S7H

Reputation: 1635

AWS - Permission denied on S3 Path

I am invoking a Lambda function which queries AWS Athena, and during execution of the query I am getting this error: Permission denied on S3 path: s3://bkt_logs/apis/2020/12/16/14

Note: The S3 bucket is encrypted and I have attached a policy to access the KMS key.

These are the permissions that I have given to the Lambda function.

[
  {
    "Action": [
      "s3:Get*",
      "s3:List*",
      "s3:PutObject",
      "s3:DeleteObject"
    ],
    "Resource": "arn:aws:s3:::athena-query-results/*",
    "Effect": "Allow",
    "Sid": "AllowS3AccessToSaveAndReadQueryResults"
  },
  {
    "Action": [
      "s3:*"
    ],
    "Resource": "arn:aws:s3:::bkt_logs/*",
    "Effect": "Allow",
    "Sid": "AllowS3AccessForGlueToReadLogs"
  },
  {
    "Action": [
      "athena:GetQueryExecution",
      "athena:StartQueryExecution",
      "athena:StopQueryExecution",
      "athena:GetWorkGroup",
      "athena:GetDatabase",
      "athena:BatchGetQueryExecution",
      "athena:GetQueryResults",
      "athena:GetQueryResultsStream",
      "athena:GetTableMetadata"
    ],
    "Resource": [
      "*"
    ],
    "Effect": "Allow",
    "Sid": "AllowAthenaAccess"
  },
  {
    "Action": [
      "glue:GetTable",
      "glue:GetDatabase",
      "glue:GetPartitions"
    ],
    "Resource": [
      "*"
    ],
    "Effect": "Allow",
    "Sid": "AllowGlueAccess"
  },
  {
    "Action": [
      "kms:CreateGrant",
      "kms:DescribeKey"
    ],
    "Resource": [
      "*"
    ],
    "Effect": "Allow",
    "Sid": "AllowKMSAccess"
  }
]

Code snippet that I am using to query from the Lambda function.

// Athena writes the query output to the results bucket; the table's data itself is read from bkt_logs.
const queryRequest = {
    QueryExecutionContext: {
        Database: this.databaseName
    },
    QueryString: query,
    ResultConfiguration: {
        OutputLocation: 's3://athena-query-results'
    },
    WorkGroup: this.workgroup
};

// Athena runs the query asynchronously: failures such as the S3 permission error are
// reported on the execution's status when it is polled, not thrown by this call.
const queryExecutionId = await this.athenaService.startQueryExecution(queryRequest);

The bucket bkt_logs is used by AWS Glue crawlers to populate the Athena table that I am querying.

Am I missing something here?

Upvotes: 3

Views: 11432

Answers (1)

S7H

Reputation: 1635

I was able to resolve the issue.

Athena requires access to the bucket and also to the folders and subfolders. So, after updating my S3 policy to allow access to the bucket, I was able to resolve the issue.

{
  "Action": [
    "s3:*"
  ],
  "Resource": [
    "arn:aws:s3:::bkt_logs",
    "arn:aws:s3:::bkt_logs/*"
  ],
  "Effect": "Allow",
  "Sid": "AllowS3AccessForGlueToReadLogs"
}

Upvotes: 3
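The root cause in the answer above is that `arn:aws:s3:::bkt_logs/*` only covers object-level actions, while `s3:ListBucket` (which Athena needs to enumerate the table's prefix) only matches the bucket ARN itself. The following is an added example, not code from the question or the answer: a small policy linter that reports exactly this gap. It evaluates Allow statements only (Deny statements and Conditions are ignored), and the object key used for the object-level probe is constructed from the path in the error message.

```javascript
// Added example, not code from the original post: a small linter for the bucket-ARN gap
// behind this "Permission denied on S3 path" error. Athena lists the table's prefix before
// reading objects, and s3:ListBucket only matches the bucket ARN "arn:aws:s3:::bucket",
// never the object ARN "arn:aws:s3:::bucket/*". Simplification: only Allow statements
// are evaluated (Deny statements and Conditions are ignored).

function globToRegExp(pattern, flags = "") {
  // IAM wildcards: "*" matches any run of characters, "?" matches exactly one.
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$", flags);
}

const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// True if some Allow statement grants `action` on `resource`. `policy` may be a full
// document with a Statement key or a bare statement array as pasted in the question.
function allows(policy, action, resource) {
  const statements = Array.isArray(policy) ? policy : asList(policy.Statement);
  return statements.some(
    (st) =>
      st.Effect === "Allow" &&
      asList(st.Action).some((a) => globToRegExp(a, "i").test(action)) && // actions are case-insensitive
      asList(st.Resource).some((r) => globToRegExp(r).test(resource))
  );
}

// Returns the permissions an Athena source bucket needs that `policy` does not grant.
function checkAthenaSourceBucket(policy, bucket) {
  const bucketArn = `arn:aws:s3:::${bucket}`;
  const missing = [];
  if (!allows(policy, "s3:ListBucket", bucketArn)) missing.push(`s3:ListBucket on ${bucketArn}`);
  // Any key under the bucket works for the object-level probe; this constructed one uses the error's path.
  if (!allows(policy, "s3:GetObject", `${bucketArn}/apis/2020/12/16/14/part-0`)) {
    missing.push(`s3:GetObject on ${bucketArn}/*`);
  }
  return missing;
}

// The S3 statement as first posted (object ARN only) and as corrected in the answer.
const beforeFix = [{ Effect: "Allow", Action: ["s3:*"], Resource: "arn:aws:s3:::bkt_logs/*" }];
const afterFix = [{ Effect: "Allow", Action: ["s3:*"],
                    Resource: ["arn:aws:s3:::bkt_logs", "arn:aws:s3:::bkt_logs/*"] }];

console.log(checkAthenaSourceBucket(beforeFix, "bkt_logs")); // [ 's3:ListBucket on arn:aws:s3:::bkt_logs' ]
console.log(checkAthenaSourceBucket(afterFix, "bkt_logs")); // []
```

Running the same check against the full policy array from the question (not just the S3 statement) gives the same single finding, because none of the other statements touch the bucket ARN.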
