AWS - Permission denied on S3 Path

Time: 05-23

I am invoking a Lambda function which queries AWS Athena, and during execution of the query I am getting this error: Permission denied on S3 path: s3://bkt_logs/apis/2020/12/16/14

Note: the S3 bucket is encrypted and I have attached a policy to access the KMS key.

These are the permissions that I have given to the Lambda function.

[
  {
    "Action": [
      "s3:Get*",
      "s3:List*",
      "s3:PutObject",
      "s3:DeleteObject"
    ],
    "Resource": "arn:aws:s3:::athena-query-results/*",
    "Effect": "Allow",
    "Sid": "AllowS3AccessToSaveAndReadQueryResults"
  },
  {
    "Action": [
      "s3:*"
    ],
    "Resource": "arn:aws:s3:::bkt_logs/*",
    "Effect": "Allow",
    "Sid": "AllowS3AccessForGlueToReadLogs"
  },
  {
    "Action": [
      "athena:GetQueryExecution",
      "athena:StartQueryExecution",
      "athena:StopQueryExecution",
      "athena:GetWorkGroup",
      "athena:GetDatabase",
      "athena:BatchGetQueryExecution",
      "athena:GetQueryResults",
      "athena:GetQueryResultsStream",
      "athena:GetTableMetadata"
    ],
    "Resource": [
      "*"
    ],
    "Effect": "Allow",
    "Sid": "AllowAthenaAccess"
  },
  {
    "Action": [
      "glue:GetTable",
      "glue:GetDatabase",
      "glue:GetPartitions"
    ],
    "Resource": [
      "*"
    ],
    "Effect": "Allow",
    "Sid": "AllowGlueAccess"
  },
  {
    "Action": [
      "kms:CreateGrant",
      "kms:DescribeKey"
    ],
    "Resource": [
      "*"
    ],
    "Effect": "Allow",
    "Sid": "AllowKMSAccess"
  }
]

This is the code snippet that I am using for querying from the Lambda.

// Athena query request: the Glue database, the SQL text, where the results go and the workgroup
const queryRequest = {
    QueryExecutionContext: {
        Database: this.databaseName
    },
    QueryString: query,
    ResultConfiguration: {
        OutputLocation: 's3://athena-query-results'
    },
    WorkGroup: this.workgroup
};

// Start the query; Athena reads the table's data from bkt_logs and writes results to OutputLocation
const queryExecutionId = await this.athenaService.startQueryExecution(queryRequest);

The bucket bkt_logs is the bucket used by AWS Glue Crawlers to populate the Athena table that I am querying.

Am I missing something here?

CodePudding user response:

I was able to resolve the issue.

Athena requires access to the bucket and also to the folders and subfolders. So, after updating my S3 policy to allow access to the bucket, I was able to resolve the issue.

{
  "Action": [
    "s3:*"
  ],
  "Resource": [
    "arn:aws:s3:::bkt_logs",
    "arn:aws:s3:::bkt_logs/*"
  ],
  "Effect": "Allow",
  "Sid": "AllowS3AccessForGlueToReadLogs"
}
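As an added example (not code from the question or the answer), a small Node.js check that lints an IAM statement list for exactly this mistake: S3 actions that IAM evaluates against the bucket ARN (s3:ListBucket, s3:GetBucketLocation) granted only on an object ARN ending in /*. The bucket-level action list is my assumption about what Athena and Glue need, derived from the answer; run against the question's two S3 statements it flags bkt_logs, and it shows the same object-only gap for athena-query-results.

```javascript
// Added example: lint IAM statements for S3 grants that cover only "bucket/*" (objects)
// while bucket-level actions need the bare bucket ARN. Not part of the original post.

// Bucket-level actions (assumed from the answer) that IAM matches against the bucket ARN.
const BUCKET_LEVEL_ACTIONS = ['s3:ListBucket', 's3:GetBucketLocation'];

// Turn an IAM wildcard pattern ("s3:Get*", "arn:aws:s3:::bkt_logs/*") into a RegExp.
function iamPattern(pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')   // escape regex metacharacters
    .replace(/\*/g, '.*')                  // IAM "*" matches any run of characters
    .replace(/\?/g, '.');                  // IAM "?" matches a single character
  return new RegExp(`^${escaped}$`, 'i');  // action names are case-insensitive
}

const asArray = (v) => (Array.isArray(v) ? v : [v]);

// Returns the bucket-level actions for `bucket` that no Allow statement grants on the
// bucket ARN itself (a "bucket/*" resource never matches the bare bucket ARN).
function missingBucketLevelGrants(statements, bucket) {
  const bucketArn = `arn:aws:s3:::${bucket}`;
  return BUCKET_LEVEL_ACTIONS.filter((action) =>
    !statements.some((stmt) =>
      stmt.Effect === 'Allow' &&
      asArray(stmt.Action).some((a) => iamPattern(a).test(action)) &&
      asArray(stmt.Resource).some((r) => iamPattern(r).test(bucketArn))));
}

// The two S3 statements from the question: both grant only object-level resources.
const originalStatements = [
  { Sid: 'AllowS3AccessToSaveAndReadQueryResults', Effect: 'Allow',
    Action: ['s3:Get*', 's3:List*', 's3:PutObject', 's3:DeleteObject'],
    Resource: 'arn:aws:s3:::athena-query-results/*' },
  { Sid: 'AllowS3AccessForGlueToReadLogs', Effect: 'Allow',
    Action: ['s3:*'], Resource: 'arn:aws:s3:::bkt_logs/*' },
];

// The answer's fix: the same statement with the bare bucket ARN added.
const fixedStatements = [
  originalStatements[0],
  { Sid: 'AllowS3AccessForGlueToReadLogs', Effect: 'Allow',
    Action: ['s3:*'], Resource: ['arn:aws:s3:::bkt_logs', 'arn:aws:s3:::bkt_logs/*'] },
];

console.log('bkt_logs (original):', missingBucketLevelGrants(originalStatements, 'bkt_logs'));
console.log('bkt_logs (fixed):   ', missingBucketLevelGrants(fixedStatements, 'bkt_logs'));
console.log('query results bucket:', missingBucketLevelGrants(fixedStatements, 'athena-query-results'));
```

The third call shows that the fixed policy still grants only object-level access on the results bucket; if the same error appears on the results path, the same bare-bucket-ARN fix applies there.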