Cross-Account Connect Athena (account X) to Glue + S3 (account Y)

0

Hello,

This question https://repost.aws/questions/QUSdk1j9-FT02t91W3AU0Qng/cross-account-access-from-athena-to-s-3 from 3 years ago sims to be similar. I did all that is suggested appart from using Lake Formation. I wanted to try and create the permissions manually first.

Account Y: I have JSON data in an S3 and used Glue to create the catalog in account Y. I configured this owner account such as Step 1.a https://docs.aws.amazon.com/athena/latest/ug/security-iam-cross-account-glue-catalog-access.html I also configured the S3 bucket according to "Apply a cross-account bucket policy" from https://tomgregory.com/s3-bucket-access-from-the-same-and-another-aws-account/

Account X: I want to configure Athena to query S3 using the catalog created by Glue I configured this borrower account such as Step 1.b https://docs.aws.amazon.com/athena/latest/ug/security-iam-cross-account-glue-catalog-access.html I also configured the IAM Policies according to "Apply a cross-account bucket policy" from https://tomgregory.com/s3-bucket-access-from-the-same-and-another-aws-account/ Both S3 and Glue Policies are attached to the concerned users in this account.

Problem: In account X, Athena is capable of accessing Glue and it displays Database, Tables and the catalog. However when I run a query (a same successful query made in account Y) I get the error

Permission denied on S3 path: s3://asdf
This query ran against the "dbname" database, unless qualified by the query. Please post the error message on our forum
or contact customer support
with Query Id: a3a3a3a...

Apparently, I'm missing a S3 permission but I can't find information about it

Any help is much appreciated.

Thanks,

asked 5 months ago72 views
No Answers

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions