Athena Error: Permission Denied on S3 Path.
I am trying to execute Athena queries from a Lambda function but I am getting this error:
Athena Query Failed to run with Error Message: Permission denied on S3 path: s3://bkt_logs/apis/2020/12/16/14
The bucket bkt_logs is the bucket used by AWS Glue Crawlers to crawl through all the sub-folders and populate the Athena table that I am querying.
Also, bkt_logs is an encrypted bucket.
These are the policies that I have assigned to the Lambda:
[
  {
    "Action": [
      "s3:Get*",
      "s3:List*",
      "s3:PutObject",
      "s3:DeleteObject"
    ],
    "Resource": "arn:aws:s3:::athena-query-results/*",
    "Effect": "Allow",
    "Sid": "AllowS3AccessToSaveAndReadQueryResults"
  },
  {
    "Action": [
      "s3:*"
    ],
    "Resource": "arn:aws:s3:::bkt_logs/*",
    "Effect": "Allow",
    "Sid": "AllowS3AccessForGlueToReadLogs"
  },
  {
    "Action": [
      "athena:GetQueryExecution",
      "athena:StartQueryExecution",
      "athena:StopQueryExecution",
      "athena:GetWorkGroup",
      "athena:GetDatabase",
      "athena:BatchGetQueryExecution",
      "athena:GetQueryResults",
      "athena:GetQueryResultsStream",
      "athena:GetTableMetadata"
    ],
    "Resource": [
      "*"
    ],
    "Effect": "Allow",
    "Sid": "AllowAthenaAccess"
  },
  {
    "Action": [
      "glue:GetTable",
      "glue:GetDatabase",
      "glue:GetPartitions"
    ],
    "Resource": [
      "*"
    ],
    "Effect": "Allow",
    "Sid": "AllowGlueAccess"
  },
  {
    "Action": [
      "kms:CreateGrant",
      "kms:DescribeKey",
      "kms:Decrypt"
    ],
    "Resource": [
      "*"
    ],
    "Effect": "Allow",
    "Sid": "AllowKMSAccess"
  }
]
What seems to be wrong here? What should I do to resolve this issue?
asked 2 months ago, 149 views
1 Answer
Accepted Answer
I'm not sure if it's needed in your case, but some S3 API actions apply at the bucket level, and I notice you don't Allow anything for "Resource": "arn:aws:s3:::athena-query-results" or "Resource": "arn:aws:s3:::bkt_logs".
answered 2 months ago
Thanks @skinsman. After updating the resource to "Resource": ["arn:aws:s3:::bkt_logs", "arn:aws:s3:::bkt_logs/*"] I was able to resolve the issue.
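The gap identified in the accepted answer can be checked mechanically. The following is an added example, not code from the question or from AWS: it flags Allow statements whose S3 actions include bucket-level operations while every Resource only matches object ARNs. The function name `bucket_level_gaps` and the short list of bucket-level actions are assumptions made for this sketch, and `fnmatch` only approximates IAM wildcard matching.

```python
import fnmatch

# Assumption: a representative subset of S3 actions that IAM authorizes against
# the bucket ARN (arn:aws:s3:::bucket) rather than object ARNs (bucket/key).
BUCKET_LEVEL_ACTIONS = ("s3:GetBucketLocation", "s3:ListBucket",
                        "s3:ListBucketMultipartUploads")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def bucket_level_gaps(statements):
    """Return (sid, bucket, actions) for each Allow statement that grants
    bucket-level S3 actions but has no Resource matching the bucket ARN."""
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action names are case-insensitive and may contain wildcards.
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        granted = sorted(a for a in BUCKET_LEVEL_ACTIONS
                         if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns))
        if not granted:
            continue
        resources = _as_list(stmt.get("Resource", []))
        buckets = {r.split(":::", 1)[1].split("/", 1)[0]
                   for r in resources if r.startswith("arn:aws:s3:::")}
        for bucket in sorted(buckets):
            bucket_arn = "arn:aws:s3:::" + bucket
            if not any(fnmatch.fnmatchcase(bucket_arn, r) for r in resources):
                findings.append((stmt.get("Sid"), bucket, granted))
    return findings

# The two S3 statements from the question, and the second one with the
# Resource list from the asker's follow-up comment.
QUESTION_POLICY = [
    {"Sid": "AllowS3AccessToSaveAndReadQueryResults", "Effect": "Allow",
     "Action": ["s3:Get*", "s3:List*", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::athena-query-results/*"},
    {"Sid": "AllowS3AccessForGlueToReadLogs", "Effect": "Allow",
     "Action": ["s3:*"], "Resource": "arn:aws:s3:::bkt_logs/*"},
]
FIXED_STATEMENT = dict(QUESTION_POLICY[1],
                       Resource=["arn:aws:s3:::bkt_logs", "arn:aws:s3:::bkt_logs/*"])

if __name__ == "__main__":
    for sid, bucket, actions in bucket_level_gaps(QUESTION_POLICY):
        print(f"{sid}: {', '.join(actions)} never match arn:aws:s3:::{bucket}")
```

Both S3 statements from the question are flagged, while the statement with the bucket ARN added produces no finding.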