AWS re:Post Knowledge Center Feedback Survey

Help us improve the AWS re:Post Knowledge Center by sharing your feedback in a brief survey. Your input can influence how we create and update our content to better support your AWS journey.

Access Denied for ATHENA

Hi team, Getting this error while runninng query in athena

com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: DN9ZNSDSC5ESES3Z; S3 Extended Request ID: FWdDoyX4RXGKTzwAB+5IGvOIlGQRiIuOPznGB5HQ4leHUWC7PBoge6GD9YFbaV5I6hD7WWM9pK8=; Proxy: null), S3 Extended Request ID: FWdDoyX4RXGKTzwAB+5IGvOIlGQRiIuOPznGB5HQ4leHUWC7PBoge6GD9YFbaV5I6hD7WWM9pK8= (Bucket: cairns-unpartitioned-empty-table-bucket, Key: 24e7d286-cb41-48c5-999b-ae4aa56aa99d)

Using same IAM role and policy previously it worked fine

Topics: Analytics Management & Governance Storage Security, Identity, & Compliance
Tags: AWS Command Line Interface AWS Identity and Access Management IAM Policies Amazon Athena Amazon Simple Storage Service
Language: English

rePost-User-3101231

asked a year ago237 views

1 Answer

Newest
Most votes
Most comments

Are these answers helpful? Upvote the correct answer to help the community benefit from your knowledge.

It's impossible to understand or help without additional info, it would be really helpful if you can post the policy configured in the role, and the cloudtrail error (remove info like account numbers).

Thanks!

JuanEn_G

answered a year ago

EXPERT

Gary Mclean

reviewed a year ago

rePost-User-3101231
a year ago
This the service role policy which is created when we create resource for subscription

{ "Version": "2012-10-17", "Statement": [ { "Action": [ "lakeformation:BatchGrantPermissions", "lakeformation:BatchRevokePermissions", "lakeformation:DeregisterResource", "lakeformation:DescribeResource", "lakeformation:GetDataAccess", "lakeformation:GetDataLakeSettings", "lakeformation:GetEffectivePermissionsForPath", "lakeformation:GrantPermissions", "lakeformation:ListPermissions", "lakeformation:ListResources", "lakeformation:RegisterResource", "lakeformation:RevokePermissions", "lakeformation:UpdateResource", "ram:AcceptResourceShareInvitation", "ram:GetResourceShareInvitations", "ram:ListPendingInvitationResources" ], "Resource": "*", "Effect": "Allow" },
rePost-User-3101231
a year ago
{ "Action": [ "kms:GenerateDataKey*", "kms:CreateKey*", "kms:CreateAlias", "kms:DescribeKey", "glue:CreateDatabase", "glue:DeleteDatabase", "glue:GetDatabase", "glue:GetDatabases", "glue:UpdateDatabase", "glue:CreateTable", "glue:DeleteTable", "glue:BatchDeleteTable", "glue:UpdateTable", "glue:GetTable", "glue:GetTables", "glue:BatchCreatePartition", "glue:CreatePartition", "glue:DeletePartition", "glue:BatchDeletePartition", "glue:UpdatePartition", "glue:GetPartition", "glue:GetPartitions", "glue:BatchGetPartition", "redshift:DescribeClusters", "redshift:ModifyClusterIamRoles" ], "Resource": "", "Effect": "Allow" }, { "Action": [ "s3:" ], "Resource": "arn:aws:s3:::bdt-glue-bucket-34c8f298-82ba-e3ac-db5e-7262641084db/*", "Effect": "Allow" }, { "Action": [ "s3:ListBucket" ], "Resource": "arn:aws:s3:::bdt-glue-bucket-34c8f298-82ba-e3ac-db5e-7262641084db", "Effect": "Allow" },
rePost-User-3101231
a year ago
{ "Action": [ "redshift:RejectDataShare", "redshift:AuthorizeDataShare", "redshift:DeauthorizeDataShare", "redshift:AssociateDataShareConsumer", "redshift:DisassociateDataShareConsumer" ], "Resource": "arn:aws:redshift:::datashare:/", "Effect": "Allow" }, { "Action": [ "redshift-data:BatchExecuteStatement", "redshift-data:ExecuteStatement" ], "Resource": [ "arn:aws:redshift:us-east-1:accountId:cluster:", "arn:aws:redshift-serverless:us-east-1:accountId:workgroup/" ], "Effect": "Allow" }, { "Action": [ "redshift:GetClusterCredentials" ], "Resource": [ "arn:aws:redshift:us-east-1:accountId:dbuser:/", "arn:aws:redshift:us-east-1:accountId:dbname:/" ], "Effect": "Allow" }, { "Action": [ "redshift-serverless:GetCredentials", "redshift-serverless:ListWorkgroups", "redshift-serverless:GetNamespace", "redshift-data:CancelStatement", "redshift-data:DescribeStatement", "redshift-data:GetStatementResult", "redshift-data:ListStatements", "redshift-data:ListDatabases", "redshift:DescribeDataShares", "redshift:DescribeDataSharesForProducer", "redshift:DescribeDataSharesForConsumer" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "iam:PassRole", "iam:GetRole", "iam:GetRolePolicy" ], "Resource": "arn:aws:iam::accountId:role/bdt-glue-role-us-east-1", "Effect": "Allow" } ] }

Relevant content

Getting Access Denied error while querying a Glue Table using Athena
Accepted Answer
Vinay
asked 2 years ago
S3 Access Denied when querying Glue Tables in Athena
bhorvic
asked 2 years ago
Access denied 403 Error while uploading to S3 bucket in production (Working locally)
Accepted Answer
rePost-User-2773615
asked 2 years ago
Access Denied (Service: S3, Status Code: 403)
rePost-User-0048491
asked 2 years ago
Why do I get the AmazonS3Exception "Access Denied with Status Code: 403" in Amazon Athena when I query a bucket in another account?
AWS OFFICIALUpdated 2 years ago
How do I resolve "Access Denied" permission errors when I run a query in Athena?
AWS OFFICIALUpdated 7 months ago
How do I troubleshoot 403 Access Denied errors from an Amazon S3 bucket with public read access?
AWS OFFICIALUpdated 2 years ago
Why do I get "403 Access Denied" errors when I use an S3 REST API endpoint as the origin of my CloudFront distribution?
AWS OFFICIALUpdated 7 months ago
Troubleshoot 403 Access Denied error in Amazon S3
EXPERT
Gayathri Krishnamoorthy
published 3 years ago
Why Does S3 Return 403 Instead of 404 When the Object Doesn’t Exist?
EXPERT
Tyler
published 2 years ago

Access Denied for ATHENA

Add your answer

Relevant content