The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access (Query Id: b2c74c7e-21ed-4375-8712-cd1579eab9a7)

0

I tried to set up cross-account Athena access. I could see the database in Lake Formation, Glue and Athena under the target account. At the beginning I didn't see any tables in the target Athena console. After I did something in the Lake Formation console (target account) I could see a table in the target Athena console and query it successfully. But I could not see the other tables from the same database, even though I tried many ways. I always got the error below, even though I gave KMS access everywhere (both the KMS key policy and the IAM role) or turned off KMS encryption in Glue. I don't know what the actual reason is. Below is an example of the error message:

The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access. (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: cb9a754f-fc1c-414d-b526-c43fa96d3c13; Proxy: null) (Service: AWSGlue; Status Code: 400; Error Code: GlueEncryptionException; Request ID: 0c785fdf-e3f7-45b2-9857-e6deddecd6f9; Proxy: null) This query ran against the "xxx_lakehouse" database, unless qualified by the query. Please post the error message on our forum or contact customer support with Query Id: b2c74c7e-21ed-4375-8712-cd1579eab9a7.

I have already added the permissions pointed out in https://repost.aws/knowledge-center/cross-account-access-denied-error-s3. Does anyone know how to fix the error and see the cross-account tables in Athena? Thank you very much.

Asked 1 year ago, 1986 views
1 answer
0
Accepted answer

Hi, have you created the relevant resource links in the Lake Formation console of your target account? If not yet done, please follow the given documentation and set up the shared tables in your target account. In case both the source S3 bucket and the source table in Glue are encrypted with different KMS keys, permissions must be given to both of the keys. If both belong to different accounts, then you will have to provide both the resource-based and identity-based permissions.

In my experience, the error you are seeing arises when the Key policy of the KMS key is not properly defined such that it allows cross account access of the key. Thus, please verify it once.

It might be better if you reach out to a Premium Support engineer of Security team as they will be able to have a look at your policies and find out the exact root cause of the error.

AWS Support Engineer
Chaitu
Answered 1 year ago
  • Hi Chaitu, sorry for the late response. I did create the resource links and the key policy was also correctly defined. But it was caused by the KMS key issue, because originally my S3 buckets were encrypted with S3-SSE (which does not support cross-account access) and I switched to KMS encryption after I granted the cross-account access through Lake Formation. I finally destroyed the infrastructure and redeployed, and everything worked. I felt that I should have changed the S3 encryption from S3-SSE to KMS encryption before I implemented the cross-account access. Thank you very much.
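The accepted answer's point that cross-account use of a KMS key needs both a resource-based grant (the key policy in the source account) and an identity-based grant (an IAM policy on the querying role in the target account) is the part most often missed when debugging this error. The following checker is an added example, not code from the thread or from AWS; it evaluates two constructed policy documents offline and reports, per required KMS action, whether both sides allow a given role. The account IDs (111111111111 source, 222222222222 target), the key ARN, the role name and the policy contents are all placeholders I made up; it also simplifies IAM evaluation (no conditions, no permission boundaries, no SCPs), so treat it as a way to reason about the two-sided requirement rather than as a replacement for the IAM policy simulator.

```python
import fnmatch
import json

# Constructed sample: key policy on the KMS key in the SOURCE account (111111111111).
# "AllowTargetAccountUse" names the TARGET account root, which only delegates the
# decision to that account's IAM policies; nothing works until one of them also allows.
SOURCE_KEY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "KeyAdmin", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "kms:*", "Resource": "*"},
    {"Sid": "AllowTargetAccountUse", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:Encrypt", "kms:GenerateDataKey*"],
     "Resource": "*"}
  ]}""")

# Constructed placeholder key ARN (source account) and identity policy attached to the
# querying role in the TARGET account.
KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000000"
TARGET_IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey"],
     "Resource": "%s"}
  ]}""" % KEY_ARN)

# Minimum actions a reader of KMS-encrypted catalog metadata or S3 objects needs.
REQUIRED_ACTIONS = ("kms:Decrypt", "kms:DescribeKey")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    # arn:partition:service:region:account-id:resource -> index 4 is the account
    return arn.split(":")[4]


def _matches_any(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _principal_covered(statement, principal_arn):
    """True if a key-policy statement's Principal covers this role ARN."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return True
    entries = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    for entry in entries:
        if entry in ("*", principal_arn):
            return True
        # Account root in a key policy means "any principal of that account,
        # subject to that account's own IAM policies".
        if entry.endswith(":root") and _account_of(entry) == _account_of(principal_arn):
            return True
    return False


def _evaluate(statements, action, resource, principal_arn=None):
    """Return 'deny', 'allow' or 'none' for one policy document (explicit deny wins)."""
    decision = "none"
    for st in statements:
        if principal_arn is not None and not _principal_covered(st, principal_arn):
            continue
        if not _matches_any(_as_list(st.get("Action")), action):
            continue
        if not _matches_any(_as_list(st.get("Resource")), resource):
            continue
        if st.get("Effect") == "Deny":
            return "deny"
        decision = "allow"
    return decision


def key_policy_allows(key_policy, principal_arn, action, key_arn):
    return _evaluate(key_policy["Statement"], action, key_arn, principal_arn) == "allow"


def identity_policy_allows(identity_policy, action, key_arn):
    return _evaluate(identity_policy["Statement"], action, key_arn) == "allow"


def cross_account_access_report(key_policy, identity_policy, principal_arn, key_arn):
    """Per required action: does the role get through? Cross-account needs BOTH sides."""
    cross_account = _account_of(principal_arn) != _account_of(key_arn)
    report = {}
    for action in REQUIRED_ACTIONS:
        by_key = key_policy_allows(key_policy, principal_arn, action, key_arn)
        by_identity = identity_policy_allows(identity_policy, action, key_arn)
        # Same-account principals named directly in the key policy need no IAM grant
        # (simplified here); principals from another account always need both.
        report[action] = (by_key and by_identity) if cross_account else by_key
    return report


if __name__ == "__main__":
    role = "arn:aws:iam::222222222222:role/athena-query-role"  # constructed placeholder
    print(json.dumps(cross_account_access_report(
        SOURCE_KEY_POLICY, TARGET_IDENTITY_POLICY, role, KEY_ARN), indent=2))
```

Running it with the sample documents reports both actions as allowed for the target-account role; removing the target account's root from the key policy, or dropping the KMS actions from the role's identity policy, flips the report to denied, which mirrors the two checks the answer asks the questioner to verify. Note that this does not cover the questioner's eventual root cause (objects written under SSE-S3 before the switch to a KMS key), since no policy change can make those readable cross-account; only re-encrypting the data under the shared key does.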
