Accessing Athena from EKS using IRSA ( bucket exists in other account).

Short Description:

Accessing Amazon Athena service from Amazon Elastic Kubernetes Service (Amazon EKS) using AWS Identity and Access Management (IAM) roles for service accounts (IRSA).

Reading documentation [1] setting the OIDC provider connection in the target account, but the IAM role and policy are not working.

Resolution:

May I recommend the following blog which covers troubleshooting IRSA errors in Amazon EKS [2], https://repost.aws/knowledge-center/eks-troubleshoot-irsa-errors

Use following documentation and example policies for Cross Account Setup --> Relevant IAM Permissions [3]

Cross-account access in Athena to Amazon S3 buckets - Policy example provided [4]

Lastly, this blog, "Analyze Kubernetes container logs using Amazon S3 and Amazon Athena" [5], may assist in achieving your use case.

If further assistance is required to troubleshoot a specific error received, may I recommend opening an Internal Ticket with AWS Support for further assistance.

References:

[1] https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html

[2] https://repost.aws/knowledge-center/eks-troubleshoot-irsa-errors

[3] https://docs.aws.amazon.com/eks/latest/userguide/cross-account-access.html

[4] https://docs.aws.amazon.com/athena/latest/ug/cross-account-permissions.html

[5] https://aws.amazon.com/blogs/containers/analyze-kubernetes-container-logs-using-amazon-s3-and-amazon-athena/