Unable to access Amazon Athena Query Editor

Question

While attempting to execute a query for a DCPI, I recieved the following error message which then instructed me to reach out her on this forum.

com.amazonaws.services.s3.model.AmazonS3Exception: User: arn:aws:sts::521816902950:assumed-role/DCEAFEAthenaAccessRole/lopfcesa is not authorized to perform: s3:GetObject on resource: "arn:aws:s3:::dcea-nset-curation-prod-us-east-1/dce_glacier/d_glacier_base_curated/cluster=IAD/site_name=IAD091/fw_snapshot_day=2025-05-03/part-00015-9e557f23-3e02-4a39-a222-fd3ca452c5ed.c000.snappy.parquet" because no identity-based policy allows the s3:GetObject action (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 7N5HW2QSHG0913QN; S3 Extended Request ID: OqeihnlkrHu3T8+CeSg6mg8OxAJcftVmRHCY6Bhi87XxCLU46o6t49OY2qQccP4Cdt1HEtviA4HH4MmLOIUvOmiv/pNFHMYMfOObd3sVu/A=; Proxy: null), S3 Extended Request ID: OqeihnlkrHu3T8+CeSg6mg8OxAJcftVmRHCY6Bhi87XxCLU46o6t49OY2qQccP4Cdt1HEtviA4HH4MmLOIUvOmiv/pNFHMYMfOObd3sVu/A= (Bucket: dcea-nset-curation-prod-us-east-1, Key: dce_glacier/d_glacier_base_curated/cluster=IAD/site_name=IAD091/fw_snapshot_day=2025-05-03/part-00015-9e557f23-3e02-4a39-a222-fd3ca452c5ed.c000.snappy.parquet)

Query Id: f46276b8-9f50-400c-9db3-aacb65706a10

re:Post Agent · Answer

The error message you're encountering indicates that the IAM role you're using (DCEAFEAthenaAccessRole) does not have the necessary permissions to access the S3 bucket where your Athena data is stored. Specifically, the role lacks the s3:GetObject permission for the specified S3 object.

To resolve this issue, you need to update the IAM permissions for the DCEAFEAthenaAccessRole. Here are the steps you should take:

1. Review the IAM policy attached to the DCEAFEAthenaAccessRole.

2. Ensure that the policy includes the s3:GetObject permission for the specific S3 bucket and objects that Athena needs to access. You may need to add a statement similar to this:

{
     "Effect": "Allow",
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::dcea-nset-curation-prod-us-east-1/*"
   }

3. If the S3 bucket is in a different AWS account, make sure that the bucket policy allows access from your account and the specific IAM role.

4. Check if there are any explicit deny statements in the IAM policies or S3 bucket policies that might be overriding the allow statements.

5. Verify that the S3 bucket and the objects within it have the correct permissions set.

6. If you're using AWS Organizations, ensure that there are no Service Control Policies (SCPs) restricting access to the S3 bucket.

After making these changes, try running your Athena query again. If you continue to experience issues, you may need to consult with your AWS administrator or the team responsible for managing IAM permissions in your organization to ensure that the correct access is granted.  
**Sources**  
[Access Denied for ATHENA | AWS re:Post](https://repost.aws/questions/QUJ1oSEboDR7mB0kQkI0IOWg/access-denied-for-athena)  
[IAM Permission issue | AWS re:Post](https://repost.aws/questions/QUvWwRlKPASu64C1ZMP9dmNw/iam-permission-issue)  
[Error: User not authorised to perform kms on AWS KMS Resource in Amazon S3 in my CodePipeline Codedeploy | AWS re:Post](https://repost.aws/questions/QUf2DBPznuShqAwb5_f_zu0A/error-user-not-authorised-to-perform-kms-on-aws-kms-resource-in-amazon-s3-in-my-codepipeline-codedeploy)

Unable to access Amazon Athena > Query Editor

Add your answer

Relevant content