go in with the permission set AWSReadOnlyAccess I get errors bringing up Athena and can't see the tables that were created in there. It all seems like it should be read-only stuff; is that just a miss on AWS's part? Not very useful if the first thing I tried that set of permissions with doesn't work.

`User: arn:aws:sts::....:assumed-role/AWSReservedSSO_AWSReadOnlyAccess_.../... is not authorized to perform: athena:GetQueryExecution on resource: arn:aws:athena:us-east-1:...:workgroup/primary because no identity-based policy allows the athena:GetQueryExecution action
This query ran against the "" database, unless qualified by the query.`

Answer

The `AWSSSOReadOnly` policy is about having read only access to the AWS SSO service and its resources, not AWS in general.

What you probably want is to attach the `ReadOnlyAccess` AWS managed policy to your permission set, as it has permissions like `athena:Batch*`, `athena:Get*`, and `athena:List*`.

Shouldn't the AWSReadOnlyAccess permission group allow access to query Athena tables

관련 콘텐츠