Cross Account Athena Access from EKS in another account


I have a use case where Athena, the Glue catalog and database, and S3 all exist in AccountB, and I have an application running in an EKS cluster in AccountA. I have provided root-level access to AccountA in the S3 bucket and Glue settings in AccountB.

But I get this error:

failed to execute query: Insufficient permissions to execute the query. User: 
arn:aws:sts::AccountA:assumed-role/compliance-live-temporal-server/1690459320335517 is 
not authorized to perform: glue:GetDatabases 
on resource: arn:aws:glue:eu-west-1:AccountA:catalog
because no identity-based policy allows the glue:GetDatabases action.

The IAM policy in AccountA looks like this:

{
    "Statement": [
        {
            "Action": [
                "glue:GetTable",
                "athena:StartQueryExecution",
                "athena:GetQueryResults",
                "athena:GetQueryExecution"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "Athena"
        }
    ],
    "Version": "2012-10-17"
}

and:
{
    "Statement": [
        {
            "Action": [
                "s3:List*",
                "s3:Get*"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::bucketB-a/*",
                "arn:aws:s3:::bucketB-a"
            ],
            "Sid": "S3ReadOnly"
        },
        {
            "Action": [
                "s3:Put*",
                "s3:List*",
                "s3:Get*"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::bucketB/*",
                "arn:aws:s3:::bucketB"
            ],
            "Sid": "S3Full"
        }
    ],
    "Version": "2012-10-17"
}


with a trust policy that trusts the EKS OIDC provider.

Please note that I don't want to set up a new DB/catalog in AccountA. I simply want to make API calls to Athena in AccountB.
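The resource in the quoted error, `arn:aws:glue:eu-west-1:AccountA:catalog`, shows that the query was executed by Athena in AccountA with the pod's AccountA (IRSA) credentials, so it looked for the database in AccountA's own Glue catalog, not AccountB's. Calling Athena in AccountB directly requires AccountB credentials, which in practice means an IAM role in AccountB that the EKS role is allowed to assume, and a second STS hop from the pod. The helper below is an added example, not code from the original post or from an answer on this page: it parses an AccessDenied message to show which account's catalog was actually hit, emits the two policy documents the cross-account role needs, and builds an Athena client through role chaining. All account IDs, the role name `athena-from-eks`, the database name, the `primary` workgroup and the bucket names are placeholders, and the sample error text is a constructed copy of the one in the question.

```python
"""Cross-account Athena from EKS: diagnose the error, then assume a role in AccountB.

Added example with placeholder identifiers; boto3 is only imported inside the
function that actually talks to AWS, so the policy/diagnostic helpers run offline.
"""
import re

# Constructed sample: the question's error text with a placeholder account id.
SAMPLE_ERROR = (
    "Insufficient permissions to execute the query. User: "
    "arn:aws:sts::111111111111:assumed-role/compliance-live-temporal-server/1690459320335517 "
    "is not authorized to perform: glue:GetDatabases "
    "on resource: arn:aws:glue:eu-west-1:111111111111:catalog "
    "because no identity-based policy allows the glue:GetDatabases action."
)

_ERR_RE = re.compile(
    r"User: (?P<principal>arn:aws:sts::(?P<caller_account>\d{12}):[^ ]+) "
    r"is not authorized to perform: (?P<action>[a-z0-9-]+:[A-Za-z0-9]+) "
    r"on resource: (?P<resource>arn:aws:[a-z0-9-]+:[a-z0-9-]*:(?P<resource_account>\d{12}):\S+)"
)


def parse_access_denied(message):
    """Pull principal, action and resource out of an IAM AccessDenied message.

    The resource's account id tells you which account's Glue catalog the call
    actually targeted; if it equals the caller's account, the request never
    left the caller's account (the situation in the question).
    """
    m = _ERR_RE.search(message)
    if not m:
        raise ValueError("not an IAM AccessDenied message")
    d = m.groupdict()
    d["cross_account"] = d["caller_account"] != d["resource_account"]
    return d


def account_b_role_trust_policy(account_a_role_arn):
    """Trust policy for the role in AccountB: only the EKS (IRSA) role may assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": account_a_role_arn},
        "Action": "sts:AssumeRole",
    }]}


def account_b_role_permissions(region, account_b, database, data_bucket, results_bucket):
    """Permissions for the AccountB role: Athena, the Glue catalog, data and result buckets."""
    glue = f"arn:aws:glue:{region}:{account_b}"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "Athena", "Effect": "Allow",
         "Action": ["athena:StartQueryExecution", "athena:GetQueryExecution",
                    "athena:GetQueryResults", "athena:StopQueryExecution"],
         "Resource": f"arn:aws:athena:{region}:{account_b}:workgroup/primary"},
        {"Sid": "Glue", "Effect": "Allow",
         "Action": ["glue:GetDatabase", "glue:GetDatabases", "glue:GetTable",
                    "glue:GetTables", "glue:GetPartition", "glue:GetPartitions"],
         "Resource": [f"{glue}:catalog", f"{glue}:database/{database}",
                      f"{glue}:table/{database}/*"]},
        {"Sid": "DataRead", "Effect": "Allow",
         "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{data_bucket}", f"arn:aws:s3:::{data_bucket}/*"]},
        {"Sid": "ResultsWrite", "Effect": "Allow",  # Athena writes query output here
         "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket",
                    "s3:PutObject", "s3:AbortMultipartUpload"],
         "Resource": [f"arn:aws:s3:::{results_bucket}", f"arn:aws:s3:::{results_bucket}/*"]},
    ]}


def account_a_assume_statement(account_b_role_arn):
    """The only addition the IRSA role in AccountA needs: permission to assume the B role."""
    return {"Sid": "AssumeAthenaRoleInB", "Effect": "Allow",
            "Action": "sts:AssumeRole", "Resource": account_b_role_arn}


def athena_client_in_account_b(account_b_role_arn, region, session_name="athena-from-eks"):
    """Role-chain from the pod's IRSA credentials into AccountB and return an Athena client.

    Network call; not exercised offline. Chained sessions are capped at one hour.
    """
    import boto3  # deferred so the helpers above do not require boto3
    sts = boto3.client("sts")  # picks up the IRSA web-identity credentials in the pod
    creds = sts.assume_role(RoleArn=account_b_role_arn, RoleSessionName=session_name)["Credentials"]
    return boto3.client(
        "athena", region_name=region,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
```

With the client returned by `athena_client_in_account_b`, `start_query_execution` runs in AccountB, so the default catalog and the workgroup's result location are AccountB's; the bucket policies granting AccountA access are then no longer needed for the query path, since the data is read with AccountB credentials. Keep the `Resource` entries scoped as above rather than `*`: the pod already holds a role in AccountA, and the AccountB role is the only thing standing between it and the whole catalog.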

1 answer

Answered a year ago
