How to cross-account access an Athena from a Lambda?

0

Hi,

I need to cross-account access an Athena that is in another AWS account from my Lambda. If I understood correctly, the steps should be the following:

  • I need to pass them the ARN of my Lambda;
  • On their side, they need to create an IAM role that gives the correct permission to access the Athena, based on the provided ARN;
  • Now they need to pass to me the ARN of that created IAM role, so in my code I use the STS SDK to assume that created IAM role, so I can fetch the credentials to interact with their Athena.

My question is, is there something similar to the bucket policies that exist for S3, but for Athena? The best thing about the S3 bucket policy is that we don't have to assume roles, because the user/role is given access directly by the bucket policy, so I don't have to write extra code to assume roles.

Also, I think I can't make the Lambda itself change its execution role to the IAM role they created, as my Lambda also needs to access other resources from the account that is hosting the Lambda, like a DynamoDB table.

If possible I would like to avoid writing extra code just to cross-account access the Athena that is in another AWS account, but if that is required, I just want to make sure it's the only way.

  • Edit: grammar
1 Answer
2
Accepted Answer
  1. The Lambda execution role (Account A) should have access to AssumeRole on the Account B role (where the Athena tables exist).

  2. The Account B role should have a trust relationship for Account A and Lambda as a service.

  3. The Account B role should have access to the S3 bucket (where query results get saved).

  4. Once the Lambda in Account A assumes the Account B role inside the code through the SDK/boto3, those returned credentials would be used to query Athena in Account B, and for other resource access in Account A the Lambda execution role would still be used.

The code snippet in the Lambda should look something like the one below, but can be tweaked per requirement:

  import boto3

  # The STS client is signed with the Lambda's own execution role (Account A)
  sts_connection = boto3.client('sts')
  # Returns temporary credentials for the Account B role under 'Credentials'
  assume_role_account_a = sts_connection.assume_role(
      RoleArn="arn:aws:iam::AccountB:role/CrossAccountAthenaAccess-Role",
      RoleSessionName="cross_acct_athena"
  )

I'd suggest you follow this Knowledge Article step by step; it would certainly help you understand how a Lambda would assume a role in another AWS account.

On your other question, whether Athena has any resource policy like S3, the answer is no; Athena is a serverless querying service. Refer to this Documentation, where it's clearly mentioned that Athena doesn't support resource-based policies.

If you want to practice Lambda cross-account IAM role assumption beforehand, take a look at this Well-Architected Lab.

AWS EXPERT, answered 10 months ago
EXPERT, reviewed 10 months ago
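The four steps of the accepted answer as one added example (not the answer's or AWS's own code): the helper functions build the least-privilege IAM documents for steps 1 and 2, and the handler performs steps 3 and 4, using the assumed Account B credentials only for the Athena client while DynamoDB in Account A keeps the execution role. Account IDs, role names, the results bucket and the event keys are placeholders.

```python
# Added example, not code from the post. Account IDs, role names, the results
# bucket and event keys are placeholders; only the Athena client gets B's creds.
ACCOUNT_A = "111111111111"  # account hosting the Lambda and its DynamoDB table
ACCOUNT_B = "222222222222"  # account hosting the Athena tables
LAMBDA_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/AthenaCallerLambdaRole"
ROLE_B_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/CrossAccountAthenaAccess-Role"
RESULTS_BUCKET = f"s3://athena-results-{ACCOUNT_B}/"  # step 3: lives in Account B


def lambda_role_assume_statement(role_b_arn: str) -> dict:
    """Step 1: the one extra statement the Account A execution role needs."""
    return {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_b_arn}


def account_b_trust_policy(lambda_role_arn: str) -> dict:
    """Step 2: trust policy on the Account B role, scoped to one Lambda role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": lambda_role_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def client_kwargs_from_assume_role(resp: dict) -> dict:
    """Step 4: map the STS AssumeRole response onto boto3 client arguments."""
    creds = resp["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


def lambda_handler(event, context):
    import boto3  # imported here so the policy helpers above run without boto3
    sts = boto3.client("sts")  # signed with the Lambda's own execution role
    resp = sts.assume_role(RoleArn=ROLE_B_ARN, RoleSessionName="cross_acct_athena")
    athena_b = boto3.client("athena", **client_kwargs_from_assume_role(resp))
    query = athena_b.start_query_execution(
        QueryString=event["query"],
        QueryExecutionContext={"Database": event["database"]},
        ResultConfiguration={"OutputLocation": RESULTS_BUCKET},
    )
    # Account A resources keep using the execution role: no credentials passed.
    table = boto3.resource("dynamodb").Table(event["table"])
    table.put_item(Item={"pk": query["QueryExecutionId"]})
    return {"QueryExecutionId": query["QueryExecutionId"]}
```

The trust policy names the single Lambda execution role as principal rather than the Account A root, so no other principal in Account A can assume the Athena role.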
