Question
I am trying to query an Athena view from my Lambda code. I created an Athena table for S3 files that are in a different account. The Athena query editor is giving me the error below:
```
Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied;
```
I tried accessing the Athena view from my Lambda code. I created a Lambda execution role and allowed this role in the bucket policy of the other account's S3 bucket as well, like below:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::2222222222:role/BAccountRoleFullAccess"
      },
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::s3_bucket/*"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::111111111:role/A-Role",
          "arn:aws:iam::111111111:role/B-Role"
        ]
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::s3_bucket",
        "arn:aws:s3:::s3_bucket/*"
      ]
    }
  ]
}
```
From Lambda, I get the error below:
```
'Status': {'State': 'FAILED', 'StateChangeReason': 'com.amazonaws.services.s3.model.AmazonS3Exception:
Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 3A8953784EC73B17;
S3 Extended Request ID: LfQZdTCj7sSQWcBqVNhtHrDEnJuGxgJQxvillSHznkWIr8t5TVzSaUwNSdSNh+YzDUj+S6aOUyI=),
S3 Extended Request ID: LfQZdTCj7sSQWcBqVNhtHrDEnJuGxgJQxvillSHznkWIr8t5TVzSaUwNSdSNh+YzDUj+S6aOUyI=
(Path: s3://s3_bucket/Input/myTestFile.csv)'
```
This Lambda function is using the execution role arn:aws:iam::111111111:role/B-Role, which has full access to Athena and S3.
Someone please guide me.
Answer 1:
To reproduce this situation, I did the following:
- In Account-A, created an Amazon S3 bucket (Bucket-A) and uploaded a CSV file
- In Account-B, created an IAM Role (Role-B) with S3 and Athena permissions
- Turned OFF Block Public Access on Bucket-A
- Added a bucket policy to Bucket-A that references Role-B:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[ACCOUNT-B]:role/role-b"
      },
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-a",
        "arn:aws:s3:::bucket-a/*"
      ]
    }
  ]
}
```
- In Account-B, manually defined a table in the Amazon Athena console
- Ran a query on the Athena table. As expected, received Access Denied because I was using an IAM User to access the console, not the IAM Role defined in the Bucket Policy on Bucket-A
- Created an AWS Lambda function in Account-B that uses Role-B:
```python
import boto3
import time

def lambda_handler(event, context):
    athena_client = boto3.client('athena')
    # Start the query; Athena writes the results to the output location in Account-B
    query1 = athena_client.start_query_execution(
        QueryString='SELECT * FROM foo',
        ResultConfiguration={'OutputLocation': 's3://my-athena-out-bucket/'}
    )
    # Crude wait for the query to finish (a production handler would poll get_query_execution)
    time.sleep(10)
    query2 = athena_client.get_query_results(QueryExecutionId=query1['QueryExecutionId'])
    print(query2)
```
- Ran the Lambda function. It successfully returned data from the CSV file.
Please compare your configurations against the above steps that I took. Hopefully you will find a difference that will enable your cross-account access by Athena.
Reference: Cross-account Access - Amazon Athena
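An offline check of the bucket policy, added here as example code (it is not from the question or the answer): it reports which of the S3 actions Athena needs on the table location (ListBucket on the bucket ARN, GetObject on the objects) a bucket policy does not grant to a given role. Run against the policy from the question, it shows B-Role is fully covered while the first statement's role lacks ListBucket because its Resource omits the bucket ARN, which is why the answer's policy lists both ARNs. It evaluates Allow statements only and ignores Deny, Condition and the role's own IAM policy, so a clean result is necessary but not sufficient.

```python
import re

# Actions Athena needs on a table location: list the bucket, read the objects.
ATHENA_REQUIRED = {
    "arn:aws:s3:::s3_bucket": {"s3:ListBucket"},
    "arn:aws:s3:::s3_bucket/*": {"s3:GetObject"},
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _glob(pattern, value):
    # IAM-style wildcard: '*' matches any run of characters, case-insensitive ('?' not handled).
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def _names_principal(statement, principal_arn):
    principal = statement.get("Principal", {})
    if principal == "*":
        return True
    return any(p in ("*", principal_arn) for p in _as_list(principal.get("AWS", [])))

def missing_grants(policy, principal_arn, required=ATHENA_REQUIRED):
    """Return {resource: required actions that no Allow statement grants to principal_arn}."""
    missing = {}
    for resource, actions in required.items():
        granted = set()
        for st in policy["Statement"]:
            if st.get("Effect") != "Allow" or not _names_principal(st, principal_arn):
                continue
            if not any(_glob(r, resource) for r in _as_list(st.get("Resource", []))):
                continue
            granted |= {a for a in actions
                        if any(_glob(p, a) for p in _as_list(st.get("Action", [])))}
        if actions - granted:
            missing[resource] = actions - granted
    return missing

# Constructed sample with the shape of the bucket policy from the question.
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::2222222222:role/BAccountRoleFullAccess"},
     "Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject"],
     "Resource": "arn:aws:s3:::s3_bucket/*"},
    {"Effect": "Allow",
     "Principal": {"AWS": ["arn:aws:iam::111111111:role/A-Role",
                           "arn:aws:iam::111111111:role/B-Role"]},
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::s3_bucket", "arn:aws:s3:::s3_bucket/*"]}]}

if __name__ == "__main__":
    for role in ("arn:aws:iam::2222222222:role/BAccountRoleFullAccess",
                 "arn:aws:iam::111111111:role/B-Role"):
        print(role, "->", missing_grants(QUESTION_POLICY, role) or "ok")
```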
Source: https://stackoverflow.com/questions/60462501/access-denied-while-querying-s3-files-from-aws-athena-within-lambda-in-different