By using AWS re:Post, you agree to the Terms of Use
/Access Denied Error in Athena query file/

Access Denied Error in Athena query file

0

I have a S3 bucket with some AVRO formatted files, I have successfully been through the steps to create a table based on the AVRO schema in Athena and can run SQL queries on the data that return a successful "Completed" response but no data is returned, In the query result bucket i have specified a csv file is created for each query that contains a Error xml block and a "Access Denied" message. I believe i have set up the bucket policy correctly, i am attempting to run this query on an user that is under the same account ID that the bucket was created in, so that seems like it should be straight forward. but it is not working for me and the lack of errors in Athena are confusing. I am stuck right now on what i have not set up correctly.

1 Answers
0

Looks like you don't have sufficient permissions to write the results to the query result bucket. Please refer the following link for more details, and it could be any of the reasons listed below...

"You get an "Access Denied" error usually because of the following reasons:

  1. The AWS Identity and Access Management (IAM) user doesn't have one or more of the following permissions:
  • Read the source data bucket.
  • Write the results to the query result bucket.*
  1. The Amazon Simple Storage Service (Amazon S3) bucket policies don't allow the required permissions to the IAM user.
  2. The object owner is different from the Amazon S3 bucket owner.
  3. You don't have access to the AWS Key Management Service (AWS KMS) key that's used to read or write the encrypted data.
  4. The AWS Glue Data Catalog policy doesn't allow access to the IAM user."

Check out the link for more details regarding the potential issues and how to solve them... https://aws.amazon.com/premiumsupport/knowledge-center/access-denied-athena/

answered a month ago
  • Thank you for the reply, so just for my understanding, if the use that made the bucket and is executing the query has the Athena and S3 full access policies attached via a group, is that not enough or does it need to be explicit to the exact resource im using, in this case a particular s3 bucket?

  • You also need to check the S3 bucket policies to make sure the user has access to the bucket(s). If the user has access to Athena and S3 but the S3 bucket policy doesn't give the user permissions to read/write to the buckets, you'll get the 'Access Denied' error. Also, check all the possible reasons why you can get the error in Athena in the link posted above and which I've enumerated below...

    "You get an "Access Denied" error usually because of the following reasons:

    1. The AWS Identity and Access Management (IAM) user doesn't have one or more of the following permissions: 1a. Read the source data bucket. 1b. Write the results to the query result bucket.
    2. The Amazon Simple Storage Service (Amazon S3) bucket policies don't allow the required permissions to the IAM user.
    3. The object owner is different from the Amazon S3 bucket owner.
    4. You don't have access to the AWS Key Management Service (AWS KMS) key that's used to read or write the encrypted data.
    5. The AWS Glue Data Catalog policy doesn't allow access to the IAM user."
  • As indicated in the follow up comment there might be more reasons why you get a Access Denied, and based on the fact that the query runs it is the result bucket that might have issues, the user need write access to the query result bucket but also to the KMS key if it is encrypted

    The answer might. be more readable if expanded directly with some of the information added in the foloow up comment.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions