Reputation: 477
"Permission denied" error when sending a query with Athena
Want to Achieve
I would like to execute a SELECT statement in AWS Athena, but I am getting the following error.
Glue catalog is ready, meta information is ready, DDL can be displayed.
I would appreciate it if you could tell me how to make the query work properly.
SELECT * FROM "table_name" limit 10;
↓
Permission denied on S3 path: s3://backet_name/falder_name/db_name/table_name/parquet_name
error_message
"errorCode":"AccessDenied",
"errorMessage":"User: arn:aws:sts::<Account_ID>:assumed-role/AWSServiceRoleForLakeFormationDataAccess/AWSLF-00-AT-<Account_ID>-OSSm3ywcAP is not authorized to perform: kms:Decrypt on resource: arn:aws:kms:ap-northeast-1:<Account_ID>:key/○○ because no resource-based policy allows the kms:Decrypt action"
Environment
On AWS RDS snapshots are exported to S3 and crawled by Glue to create a data catalog. In addition, we are using AWS LakeFormation to manage the data.
Setup
AWServiceRoleForLakeFormationDataAccess
"AWServiceRoleForLakeFormationDataAccess" is set as the crawler's service role.
Policies allowed for this role include.
・AWSGlueServiceRole
・AmazonS3ReadOnlyAccess
・kms-decrypt-policy
・LakeFormationGetPolicy
kms-decrypt-policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "kms:Decrypt",
"Resource": "*"
}
]
}
LakeFormationGetPolicy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lakeformation:GetResourceLFTags",
"lakeformation:GetDataAccess",
"lakeformation:ListLFTags",
"lakeformation:GetLFTag"
],
"Resource": "*"
}
]
}
Athena Execution User(datalake_user)
Attached Policies
・AmazonAthenaFullAccess
・AmazonS3FullAccess
・KMSFullAccessPolicy
Lake Formation > Permissions
LF-Tags
AWS Lake Formation > Grant permissions > Grant data permissions
AWS Lake Formation > Databases > db_sample_for_athena
Upvotes: 3
Views: 4136
Answers (1)
Reputation: 477
Attaching KMS to AWServiceRoleForLakeFormationDataAccess solved the problem.
Upvotes: 2
Related Questions
- AWS Glue cannot create database from crawler: permission denied
- Athena query fails with: "Insufficient permissions to execute the query"
- GlueJobRunnerSession is not authorized to perform: lakeformation:GetDataAccess on resource
- Fetching data from Athena and glue permissions
- Athena reports "Insufficient permissions to execute the query. Caller does not have full access to table"
- Access Denied when querying in Athena for data in S3 bucket in another AWS account
- Cross-account access to AWS Glue Data Catalog via Athena
- Athena Query fails after adding S3 bucket to Lake Formation
- Athena permission denied while executing a query
- AWS athena + Glue initial query issue