External account share with lake formation causing errors when trying to query with Athena in consumer account

0

I have two accounts the source account A and the target account B.

I have granted account B access to the database and all its tables in account A with Super access including grant. and accepted this on RAM in account B.

In account B I can now see the database and have created a resource_link for the database with the table inside it. I have also granted my user "lake-formation-admin" access to this database and table.

The data catalogue settings in account A & B are; Use only IAM access control for new databases: OFF Use only IAM access control for new tables in new databases: OFF Version: 4

When I try to query my table in athena using my lake-formtion-admin account or my root account I get the same error

com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: #########; S3 Extended Request ID: #################; Proxy: null), S3 Extended Request ID: ############################### (Bucket: {my bucket name}, Key: {my key path}) This query ran against the {resource link database name} database, unless qualified by the query. Please post the error message on our forum or contact customer support with Query Id: f9ae765c-ce70-4ea5-82a2-3871b463ef95

It does work if I put a bucket policy in account A on my bucket to specifically allow my role in Account B. But I want to access using Lake Formation Permissions, surely you don't need a bucket policy to get this to work?

1 Answer
0
Accepted Answer

Can you please confirm if your s3 path is registered in account A lake formation. If not, lake formation will not vend credentials to access data. Register[1] your table S3 path (or entire bucket) in lake formation and try running the query again in account B. Also make sure IAM role associated when registering the path has all the permissions listed in the doc[2].

[1] https://docs.aws.amazon.com/lake-formation/latest/dg/register-data-lake.html [2] https://docs.aws.amazon.com/lake-formation/latest/dg/registration-role.html

Yes you are right, it is not required to provide cross-account access to s3 bucket if the s3 path is registered in lake formation.

AWS
answered 7 months ago
  • Thank you Sachin, that was indeed the solution. One of the preliminary steps missed haha! have a great weekend :)

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions