Permission denied on S3 when using Athena on AWS console


I am logged into AWS console as administrator and trying to use Athena to read files on s3 that I don't allow public access to, but it doesn't work. budget policy is as follows, work group is The budget policy is as follows and the work group is the primary Athena SQL one. database I have confirmed that the database is using the one generated by default and that the Data lake permissions also give All permissions to the IAM user used to log in to the console and I can open and download s3 budget file.

The DDL query for the create table including the s3 LOCATION succeeds, but when I try to hit the select statement "Permission denied on s3 path: (s3 url) This query ran against the "default" database, unless qualified by the query. Please post the error message on our forum or contact customer support with Query Id: 444f5547-4c37-4e05-a4a7-d1cd67cb865d" I think this is probably because the IAM role used in the Athena query that I type in AWS console is different from the IAM user used for login, but I don't know where to refer to the Athena IAM User. (The work group in spark has IAM, but the primary in Athena SQL didn't have IAM.)

	"Version": "2012-10-17",
	"Statement": [
			"Sid": "sample",
			"Effect": "Allow",
			"Principal": {
				"AWS": [
					"IAM user login to console"
			"Action": "s3:*",
			"Resource": [
				"s3 arn",
                                "s3 arn/*"

about answer

1.About Output folder, budget policy has already been set.

2.And Glue Data Catalog Policy is configured as this.

  "Version" : "2012-10-17",
  "Statement" : [ {
    "Effect" : "Allow",
    "Principal" : {
      "AWS" : [ "my Iam user arn" ]
    "Action" : "glue:*",
    "Resource" : "arn:aws:glue:ap-northeast-1:my id number:*"
  } ]

3.I confirmed s3 is encrypted by Amazon S3 managed keys (SSE-S3). I mistaked encrypted by my KSM key. but user and administrater key policy is attach to my iam account

but same error happened on AWS management console Athena

error messages s3 url is one I wanted to read from s3. not output folder Permission denied on s3 path: (s3 url)

1 Answer

Hi there, There are few things you have to check according to

  1. IAM permission on S3 including the athena output folder in your workspace [seems that you have already done]
  2. IAM permission on Glue Data Catalog policy [missing?]
  3. IAM permission on KMS and KMS key user permission if the s3 bucket is encrypted by customer-managed key.

Hope this help.

answered 16 days ago
  • Thank you for answering question but, I cannot solve this as I commented below

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions