
Deleting data using an Athena query - (PERMISSION_DENIED - s3:PutObject)

0

Hello, I'm having an issue deleting data from a specific S3 bucket using a DELETE FROM statement via a Boto3 Athena connection in a Lambda function (it will be used to delete old data from an Iceberg table).

For one bucket that my team created, it works fine. However, for another bucket created by a different team, it returns this error:

"Failed: PERMISSION_DENIED — User is not authorized to perform: s3:PutObject on resource [...] with an explicit deny in a resource-based policy (Service: S3, Status Code: 403)"

From my research, this is likely caused by a bucket policy. I'd like to know if anyone has encountered a similar situation and whether there's a workaround that doesn't require modifying the bucket policy, since I don't have access to do so. However, if that's the only solution, what exactly should I look for in the policy — and if possible, could you share some examples?

I also tried adding additional permissions to the IAM role associated with the Lambda function, but it didn't resolve the issue.

1 Answer
1

As far as I understand, the issue is that Apache Iceberg requires s3:PutObject permissions even for DELETE operations; this is because Iceberg must write new metadata files and "delete files" to the bucket to track changes.

The Root Cause: In AWS, an Explicit Deny in a resource-based policy (Bucket Policy) always overrides any Allow in an identity-based policy (IAM Role). Even if your Lambda has AdministratorAccess, it will be blocked by a Deny statement in the bucket owner's policy.

Try the following. Since you cannot modify the policy yourself, you must ask the bucket owners to add an exception for your Lambda's IAM Role.

  1. Identify the Deny Block: Look for a statement in the Bucket Policy with "Effect": "Deny" and "Action": "s3:PutObject".
  2. Add an Exception: The owners should add a Condition to that Deny block to exclude your role.

Example Policy Fix:

{
  "Effect": "Deny",
  "Principal": "*",
  "Action": "s3:PutObject",
  "Resource": "arn:aws:s3:::target-bucket-name/*",
  "Condition": {
    "StringNotLike": {
      "aws:PrincipalArn": [
        "arn:aws:iam::your-account-id:role/your-lambda-role-name"
      ]
    }
  }
}

Note: If the Deny is based on encryption requirements (e.g., requiring a specific KMS key), ensure your Athena/Lambda configuration is set to use that specific key when writing results. However, usually, a cross-team "explicit deny" is a structural boundary that only a policy update can resolve.

EXPERT
answered 7 days ago
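The two points the answer makes, that an explicit Deny in the bucket policy wins over any Allow in the role, and that a StringNotLike condition on aws:PrincipalArn carves the Lambda role out of that Deny, can be checked offline against the policy document before asking the owners to change anything. The script below is an added example and is not code from the question, the answer, or AWS; the bucket name, account id and role name are placeholders, and the policy it evaluates is constructed for the demonstration. It only models the evaluation rules that matter here (Effect, Action, Resource, Principal and the string operators on aws:PrincipalArn), and treats any condition it does not understand as still applying, so it reports a Deny rather than hiding one.

```python
import fnmatch
import json

# Constructed sample bucket policy for illustration (not the asker's real
# policy). The Deny statement has no exception yet, which is the situation
# the question describes. Account id and role name are placeholders.
ROLE_ARN = "arn:aws:iam::111122223333:role/your-lambda-role-name"
BUCKET_ARN = "arn:aws:s3:::target-bucket-name"

BEFORE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowObjectAccess", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": BUCKET_ARN + "/*"},
        {"Sid": "DenyAllWrites", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": BUCKET_ARN + "/*"},
    ],
})


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM wildcard semantics: '*' matches any run of characters, '?' one."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_covers(stmt, principal_arn):
    """True if the statement's Principal names everyone or this exact ARN."""
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    return "*" in aws or principal_arn in aws


def _condition_applies(condition, principal_arn):
    """Evaluate the string operators on aws:PrincipalArn; anything else is
    left as 'applies' so the checker errs towards reporting a Deny."""
    for operator, keys in (condition or {}).items():
        for key, patterns in keys.items():
            if key.lower() != "aws:principalarn":
                continue
            values = _as_list(patterns)
            like_hit = _matches(values, principal_arn)
            if operator == "StringLike" and not like_hit:
                return False
            if operator == "StringNotLike" and like_hit:
                return False
            if operator == "StringEquals" and principal_arn not in values:
                return False
            if operator == "StringNotEquals" and principal_arn in values:
                return False
    return True


def explicit_denies(policy_json, principal_arn, action, resource_arn):
    """Sids of Deny statements that block principal_arn doing action on
    resource_arn. Such a Deny wins over any Allow in the IAM role, which is
    the evaluation rule the answer relies on."""
    denies = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Deny":
            continue
        if (_matches(stmt.get("Action"), action)
                and _matches(stmt.get("Resource"), resource_arn)
                and _principal_covers(stmt, principal_arn)
                and _condition_applies(stmt.get("Condition"), principal_arn)):
            denies.append(stmt.get("Sid", "<no Sid>"))
    return denies


def add_role_exception(policy_json, sid, role_arn):
    """Return the policy with a StringNotLike aws:PrincipalArn exemption for
    role_arn added to the Deny statement `sid` (the fix the answer proposes).
    Existing exemptions on that statement are kept."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Sid") != sid:
            continue
        not_like = stmt.setdefault("Condition", {}).setdefault("StringNotLike", {})
        exempt = _as_list(not_like.get("aws:PrincipalArn"))
        if role_arn not in exempt:
            exempt.append(role_arn)
        not_like["aws:PrincipalArn"] = exempt
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    obj = BUCKET_ARN + "/warehouse/db/events/metadata/00001-snap.json"
    print("before:", explicit_denies(BEFORE_POLICY, ROLE_ARN, "s3:PutObject", obj))
    fixed = add_role_exception(BEFORE_POLICY, "DenyAllWrites", ROLE_ARN)
    print("after: ", explicit_denies(fixed, ROLE_ARN, "s3:PutObject", obj))
    print(fixed)
```

In a real account the policy string comes from `boto3.client("s3").get_bucket_policy(Bucket=name)["Policy"]`, which needs s3:GetBucketPolicy on that bucket; if the asker's role lacks it, the owning team can run the check on their side and paste the Sid of the offending statement into the request. The exception keys on aws:PrincipalArn because, for an assumed role, that key resolves to the role's ARN rather than the session ARN, so the same condition covers every invocation of the Lambda.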
