Thanks for sharing the Query ID.
When registering a Lake Formation path, we follow up by granting permissions to the path from "Data Locations" to the role that needs to access LF managed tables with locations that are registered.
Looking at the S3 logs for the provided Athena Query ID, the authentication process is looking similar to when a location is registered with Lake Formation. The process being as follows:
- A principal runs a SELECT query in Athena.
- Athena analyses the query and checks Lake Formation permissions to see if the principal has been granted access to the table and table columns.
- If the principal has access, Athena requests credentials from Lake Formation. If the principal does not have access, Athena issues an access denied error.
- Lake Formation issues credentials to Athena to use when reading data from Amazon S3, along with the list of allowed columns.
- Athena uses the Lake Formation temporary credentials to query the data from Amazon S3. After the query completes, Athena discards the credentials.
Now, to answer your question - the error for the shared Query ID happened because of a missing s3:ListBucket permission from the Lake Formation end.
Although, currently checking the Role that you are using, I could see that the Role being assumed by Athena (AWSServiceRoleForLakeFormationDataAccess) has permission for the S3 path (s3://xxxx-xxxxx-xxxx-xxx-us-east-1-123456789000/xxxxxx_xxxxx), so you should not be encountering this error at this very moment as I write this.
Once you register your S3 bucket (xxxx-xxxxx-xxxx-xxx-us-east-1-123456789000) in Lake Formation, it updates your Role (AWSServiceRoleForLakeFormationDataAccess) with the missing permissions (s3:ListBucket in your case for the given Query ID) automatically.
That being said, I would recommend that you check that the S3 bucket is getting registered appropriately, when you are doing a deployment through Terraform, so that you do not run into these errors again.
Using Athena to query data registered with AWS Lake Formation - https://docs.aws.amazon.com/athena/latest/ug/security-athena-lake-formation.html
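The registration step the answer above recommends checking in the Terraform deployment, written out as an added example (this is not code from the original answer or from AWS). It assumes the bucket name is the placeholder from the thread and that `athena-analyst` is the IAM role that runs the SELECT query; both are assumptions to replace.

```hcl
# Added example, not part of the original answer.
# Registers the S3 bucket as a Lake Formation data location and grants the
# querying role DATA_LOCATION_ACCESS on it, so the path is governed by
# Lake Formation rather than by the role's own S3 permissions.

variable "bucket_name" {
  # Placeholder bucket name taken from the thread; replace with the real one.
  default = "xxxx-xxxxx-xxxx-xxx-us-east-1-123456789000"
}

variable "query_role_arn" {
  # Assumed: the IAM role principal that issues the Athena SELECT.
  default = "arn:aws:iam::123456789000:role/athena-analyst"
}

# Register the bucket with Lake Formation. With role_arn omitted, Lake
# Formation uses its service-linked role (AWSServiceRoleForLakeFormationDataAccess)
# and maintains that role's S3 permissions (e.g. s3:ListBucket) for the
# registered path itself, which is what the missing-permission error was about.
resource "aws_lakeformation_resource" "data_lake" {
  arn = "arn:aws:s3:::${var.bucket_name}"
}

# Grant the querying principal access to the registered location. Referencing
# the registration resource's arn makes Terraform order the two correctly.
resource "aws_lakeformation_permissions" "location_access" {
  principal   = var.query_role_arn
  permissions = ["DATA_LOCATION_ACCESS"]

  data_location {
    arn = aws_lakeformation_resource.data_lake.arn
  }
}

# Expose the registered ARN so the apply output can be compared with the
# path Athena reported in the failing Query ID.
output "registered_location" {
  value = aws_lakeformation_resource.data_lake.arn
}
```

After `terraform apply`, `aws lakeformation describe-resource --resource-arn arn:aws:s3:::<bucket>` should return the registration with the service-linked role, confirming the bucket was registered and not only granted in IAM.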