Describe table in Athena fails with insufficient lake formation permissions


When I run the following query via the Athena JDBC driver:

describe gitlab.issues

I get the following error:

[Simba]AthenaJDBC An error has been thrown from the AWS Athena client. FAILED: SemanticException Unable to fetch table gitlab. Insufficient Lake Formation permission(s) on gitlab (Service: AmazonDataCatalog; Status Code: 400; Error Code: AccessDeniedException; Request ID: be6aeb1b-fc06-410d-9723-2df066307b35; Proxy: null) [Execution ID: a2534d22-c4df-49e9-8515-80224779bf01]

However, the following query against the same table works:

select * from gitlab.issues limit 10

The role used for these queries has the Lake Formation DESCRIBE permission on the gitlab database and the DESCRIBE and SELECT permissions on the issues table. It also has the following IAM permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "athena:BatchGetNamedQuery",
        "athena:BatchGetQueryExecution",
        "athena:CreatePreparedStatement",
        "athena:DeletePreparedStatement",
        "athena:GetDataCatalog",
        "athena:GetDatabase",
        "athena:GetNamedQuery",
        "athena:GetPreparedStatement",
        "athena:GetQueryExecution",
        "athena:GetQueryResults",
        "athena:GetQueryResultsStream",
        "athena:GetTableMetadata",
        "athena:GetWorkGroup",
        "athena:ListDatabases",
        "athena:ListNamedQueries",
        "athena:ListPreparedStatements",
        "athena:ListDataCatalogs",
        "athena:ListEngineVersions",
        "athena:ListQueryExecutions",
        "athena:ListTableMetadata",
        "athena:ListTagsForResource",
        "athena:ListWorkGroups",
        "athena:StartQueryExecution",
        "athena:StopQueryExecution",
        "athena:UpdatePreparedStatement"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "glue:BatchGetCustomEntityTypes",
        "glue:BatchGetPartition",
        "glue:GetCatalogImportStatus",
        "glue:GetColumnStatisticsForPartition",
        "glue:GetColumnStatisticsForTable",
        "glue:GetCustomEntityType",
        "glue:GetDatabase",
        "glue:GetDatabases",
        "glue:GetPartition",
        "glue:GetPartitionIndexes",
        "glue:GetPartitions",
        "glue:GetSchema",
        "glue:GetSchemaByDefinition",
        "glue:GetSchemaVersion",
        "glue:GetSchemaVersionsDiff",
        "glue:GetTable",
        "glue:GetTableVersion",
        "glue:GetTableVersions",
        "glue:GetTables",
        "glue:GetUserDefinedFunction",
        "glue:GetUserDefinedFunctions",
        "glue:ListCustomEntityTypes",
        "glue:ListSchemaVersions",
        "glue:ListSchemas",
        "glue:QuerySchemaVersionMetadata",
        "glue:SearchTables"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": "athena.amazonaws.com"
        }
      },
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::aws-athena-query-results-123456789012-eu-west-1",
        "arn:aws:s3:::aws-athena-query-results-123456789012-eu-west-1/*",
        "arn:aws:s3:::aws-athena-federation-spill-123456789012-eu-west-1",
        "arn:aws:s3:::aws-athena-federation-spill-123456789012-eu-west-1/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "lakeformation:CancelTransaction",
        "lakeformation:CommitTransaction",
        "lakeformation:DescribeResource",
        "lakeformation:DescribeTransaction",
        "lakeformation:ExtendTransaction",
        "lakeformation:GetDataAccess",
        "lakeformation:GetQueryState",
        "lakeformation:GetQueryStatistics",
        "lakeformation:GetTableObjects",
        "lakeformation:GetWorkUnitResults",
        "lakeformation:GetWorkUnits",
        "lakeformation:StartQueryPlanning",
        "lakeformation:StartTransaction"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": "athena.amazonaws.com"
        }
      },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:*:*:function:athena-federation-*",
      "Effect": "Allow"
    },
    {
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": "athena.amazonaws.com"
        }
      },
      "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

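Even if I make the role a Lake Formation administrator and database creator, grant it Super permissions on both the table and the database, and attach the AdministratorAccess IAM policy to it, the DESCRIBE statement still fails. Note that the error message refers to "table gitlab", not to the issues table in the gitlab database.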

No Answers
