
Cross-Account S3 Tables Access Issue: AssumeRole Cannot Find s3tablescatalog


Problem Description:

I'm trying to query S3 Tables across AWS accounts using AssumeRole, but encountering catalog access issues.

Environment:

  • Account A (Source): 544459981429 - where I initiate the request
  • Account B (Target): 862998707484 - where S3 Tables resources exist
  • S3 Tables Catalog: s3tablescatalog/aws-s3
  • Namespace: b_dingyi-integ-862998707484
  • Table: inventory

What Works:

✅ Direct access using Account B's Admin role works perfectly:

aws athena start-query-execution \
  --query-string 'SELECT COUNT(*) FROM "s3tablescatalog/aws-s3"."b_dingyi-integ-862998707484"."inventory"' \
  --result-configuration OutputLocation=s3://athena-queries-testing-artifact-862998707484/athena-query-results/ \
  --work-group primary \
  --region us-west-2

What Fails:

❌ AssumeRole from Account A to Account B fails with: CATALOG_NOT_FOUND: Catalog 's3tablescatalog/aws-s3' does not exist

Policies Attached to AssumeRole:

  • AmazonAthenaFullAccess
  • AmazonS3FullAccess
  • AmazonS3TablesFullAccess
  • AmazonS3TablesLakeFormationServiceRole
  • AmazonS3TablesReadOnlyAccess
  • AWSGlueConsoleFullAccess
  • AWSGlueServiceRole

Question:

What additional permissions or configurations are needed for cross-account S3 Tables access via AssumeRole? The role seems to have all relevant S3 Tables permissions, but still cannot see the catalog.

1 Answer

When accessing S3 Tables across AWS accounts using AssumeRole, there are specific steps you need to follow beyond just having the right IAM permissions. The issue you're encountering with "CATALOG_NOT_FOUND" suggests that while you have the necessary IAM policies attached to your role, you're missing the required resource links and cross-account permissions setup.

Here's what you need to do:

  1. Create a resource link in Account A (544459981429) to the shared database in Account B (862998707484). This is a crucial step that connects your account to the shared resources.

You can create this resource link using AWS Glue with a command similar to:

aws glue create-database \
  --region us-west-2 \
  --catalog-id "544459981429" \
  --database-input '{
    "Name": "b_dingyi_resourcelink",
    "TargetDatabase": {
      "CatalogId": "862998707484:s3tablescatalog/aws-s3",
      "DatabaseName": "b_dingyi-integ-862998707484"
    },
    "CreateTableDefaultPermissions": []
  }'
  2. Ensure cross-account permissions are granted on the table in Account B. The owner of Account B needs to grant permissions to your role in Account A:

aws lakeformation grant-permissions \
  --region us-west-2 \
  --principal DataLakePrincipalIdentifier=arn:aws:iam::544459981429:role/YourAssumeRoleName \
  --resource '{
    "Table": {
      "CatalogId": "862998707484:s3tablescatalog/aws-s3",
      "DatabaseName": "b_dingyi-integ-862998707484",
      "Name": "inventory"
    }
  }' \
  --permissions ALL
  3. Grant DESCRIBE permission on the resource link in Account A:

aws lakeformation grant-permissions \
  --region us-west-2 \
  --principal DataLakePrincipalIdentifier=arn:aws:iam::544459981429:role/YourAssumeRoleName \
  --resource '{
    "Database": {
      "CatalogId": "544459981429",
      "Name": "b_dingyi_resourcelink"
    }
  }' \
  --permissions DESCRIBE
  4. Check S3 bucket policies to ensure Account A has access to any underlying S3 data. The bucket policy should include a statement allowing access from Account A's role.

  5. Verify Object Ownership settings in the S3 bucket. If objects were uploaded by different accounts, ensure the Object Ownership setting is "Bucket owner enforced" to avoid access issues.

After completing these steps, you should be able to query the S3 Tables using your AssumeRole from Account A. Instead of directly referencing the catalog in Account B, you would query using the resource link you created in Account A.
Sources:

  • Accessing shared Amazon S3 tables - AWS Lake Formation
  • Configure cross-account access in Athena to Amazon S3 buckets - Amazon Athena
  • Why can't my S3 File Gateway access objects uploaded by cross-account users? | AWS re:Post

answered 10 months ago
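An added verification helper (not part of the question or the answer above): before re-running the Athena query, confirm that the two Lake Formation grants the answer describes actually exist for the assumed role. The input is constructed to mirror the shape of `aws lakeformation list-permissions` output from each account; the entries are sample data, not real API responses, and the role name `YourAssumeRoleName` is the placeholder from the answer.

```python
"""Check the Lake Formation grants needed for cross-account S3 Tables access."""
import json

ROLE_ARN = "arn:aws:iam::544459981429:role/YourAssumeRoleName"

# Constructed sample in the shape of `aws lakeformation list-permissions`
# output, one listing per account. Not real API responses.
ACCOUNT_B_PERMISSIONS = json.loads("""
{"PrincipalResourcePermissions": [
  {"Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::544459981429:role/YourAssumeRoleName"},
   "Resource": {"Table": {"CatalogId": "862998707484:s3tablescatalog/aws-s3",
                          "DatabaseName": "b_dingyi-integ-862998707484",
                          "Name": "inventory"}},
   "Permissions": ["SELECT", "DESCRIBE"]}
]}""")
ACCOUNT_A_PERMISSIONS = json.loads("""
{"PrincipalResourcePermissions": [
  {"Principal": {"DataLakePrincipalIdentifier": "arn:aws:iam::544459981429:role/YourAssumeRoleName"},
   "Resource": {"Database": {"CatalogId": "544459981429", "Name": "b_dingyi_resourcelink"}},
   "Permissions": ["DESCRIBE"]}
]}""")


def grants_for(listing, principal, resource_type, **match):
    """Permission names the principal holds on resources of resource_type
    ("Table" or "Database") whose fields equal the keyword filters."""
    held = set()
    for entry in listing.get("PrincipalResourcePermissions", []):
        if entry.get("Principal", {}).get("DataLakePrincipalIdentifier") != principal:
            continue
        res = entry.get("Resource", {}).get(resource_type)
        if res and all(res.get(k) == v for k, v in match.items()):
            held.update(entry.get("Permissions", []))
    return held


def missing_grants(acct_b_listing, acct_a_listing, principal=ROLE_ARN):
    """Return the gaps found; an empty list means both grants are present.
    ALL on the table is accepted in place of SELECT, as in the answer."""
    gaps = []
    table = grants_for(acct_b_listing, principal, "Table",
                       CatalogId="862998707484:s3tablescatalog/aws-s3",
                       DatabaseName="b_dingyi-integ-862998707484", Name="inventory")
    if not table & {"SELECT", "ALL"}:
        gaps.append("Account B: no SELECT/ALL on inventory for the role")
    link = grants_for(acct_a_listing, principal, "Database",
                      CatalogId="544459981429", Name="b_dingyi_resourcelink")
    if not link & {"DESCRIBE", "ALL"}:
        gaps.append("Account A: no DESCRIBE on resource link b_dingyi_resourcelink")
    return gaps
```

Feed the real `list-permissions` JSON from each account into `missing_grants` to see which of the two grants is still absent.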
