Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Shouldn't the AWSReadOnlyAccess permission group allow access to query Athena tables

0

In an enterprise account, and wanted to give someone access to query the Cloudtrail logs that are in the Log Archive account Control Tower created. But when I go in with the permission set AWSReadOnlyAccess I get errors bringing up Athena and can't see the tables that were created in there. It all seems like it should be read-only stuff; is that just a miss on AWS's part? Not very useful if the first thing I tried that set of permissions with doesn't work.

User: arn:aws:sts::....:assumed-role/AWSReservedSSO_AWSReadOnlyAccess_.../... is not authorized to perform: athena:GetQueryExecution on resource: arn:aws:athena:us-east-1:...:workgroup/primary because no identity-based policy allows the athena:GetQueryExecution action This query ran against the "" database, unless qualified by the query.

Topics
AnalyticsSecurity, Identity, & Compliance
Tags
AWS Identity and Access ManagementAmazon Athena
Language
English
asked 4 years ago530 views
1 Answer
1

The AWSSSOReadOnly policy is about having read only access to the AWS SSO service and its resources, not AWS in general.

What you probably want is to attach the ReadOnlyAccess AWS managed policy to your permission set, as it has permissions like athena:Batch*, athena:Get*, and athena:List*.

answered 4 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content