Reputation: 101
Query Delta Lake Table using Athena using SymlinkTextInputFormat
Problem summary: Failure to query data via AWS Athena on a Delta Lake table (in S3). I believe the problem happens specifically if the account has Lake Formation enabled.
Steps to replicate:
- Make sure you do this in a new AWS account, or an account which doesn't have Lake Formation enabled yet. For simplicity, just use admin permissions when logged in to the account.
- Upload a sample delta lake table. Take the contents of the directory here, and upload it to an S3 bucket (SSE-S3 encrypted) of your choice
- Make sure to update the content of the _symlink_format_manifest/manifest file to reflect your bucket name
- Setup a new Athena table (update $bucket and $prefix below)
CREATE EXTERNAL TABLE `superstore_delta`(
`Category` string,
`SubCategory` string,
`Sales` string)
ROW FORMAT SERDE
'org.apache.hadoop.hive.ql.io.parquet.serde.ParquetHiveSerDe'
STORED AS INPUTFORMAT
'org.apache.hadoop.hive.ql.io.SymlinkTextInputFormat'
OUTPUTFORMAT
'org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat'
LOCATION
's3://$bucket/$prefix/_symlink_format_manifest/'
- Query the table, and you will see 20 rows of data
- Now navigate to Lake Formation
- Since it's your first time there in this account, you'll need to set yourself as admin
- Go to "Data lake locations", and register your S3 bucket as a location
- Provide access to the superstore_delta table for your principal (using LF Tags)
- Query the table in Athena again. Now you will get this error:
Permission denied on S3 path: s3a://$bucket/superstore_delta/part-00000-81186b2b-ee07-4543-ab15-8c8cfce2ed0d-c000.snappy.parquet
Anyone else faced this issue while working with Delta Lake tables + Lake Formation?
P.S. The querying works if I use a completely unencrypted S3 bucket, even with Lake Formation enabled
Upvotes: 1
Views: 2921
Answers (2)
Reputation: 1
Based on the latest news, it seems that lake formation now support Table, column, row, and cell-level permissions for symlink tables.https://docs.aws.amazon.com/lake-formation/latest/dg/athena-lf.html
Upvotes: 0
Reputation: 324
Most likely IAM role associated with Amazon S3 path (the one you are specifying in AWS Lake formation -> Data Lake location) was not explicitly added to S3 bucket resource policy with S3 Read permissions. So this should be not the role you are querying with in Athena but the role associated with S3 location in Lake formation.
Upvotes: 0
Related Questions
- Can AWS Glue crawl Delta Lake table data?
- How to set up Spark SQL to work with Delta Lake tables with Glue metastore?
- Can Glue Crawler crawl the deltalake files to create tables in aws glue catalogue?
- "Permission denied" error when sending a query with Athena
- Spark SQL queries against Delta Lake Tables using Symlink Format Manifest
- Athena reports "Insufficient permissions to execute the query. Caller does not have full access to table"
- PySpark Delta Table - generate symlink [java.lang.NoSuchMethodError]
- Read /Write delta lake tables on S3 using AWS Glue jobs
- Querying Athena tables in AWS Glue Python Shell
- Querying across S3 buckets using Athena