Trouble Importing AWS Glue Tables Created from Resource Links into QuickSight via Athena

0

Hi everyone!

I’ve been following this guide (https://aws.amazon.com/blogs/aws/simplify-custom-contact-center-insights-with-amazon-connect-analytics-data-lake/) to gather data from Amazon Connect and display it in QuickSight dashboards. The guide helped me set up my own AWS Glue tables as resource links to tables managed by an AWS-owned account (where the ETL operations are done on their behalf).

However, I’m running into issues when trying to import the data into QuickSight using Athena as the data source. Specifically, QuickSight’s service account role seems unable to query my tables in Athena, even though it has temporarily been granted AdministratorAccess.

For example, running a simple SELECT * FROM myTable LIMIT 1; query in Athena resulted in the following error:

[Simba][AthenaJDBC](100071) An error has been thrown from the AWS Athena client. HIVE_UNSUPPORTED_FORMAT: Table StorageDescriptor is null for table 'myDatabase.myTable' {Name: myTable,DatabaseName: myDatabase,Description: ,Owner: ,Retention: 0,ViewOriginalText: ,ViewExpandedText: ,TableType: ,Parameters: {___lake_formation_authorized_columns___={ "authorizedColumns" : [ ] }, target_table_region=us-east-1, ___table_owner_account_id___=myAccountID, ___use_lakeformation_credentials___=false, __athena_nested_field_filter_enabled=true, ___use_lakeformation_row_column_security___=false},CreatedBy: ,IsRegisteredWithLakeFormation: false,TargetTable: {CatalogId: myCatalogID,DatabaseName: connect_datalake,Name: contact_record,},CatalogId: myAccountID,IsRowFilteringEnabled: false,DatabaseId: ,IsMultiDialectView: false} [Execution ID: myExecutionID]

From what I’ve discovered online and from my own attempts at fixing the issue, it seems that querying tables created as resource links requires the role to have access to:

  1. The tables themselves.
  2. The underlying tables they link to (shared by the AWS-owned account).
  3. The S3 bucket associated with the database containing these tables (2).

While I can successfully query with my admin role, QuickSight’s role cannot, despite both having the AdministratorAccess policy. It seems to only have access to the tables in my account and not the resources in the AWS-owned one.

Has anyone encountered this scenario before? I would greatly appreciate your insights!

asked 9 months ago, 55 views
1 Answer
0

Based on the error message and the scenario you've described, this appears to be a Lake Formation permissions issue. Even with AdministratorAccess, Lake Formation's fine-grained access controls take precedence. Here's how you can troubleshoot and resolve this:

  1. First, verify Lake Formation permissions:
SHOW GRANTS ON TABLE myDatabase.myTable;
  2. Grant necessary Lake Formation permissions:

    • Go to the Lake Formation console
    • Under "Permissions", click "Grant"
    • For Principal, select the QuickSight service role (usually starts with "aws-quicksight-service-role-")
    • Grant these permissions:
      • SELECT
      • DESCRIBE
      • For both the resource link tables AND the target tables
  3. For the target tables (AWS-owned account tables):

GRANT SELECT, DESCRIBE ON TABLE connect_datalake.contact_record 
TO IAM_ALLOWED_PRINCIPALS;
  4. Ensure cross-account access: Add this to your QuickSight service role policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "glue:GetTable",
                "glue:GetTables",
                "glue:GetDatabase",
                "glue:GetDatabases"
            ],
            "Resource": [
                "arn:aws:glue:region:target-account-id:catalog",
                "arn:aws:glue:region:target-account-id:database/*",
                "arn:aws:glue:region:target-account-id:table/*"
            ]
        }
    ]
}
  5. Verify S3 bucket access: Make sure the QuickSight role has access to the underlying S3 bucket:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::target-bucket",
                "arn:aws:s3:::target-bucket/*"
            ]
        }
    ]
}
  6. Check Lake Formation settings:
    • Verify that "Use AWS IAM access control" is enabled for the databases
    • Ensure the resource links are properly registered in Lake Formation

If you're still having issues after implementing these steps, you can:

  1. Use AWS CloudTrail to check for any permission-related errors
  2. Verify the resource link configuration using:
SHOW CREATE TABLE myDatabase.myTable;
  3. Temporarily grant broader Lake Formation permissions to test if it's specifically a Lake Formation issue:
GRANT ALL ON DATABASE myDatabase TO IAM_ALLOWED_PRINCIPALS;

(Remember to revoke this after testing)

The error message specifically mentions "Table StorageDescriptor is null", which typically occurs when there's an issue with the resource link configuration or permissions to access the target table. Make sure the target table still exists and is accessible from your account.

AWS
EXPERT
answered 19 days ago
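
An added example, not part of the original question or answer: a Python check that takes the `Table` dict returned by Glue `get_table` for the resource link and the `PrincipalResourcePermissions` list returned by Lake Formation `list_permissions`, and reports which grants a principal lacks on the link and on its target table. The required permission sets, the account IDs and the role ARN are assumptions, and the sample data is constructed.

```python
# Added example: report which Lake Formation grants a principal lacks on a
# Glue resource link and on its target table. Assumption: the link needs
# DESCRIBE and the target needs SELECT; edit REQUIRED if your setup differs.
REQUIRED = {"link": {"DESCRIBE"}, "target": {"SELECT"}}
IAM_ALLOWED = "IAM_ALLOWED_PRINCIPALS"

def _table_key(resource):
    """Return (catalog, database, table) for a table-level grant, else None."""
    t = resource.get("Table") or resource.get("TableWithColumns")
    if not t:
        return None
    name = "*" if "TableWildcard" in t else t.get("Name")
    return (t.get("CatalogId"), t["DatabaseName"], name)

def granted(perms, principal, catalog, database, table):
    """Permissions held on one table, directly or via IAM_ALLOWED_PRINCIPALS."""
    held = set()
    for entry in perms:
        who = entry["Principal"]["DataLakePrincipalIdentifier"]
        key = _table_key(entry["Resource"])
        if who in (principal, IAM_ALLOWED) and key and \
                key[:2] == (catalog, database) and key[2] in (table, "*"):
            held.update(entry["Permissions"])
    return held

def missing_grants(link, perms, principal):
    """link: 'Table' dict from glue get_table; perms: the
    'PrincipalResourcePermissions' list from lakeformation list_permissions."""
    target = link.get("TargetTable")
    if not target:
        raise ValueError(f"{link['Name']} is not a resource link")
    report = {}
    for side, t in (("link", link), ("target", target)):
        held = granted(perms, principal,
                       t["CatalogId"], t["DatabaseName"], t["Name"])
        need = set() if "ALL" in held else REQUIRED[side] - held
        if need:
            report[side] = sorted(need)
    return report

# Constructed sample data: account IDs and the role ARN are placeholders.
ROLE = "arn:aws:iam::111111111111:role/service-role/aws-quicksight-service-role-v0"
LINK = {"Name": "myTable", "DatabaseName": "myDatabase", "CatalogId": "111111111111",
        "TargetTable": {"CatalogId": "222222222222",
                        "DatabaseName": "connect_datalake", "Name": "contact_record"}}
PERMS = [{"Principal": {"DataLakePrincipalIdentifier": ROLE},
          "Resource": {"Table": {"CatalogId": "111111111111",
                                 "DatabaseName": "myDatabase", "Name": "myTable"}},
          "Permissions": ["DESCRIBE"]}]
print(missing_grants(LINK, PERMS, ROLE))
```

An empty result means the principal holds every permission listed in `REQUIRED` on both sides; IAM policies and S3 access are separate checks this does not cover.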
