The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access (Query Id: b2c74c7e-21ed-4375-8712-cd1579eab9a7)

0

I tried to set up a cross-account Athena access. I could see the database in Lake Formation, Glue and Athena under the target account. At the beginning I didn't see any tables in the target Athena console. After I did something in the Lake Formation console (target account) I could see a table in the target Athena console and query it successfully. But I could not see other tables from the same database even though I tried many ways. I always got the error below even though I gave the KMS access everywhere (both KMS and IAM role) or turned off the KMS encryption in Glue. I don't know what the actual reason is. Below is an example of the error message: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access. (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: cb9a754f-fc1c-414d-b526-c43fa96d3c13; Proxy: null) (Service: AWSGlue; Status Code: 400; Error Code: GlueEncryptionException; Request ID: 0c785fdf-e3f7-45b2-9857-e6deddecd6f9; Proxy: null) This query ran against the "xxx_lakehouse" database, unless qualified by the query. Please post the error message on our forum or contact customer support with Query Id: b2c74c7e-21ed-4375-8712-cd1579eab9a7. I have already added the permissions pointed out in https://repost.aws/knowledge-center/cross-account-access-denied-error-s3? Does anyone know how to fix the error and see the cross-account tables in Athena? Thank you very much.

asked 5 days ago, 30 views
1 Answer
0

Hi, have you created the relevant resource links in the Lake Formation console of your target account? If not yet done, please follow the given documentation and set up the shared tables in your target account. In case both the source S3 bucket and the source table in Glue are encrypted with different KMS keys, then permissions must be given to both of the keys. If both belong to different accounts, then you will have to provide both the resource-based and identity-based permissions.

In my experience, the error you are seeing arises when the key policy of the KMS key is not properly defined such that it allows cross-account access to the key. Thus, please verify it once.

It might be better if you reach out to a Premium Support engineer of the Security team, as they will be able to have a look at your policies and find out the exact root cause of the error.

AWS
SUPPORT ENGINEER
Chaitu
answered 4 days ago
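The answer above says the fix is two-sided: the KMS key policy in the source account must name the target account as a principal, and the querying role in the target account must carry an identity policy for that key. The script below is an added example, not code from the question, the answer, or AWS; it is an offline check that parses both policy documents and lists which of the required KMS actions each side fails to grant. All account IDs, the key ARN, the role name and the sample policies are constructed placeholders, and the set of actions it treats as required (kms:Decrypt and kms:DescribeKey, the minimum for reading encrypted Glue catalog metadata) is an assumption; consult the Glue and Athena encryption documentation for your exact needs. It also deliberately ignores Deny statements and Condition blocks, so a clean result here means "nothing is obviously missing", not "access will definitely work".

```python
import fnmatch
import json

# Constructed placeholders: the source account owns the KMS key and the Glue
# catalog, the target account runs Athena through a Lake Formation resource link.
SOURCE_ACCOUNT = "111111111111"
TARGET_ACCOUNT = "222222222222"
KEY_ARN = f"arn:aws:kms:us-east-1:{SOURCE_ACCOUNT}:key/00000000-0000-0000-0000-000000000000"
TARGET_ROLE_ARN = f"arn:aws:iam::{TARGET_ACCOUNT}:role/AthenaQueryRole"

# Assumed minimal actions for reading an encrypted Glue catalog (not AWS's list).
REQUIRED_ACTIONS = ("kms:Decrypt", "kms:DescribeKey")

# Weak key policy: only the key-owning account is a principal, so any call
# signed by the target account's role fails with AccessDeniedException.
KEY_POLICY_SOURCE_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableRoot", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{SOURCE_ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"}
    ],
}

# Corrected key policy: adds a statement that lets the target account use the key.
KEY_POLICY_CROSS_ACCOUNT = {
    "Version": "2012-10-17",
    "Statement": KEY_POLICY_SOURCE_ONLY["Statement"] + [
        {"Sid": "AllowTargetAccountUse", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{TARGET_ACCOUNT}:root"},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}
    ],
}

# Identity policy attached to the target account's Athena role (constructed).
IDENTITY_POLICY_TARGET_ROLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:DescribeKey"],
         "Resource": KEY_ARN}
    ],
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(principal_entry):
    """'arn:aws:iam::222222222222:root' -> '222222222222'; bare IDs pass through."""
    if principal_entry == "*":
        return "*"
    parts = principal_entry.split(":")
    return parts[4] if len(parts) >= 5 else principal_entry


def _principal_accounts(principal):
    """Account IDs named by a statement's Principal (only AWS principals matter here)."""
    if principal == "*":
        return {"*"}
    if isinstance(principal, dict):
        return {_account_of(p) for p in _as_list(principal.get("AWS"))}
    return set()


def _actions_granted(statement, actions):
    """Subset of `actions` matched by the statement's Action patterns (case-insensitive, '*' wildcards)."""
    patterns = [a.lower() for a in _as_list(statement.get("Action"))]
    return {a for a in actions if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}


def missing_key_policy_actions(key_policy, account, actions=REQUIRED_ACTIONS):
    """Required actions that no Allow statement in the key policy grants to `account`."""
    granted = set()
    for st in key_policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        accounts = _principal_accounts(st.get("Principal"))
        if account in accounts or "*" in accounts:
            granted |= _actions_granted(st, actions)
    return sorted(set(actions) - granted)


def missing_identity_policy_actions(identity_policy, key_arn, actions=REQUIRED_ACTIONS):
    """Required actions that no Allow statement in the identity policy grants on `key_arn`."""
    granted = set()
    for st in identity_policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if any(fnmatch.fnmatchcase(key_arn, r) for r in _as_list(st.get("Resource"))):
            granted |= _actions_granted(st, actions)
    return sorted(set(actions) - granted)


def cross_account_kms_gaps(key_policy, identity_policy, account=TARGET_ACCOUNT, key_arn=KEY_ARN):
    """Both halves of the check the answer describes: resource-based and identity-based."""
    return {
        "key_policy": missing_key_policy_actions(key_policy, account),
        "identity_policy": missing_identity_policy_actions(identity_policy, key_arn),
    }


if __name__ == "__main__":
    print("weak key policy   :", json.dumps(cross_account_kms_gaps(KEY_POLICY_SOURCE_ONLY, IDENTITY_POLICY_TARGET_ROLE)))
    print("corrected policy  :", json.dumps(cross_account_kms_gaps(KEY_POLICY_CROSS_ACCOUNT, IDENTITY_POLICY_TARGET_ROLE)))
```

To run it against real documents, replace the constructed dictionaries with the output of `aws kms get-key-policy --policy-name default` (source account) and the role's attached policy JSON (target account). Remember that the error text in the question also fires when the key lives in a different region than the Glue catalog being read, which no policy check can detect.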
