AWS-允许在S3路径上拒绝
我正在调用一个lambda函数,该功能正在从AWS雅典娜查询,并且在执行查询期间,我会遇到此错误: 在S3路径上拒绝了权限:S3:// BKT_LOGS/APIS/2020/2020/16/16/14
注意:S3存储桶是一个加密的存储桶,并已附加了访问KMS键的策略。
这些是我对lambda功能的许可。
[
{
"Action": [
"s3:Get*",
"s3:List*",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::athena-query-results/*",
"Effect": "Allow",
"Sid": "AllowS3AccessToSaveAndReadQueryResults"
},
{
"Action": [
"s3:*"
],
"Resource": "arn:aws:s3:::bkt_logs/*",
"Effect": "Allow",
"Sid": "AllowS3AccessForGlueToReadLogs"
},
{
"Action": [
"athena:GetQueryExecution",
"athena:StartQueryExecution",
"athena:StopQueryExecution",
"athena:GetWorkGroup",
"athena:GetDatabase",
"athena:BatchGetQueryExecution",
"athena:GetQueryResults",
"athena:GetQueryResultsStream",
"athena:GetTableMetadata"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "AllowAthenaAccess"
},
{
"Action": [
"glue:GetTable",
"glue:GetDatabase",
"glue:GetPartitions"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "AllowGlueAccess"
},
{
"Action": [
"kms:CreateGrant",
"kms:DescribeKey"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "AllowKMSAccess"
}
]
我正在使用Lambda查询的代码段。
const queryRequest = {
QueryExecutionContext: {
Database: this.databaseName
},
QueryString: query,
ResultConfiguration: {
OutputLocation: 's3://athena-query-results'
},
WorkGroup: this.workgroup
};
const queryExecutionId = await this.athenaService.startQueryExecution(queryRequest);
Bucket BKT_LOGS是AWS胶水爬网手填充我正在查询的Athena表的存储桶。
我在这里错过了什么吗?
I am invoking a lambda function which is querying from AWS Athena and during execution of the query I am getting this error:Permission denied on S3 path: s3://bkt_logs/apis/2020/12/16/14
Note: S3 bucket is an encrypted bucket and have attached policy to access KMS key.
These are the permission that I have given to the lambda function.
[
{
"Action": [
"s3:Get*",
"s3:List*",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::athena-query-results/*",
"Effect": "Allow",
"Sid": "AllowS3AccessToSaveAndReadQueryResults"
},
{
"Action": [
"s3:*"
],
"Resource": "arn:aws:s3:::bkt_logs/*",
"Effect": "Allow",
"Sid": "AllowS3AccessForGlueToReadLogs"
},
{
"Action": [
"athena:GetQueryExecution",
"athena:StartQueryExecution",
"athena:StopQueryExecution",
"athena:GetWorkGroup",
"athena:GetDatabase",
"athena:BatchGetQueryExecution",
"athena:GetQueryResults",
"athena:GetQueryResultsStream",
"athena:GetTableMetadata"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "AllowAthenaAccess"
},
{
"Action": [
"glue:GetTable",
"glue:GetDatabase",
"glue:GetPartitions"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "AllowGlueAccess"
},
{
"Action": [
"kms:CreateGrant",
"kms:DescribeKey"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "AllowKMSAccess"
}
]
Code snippet that I am using for querying from lambda.
const queryRequest = {
QueryExecutionContext: {
Database: this.databaseName
},
QueryString: query,
ResultConfiguration: {
OutputLocation: 's3://athena-query-results'
},
WorkGroup: this.workgroup
};
const queryExecutionId = await this.athenaService.startQueryExecution(queryRequest);
The bucket bkt_logs is the bucket which is used by AWS Glue Crawlers to populate Athena table on which I am querying on.
Am I missing something here?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我能够解决这个问题。
雅典娜需要访问水桶以及文件夹和子文件夹。
因此,在更新我的S3策略以允许访问水桶后,我可以解决问题。
I was able to resolve the issue.
Athena requires access to the bucket and also to the folders and subfolders.
So, after updating my S3 policy to allow access to the bucket I was able to resolve the issue.