LakeFormation assumed role cannot access s3 objects during Athena requests ("Permission denied on S3 path" )

Question

I have Delta Lake tables (using Symlink text input format) catalogued in Glue, stored in a S3 bucket, with all its resources tagged with LakeFormation Tags (for tag-based governance).
The problem is that, although the users can see the database, tables, and metadata within Athena's catalogue, they cannot perform queries against the specific tables because of "Permission denied on S3 path" errors.

LakeFormation has the data location registered for the datalake bucket, with AWSServiceRoleForLakeFormationDataAccess role. And this role has IAM permissions automatically added to the resources:

```
LakeFormationDataAccessServiceRolePolicy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        }
    ]
}
```

and

```
LakeFormationDataAccessPolicyForS3
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LakeFormationDataAccessPermissionsForS3",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::MYBUCKET/*"
            ]
        },
        {
            "Sid": "LakeFormationDataAccessPermissionsForS3ListBucket",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::MYBUCKET"
            ]
        }
    ]
}
```

I have also tried registering the data location with a role with Admin permissions (Action "*" and Resources "*"), but even so the same error is thrown.

Looking through the CloudTrail logs, I found that LakeFormation passes custom policies to the role when running AssumeRole:

```
"policy": "{
  "Version": "2012-10-17",
  "Statement": [
         {
           "Action": ["s3:GetObject"],
           "Effect": "Allow",
           "Resource": ["arn:aws:s3:::MYBUCKET",
           "Condition": {"ForAnyValue:StringLike":{"s3:prefix":["MYTABLE/_symlink_format_manifest","MYTABLE/_symlink_format_manifest/*"]}}
         },
         {
           "Action": ["kms:Decrypt"],
           "Effect": "Allow",
           "Resource": ["*"],
           "Condition": {"StringEquals":{"kms:ViaService":["s3.us-east-2.amazonaws.com"]}}
         }  ]
}"
    }
```
This seems like a malformatted json string that is being passed to the assumed role. Can this be causing the errors I'm having? And does anyone have had this issue before?

PS:
I have manually removed ACL control over the S3 bucket and objects. Still same behavior.
The error is not shown if I remove the data location, and Athena ignores Lake Formation.

Answer

Are your bucket and objects encrypted?  If your bucket and objects are encrypted, I would make sure Lakeformation has the proper access to use the KMS Key (KMS Key Policy).

LakeFormation assumed role cannot access s3 objects during Athena requests ("Permission denied on S3 path" )

Relevant questions

AWS Lake Formation: (AccessDeniedException) when calling the GetTable operation: Insufficient Lake Formation permission(s) on table

Sagemake couldn't access S3 vis athena query

Athena query: Insufficient Lake Formation permission(s): Illegal permission combination

Access denied when trying to GET objects uploaded to s3 bucket via aws sdk using cloudfront

Error Running Glue Crawler

AWS Wrangler Error HIVE_METASTORE_ERROR: Table is missing storage descriptor

Cross account access from Athena to S3

403 Access denied error from S3 in Glue

What permissions configurations are required on an S3 bucket for Athena to be able to Preview View on an object?

LakeFormation assumed role cannot access s3 objects during Athena requests ("Permission denied on S3 path" )