"Permission denied" error when running a query with Athena
Want to Achieve
I would like to execute a SELECT statement in AWS Athena, but I get the following error.
The Glue catalog is ready, the metadata is ready, and the DDL can be displayed.
I would appreciate it if you could tell me how to make the query work properly.
SELECT * FROM "table_name" limit 10;
↓
Permission denied on S3 path: s3://backet_name/falder_name/db_name/table_name/parquet_name
error_message
"errorCode":"AccessDenied",
"errorMessage":"User: arn:aws:sts::<Account_ID>:assumed-role/AWSServiceRoleForLakeFormationDataAccess/AWSLF-00-AT-<Account_ID>-OSSm3ywcAP is not authorized to perform: kms:Decrypt on resource: arn:aws:kms:ap-northeast-1:<Account_ID>:key/○○ because no resource-based policy allows the kms:Decrypt action"
Environment
On AWS
RDS snapshots are exported to S3 and crawled by Glue to create a data catalog.
In addition, we are using AWS Lake Formation to manage the data.
Setup
AWSServiceRoleForLakeFormationDataAccess
"AWSServiceRoleForLakeFormationDataAccess" is set as the crawler's service role.
The policies attached to this role are:
・AWSGlueServiceRole
・AmazonS3ReadOnlyAccess
・kms-decrypt-policy
・LakeFormationGetPolicy
kms-decrypt-policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "*"
        }
    ]
}
LakeFormationGetPolicy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "lakeformation:GetResourceLFTags",
                "lakeformation:GetDataAccess",
                "lakeformation:ListLFTags",
                "lakeformation:GetLFTag"
            ],
            "Resource": "*"
        }
    ]
}
Athena execution user (datalake_user)
Attached policies
・AmazonAthenaFullAccess
・AmazonS3FullAccess
・KMSFullAccessPolicy
Lake Formation > Permissions
LF-Tags
AWS Lake Formation > Grant permissions > Grant data permissions
AWS Lake Formation > Databases > db_sample_for_athena
Comments (1)
Attaching KMS to AWSServiceRoleForLakeFormationDataAccess solved the problem.
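The error message in the question is explicit about what is missing: "no resource-based policy allows the kms:Decrypt action". For a KMS key, the resource-based policy is the key policy, and an identity policy such as the kms-decrypt-policy above (kms:Decrypt on Resource "*") only takes effect if the key policy either names the role or delegates to IAM through the account root principal. The following script is an added example, not code from the post, and it is a simplified model of that decision for a same-account principal (it ignores Condition blocks, KMS grants and partial-wildcard principals, so it is a reasoning aid rather than an authorization oracle). The account id, key id, KeyAdmin role and all sample policies are constructed placeholders.

```python
"""Model why an IAM identity policy alone does not grant kms:Decrypt.

Added example, not code from the original post. Simplified: same-account
principal only, no Condition blocks, no KMS grants.
"""
import fnmatch
import re

ACCOUNT = "111122223333"  # constructed placeholder account id
ROLE_NAME = "AWSServiceRoleForLakeFormationDataAccess"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/{ROLE_NAME}"
# Same shape as the principal in the post's error: an STS assumed-role session.
SESSION_ARN = f"arn:aws:sts::{ACCOUNT}:assumed-role/{ROLE_NAME}/AWSLF-00-AT-session"
KEY_ARN = f"arn:aws:kms:ap-northeast-1:{ACCOUNT}:key/00000000-0000-0000-0000-000000000000"


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Policy-style wildcard match (kms:* matches kms:Decrypt)."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def role_arn_for(principal_arn):
    """Map an assumed-role session ARN to the IAM role ARN a key policy names.
    Assumption: a statement naming the role covers the role's sessions."""
    m = re.fullmatch(r"arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+", principal_arn)
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}" if m else principal_arn


def _principals(stmt):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS")) if isinstance(principal, dict) else []


def key_policy_effect(key_policy, principal_arn, action):
    """Return 'deny', 'direct', 'delegated' or None for the key policy alone."""
    role_arn = role_arn_for(principal_arn)
    root_arn = f"arn:aws:iam::{role_arn.split(':')[4]}:root"
    result = None
    for stmt in key_policy.get("Statement", []):
        if not _matches(_as_list(stmt.get("Action")), action):
            continue
        principals = _principals(stmt)
        names_role = "*" in principals or role_arn in principals
        names_root = root_arn in principals
        if stmt.get("Effect") == "Deny" and (names_role or names_root):
            return "deny"  # explicit deny wins over any allow
        if stmt.get("Effect") != "Allow":
            continue
        if names_role:
            result = "direct"  # the key policy itself grants the role
        elif names_root and result is None:
            result = "delegated"  # "Enable IAM User Permissions" style statement
    return result


def identity_policy_allows(identity_policy, action, resource_arn):
    """True when an Allow statement covers action and resource and no Deny does."""
    allowed = False
    for stmt in identity_policy.get("Statement", []):
        if not _matches(_as_list(stmt.get("Action")), action):
            continue
        if not _matches(_as_list(stmt.get("Resource")), resource_arn):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed


def can_use_key(key_policy, identity_policy, principal_arn, action="kms:Decrypt"):
    """Combine key policy and identity policy; returns (allowed, reason)."""
    effect = key_policy_effect(key_policy, principal_arn, action)
    if effect == "deny":
        return False, "key policy explicitly denies the action"
    if effect == "direct":
        return True, "key policy names the role directly"
    if effect == "delegated":
        if identity_policy_allows(identity_policy, action, KEY_ARN):
            return True, "key policy delegates to IAM and the identity policy allows it"
        return False, "key policy delegates to IAM but the identity policy does not allow it"
    return False, "no resource-based policy allows the action; identity policy alone is not enough"


# --- constructed sample policies -------------------------------------------
IDENTITY_KMS_DECRYPT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*"}]}  # like kms-decrypt-policy
NO_IDENTITY_GRANT = {"Version": "2012-10-17", "Statement": []}
ADMIN_STMT = {"Sid": "AllowKeyAdministration", "Effect": "Allow", "Action": "kms:*",
              "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/KeyAdmin"}, "Resource": "*"}
KEY_POLICY_ADMIN_ONLY = {"Version": "2012-10-17", "Statement": [ADMIN_STMT]}
KEY_POLICY_WITH_LF_ROLE = {"Version": "2012-10-17", "Statement": [ADMIN_STMT, {
    "Sid": "AllowLakeFormationDataAccessDecrypt", "Effect": "Allow",
    "Principal": {"AWS": ROLE_ARN}, "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]}
KEY_POLICY_DELEGATING = {"Version": "2012-10-17", "Statement": [{
    "Sid": "EnableIAMUserPermissions", "Effect": "Allow", "Action": "kms:*",
    "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}, "Resource": "*"}]}

if __name__ == "__main__":
    cases = [("admin-only key policy + identity Decrypt", KEY_POLICY_ADMIN_ONLY, IDENTITY_KMS_DECRYPT),
             ("key policy names the LF role", KEY_POLICY_WITH_LF_ROLE, NO_IDENTITY_GRANT),
             ("delegating key policy + identity Decrypt", KEY_POLICY_DELEGATING, IDENTITY_KMS_DECRYPT),
             ("delegating key policy, no identity grant", KEY_POLICY_DELEGATING, NO_IDENTITY_GRANT)]
    for label, key, ident in cases:
        print(f"{label}: {can_use_key(key, ident, SESSION_ARN)}")
```

The first case reproduces the situation in the question: the identity policy allows kms:Decrypt on every key, yet the check fails because nothing in the key policy mentions the Lake Formation role or the account root. The second case is the shape of the fix the comment describes, with the grant scoped to the one role and the two actions it needs rather than kms:* on "*".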