By using AWS re:Post, you agree to the Terms of Use
/Athena Error: Permission Denied on S3 Path./

Athena Error: Permission Denied on S3 Path.

0

I am trying to execute athena queries from a lambda function but I am getting this error: Athena Query Failed to run with Error Message: Permission denied on S3 path: s3://bkt_logs/apis/2020/12/16/14

The bucket bkt_logs is the bucket which is used by AWS Glue Crawlers to crawl through all the sub-folders and populate Athena table on which I am querying on. Also, bkt_logs is an encrypted bucket.

These are the policies that I have assigned to the Lambda.

[
  {
    "Action": [
      "s3:Get*",
      "s3:List*",
      "s3:PutObject",
      "s3:DeleteObject"
    ],
    "Resource": "arn:aws:s3:::athena-query-results/*",
    "Effect": "Allow",
    "Sid": "AllowS3AccessToSaveAndReadQueryResults"
  },
  {
    "Action": [
      "s3:*"
    ],
    "Resource": "arn:aws:s3:::bkt_logs/*",
    "Effect": "Allow",
    "Sid": "AllowS3AccessForGlueToReadLogs"
  },
  {
    "Action": [
      "athena:GetQueryExecution",
      "athena:StartQueryExecution",
      "athena:StopQueryExecution",
      "athena:GetWorkGroup",
      "athena:GetDatabase",
      "athena:BatchGetQueryExecution",
      "athena:GetQueryResults",
      "athena:GetQueryResultsStream",
      "athena:GetTableMetadata"
    ],
    "Resource": [
      "*"
    ],
    "Effect": "Allow",
    "Sid": "AllowAthenaAccess"
  },
  {
    "Action": [
      "glue:GetTable",
      "glue:GetDatabase",
      "glue:GetPartitions"
    ],
    "Resource": [
      "*"
    ],
    "Effect": "Allow",
    "Sid": "AllowGlueAccess"
  },
  {
    "Action": [
      "kms:CreateGrant",
      "kms:DescribeKey",
      "kms:Decrypt"
    ],
    "Resource": [
      "*"
    ],
    "Effect": "Allow",
    "Sid": "AllowKMSAccess"
  }
]

What seems to be wrong here? What should I do to resolve this issue?

1 Answers
0
Accepted Answer

I'm not sure if it's needed in your case but some S3 API actions apply at the bucket level, and I notice you don't Allow anything for "Resource": "arn:aws:s3:::athena-query-results" or "Resource": "arn:aws:s3:::bkt_logs"

answered 2 months ago
  • Thanks @skinsman. After updating the resource to "Resource": ["arn:aws:s3:::bkt_logs", "arn:aws:s3:::bkt_logs/*"] I was able to resolve the issue.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions