Glue and CloudFormation cross-account access error

0

I am attempting to create a Glue Table within a CloudFormation stack. I am getting the following error:

Cross account access is not supported for account that hasn't imported Athena catalog to Glue. Please refer to documentation: https://docs.aws.amazon.com/athena/latest/ug/glue-upgrade.html (Service: AWSGlue; Status Code: 400; Error Code: AccessDeniedException; Request ID: e7439225-9a53-4594-84a4-0201c9e0eb94; Proxy: null)

I am using a User Account with broad IAM permissions to create the Stack (e.g. glue:*, athena:*, s3:*). The link in the error does not include a viable solution as I am already using Athena and Glue together. I am also able to access the database from the AWS-CLI using the User Account (including creating a glue table).

I have attempted to search for the error, but the closest results seem to be for allowing another account to access your account's Athena database, whereas this is all contained within the same account. Nevertheless, I followed the instructions (adding Permissions to the Data Catalog Settings) to no avail. These results were for similarly worded errors, but I was unable to locate any results describing this exact error (currently the only result on Google with this error is my own question on SO).

Here is a snippet from my CloudFormation template:

Type: AWS::Glue::Table
Properties:
  CatalogId: AwsDataCatalog
  DatabaseName: !Sub 'db_${BucketName}'
  TableInput:
    Name: !Sub 'tbl_${LocalName}'
    Description: !Sub 'Glue Table for ${LocalName}'
    TableType: EXTERNAL_TABLE
    Parameters:
      EXTERNAL: 'TRUE'            # Glue table parameters are strings, so quote the value
    PartitionKeys:
      - Name: groupid
        Type: smallint
      - Name: dt
        Type: date
    StorageDescriptor:
      Location: !Sub 's3://${BucketName}/${LocalName}/'
      InputFormat: org.apache.hadoop.mapred.TextInputFormat
      OutputFormat: org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat
      SerdeInfo:
        SerializationLibrary: org.apache.hadoop.hive.serde2.OpenCSVSerde
        Parameters:
          escapeChar: '\'         # single-quoted YAML has no escapes: '\' is one backslash, '\\' is two
          quoteChar: '"'
          separatorChar: ','
      Parameters: {}
      Columns:
        - Name: traceID
          Type: int
....

Any help would be greatly appreciated.

2 Answers
1
Accepted Answer

After contacting AWS support, I found the solution, so I'm posting it here in case anyone else encounters this problem in the future. The CatalogId is the AccountID, and not the name of the Catalog as seen in the Athena Console. The solution was to replace the third line of the template I provided:

Type: AWS::Glue::Table
Properties:
  CatalogId: !Sub '${AWS::AccountId}'
  DatabaseName: !Sub 'db_${BucketName}'
  TableInput:
    Name: !Sub 'tbl_${LocalName}'
....
answered 3 years ago
EXPERT
reviewed 2 years ago
EXPERT
reviewed 2 years ago
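The accepted answer's fix is easy to get wrong again in a large template, and the error CloudFormation returns (an AccessDeniedException about "cross account access") does not point at the offending property. The following Python script is an added example, not code from the question or the answer: a pre-deploy lint that walks the JSON form of a CloudFormation template and flags any AWS::Glue::Database, AWS::Glue::Table or AWS::Glue::Partition resource whose CatalogId is not a 12-digit account ID, `{"Ref": "AWS::AccountId"}` or `{"Fn::Sub": "${AWS::AccountId}"}` (the `!Ref` and `!Sub` forms are equivalent). It also catches the two placeholder typos visible in the original snippet: an Fn::Sub string whose `{Name}` lost its `$`, and a plain string containing `${Name}` that is not wrapped in Fn::Sub. The two templates embedded below are constructed to mirror the question's snippet before and after the fix; the logical ID `GlueTable` is assumed. Only the standard library is used.

```python
import re

# Glue resources whose CatalogId must be the 12-digit account ID, never a catalog name.
GLUE_CATALOG_TYPES = {"AWS::Glue::Database", "AWS::Glue::Table", "AWS::Glue::Partition"}
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# "{Name}" inside an Fn::Sub string with no "$" in front of it: the "$" was dropped.
BARE_PLACEHOLDER_RE = re.compile(r"(?<!\$)\{[A-Za-z0-9:.]+\}")
# "${Name}" in a plain string: !Sub is missing, so CloudFormation will not expand it.
SUB_PLACEHOLDER_RE = re.compile(r"\$\{[A-Za-z0-9:.]+\}")


def _sub_text(arg):
    """Fn::Sub takes either a string or [string, {var: value}]; return the string part."""
    return arg[0] if isinstance(arg, list) else arg


def is_account_id(value):
    """True if a CatalogId value resolves to the deploying account's ID at deploy time."""
    if isinstance(value, str):
        return bool(ACCOUNT_ID_RE.match(value))
    if isinstance(value, dict) and len(value) == 1:
        (fn, arg), = value.items()
        if fn == "Ref":
            return arg == "AWS::AccountId"
        if fn == "Fn::Sub":
            return _sub_text(arg) == "${AWS::AccountId}"
    return False


def _walk_strings(node, path):
    """Yield (path, text, inside_sub) for every string value in a property tree."""
    if isinstance(node, dict):
        if len(node) == 1 and "Fn::Sub" in node:
            yield path + "/Fn::Sub", _sub_text(node["Fn::Sub"]), True
            return
        for key, child in node.items():
            yield from _walk_strings(child, f"{path}/{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from _walk_strings(child, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node, False


def lint_template(template):
    """Return a list of human-readable findings for a template given as a dict (JSON form)."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        props = resource.get("Properties", {})
        if resource.get("Type") in GLUE_CATALOG_TYPES:
            cid = props.get("CatalogId")
            if not is_account_id(cid):
                findings.append(f"{logical_id}: CatalogId {cid!r} is not an account ID; "
                                "use !Ref AWS::AccountId")
        for path, text, inside_sub in _walk_strings(props, logical_id):
            if inside_sub and BARE_PLACEHOLDER_RE.search(text):
                findings.append(f"{path}: Fn::Sub placeholder missing '$' in {text!r}")
            if not inside_sub and SUB_PLACEHOLDER_RE.search(text):
                findings.append(f"{path}: {text!r} contains ${{...}} but is not wrapped in Fn::Sub")
    return findings


# Constructed sample: the question's snippet in JSON form, with the typos it showed.
BROKEN_TEMPLATE = {
    "Resources": {
        "GlueTable": {  # logical ID assumed
            "Type": "AWS::Glue::Table",
            "Properties": {
                "CatalogId": "AwsDataCatalog",
                "DatabaseName": {"Fn::Sub": "db_{BucketName}"},
                "TableInput": {
                    "Name": "tbl_${LocalName}",
                    "Description": {"Fn::Sub": "Glue Table for {LocalName}"},
                    "StorageDescriptor": {
                        "Location": {"Fn::Sub": "s3://${BucketName}/${LocalName}/"},
                    },
                },
            },
        }
    }
}

# Constructed sample: the same resource after applying the accepted answer's fix.
FIXED_TEMPLATE = {
    "Resources": {
        "GlueTable": {
            "Type": "AWS::Glue::Table",
            "Properties": {
                "CatalogId": {"Ref": "AWS::AccountId"},
                "DatabaseName": {"Fn::Sub": "db_${BucketName}"},
                "TableInput": {
                    "Name": {"Fn::Sub": "tbl_${LocalName}"},
                    "Description": {"Fn::Sub": "Glue Table for ${LocalName}"},
                    "StorageDescriptor": {
                        "Location": {"Fn::Sub": "s3://${BucketName}/${LocalName}/"},
                    },
                },
            },
        }
    }
}

if __name__ == "__main__":
    for name, tpl in (("broken", BROKEN_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        result = lint_template(tpl)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run it as-is and the broken template produces four findings (the CatalogId name, the two Fn::Sub strings missing `$`, and the unwrapped `tbl_${LocalName}`), while the fixed template produces none. For a YAML template, convert it first with `aws cloudformation get-template` or a YAML loader that understands the `!Ref`/`!Sub` short tags, then feed the resulting dict to `lint_template`.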
0

Start at 'Granting Cross Account Access' in the AWS Glue Developer Guide https://docs.aws.amazon.com/glue/latest/dg/cross-account-access.html#cross-account-limitations. Either a resource policy or an IAM role policy. I can't tell from your CloudFormation snippet how your current access is configured.

Then check the limitations and access configurations in 'Fine-grained access to databases and tables in the AWS Glue Data Catalog' from the Amazon Athena User Guide. https://docs.aws.amazon.com/athena/latest/ug/fine-grained-access-to-glue-resources.html

answered 3 years ago