'AWS - Permission denied on S3 Path
I am invoking a lambda function which is querying from AWS Athena and during execution of the query I am getting this error:
Permission denied on S3 path: s3://bkt_logs/apis/2020/12/16/14
Note: S3 bucket is an encrypted bucket and have attached policy to access KMS key.
These are the permission that I have given to the lambda function.
[
{
"Action": [
"s3:Get*",
"s3:List*",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::athena-query-results/*",
"Effect": "Allow",
"Sid": "AllowS3AccessToSaveAndReadQueryResults"
},
{
"Action": [
"s3:*"
],
"Resource": "arn:aws:s3:::bkt_logs/*",
"Effect": "Allow",
"Sid": "AllowS3AccessForGlueToReadLogs"
},
{
"Action": [
"athena:GetQueryExecution",
"athena:StartQueryExecution",
"athena:StopQueryExecution",
"athena:GetWorkGroup",
"athena:GetDatabase",
"athena:BatchGetQueryExecution",
"athena:GetQueryResults",
"athena:GetQueryResultsStream",
"athena:GetTableMetadata"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "AllowAthenaAccess"
},
{
"Action": [
"glue:GetTable",
"glue:GetDatabase",
"glue:GetPartitions"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "AllowGlueAccess"
},
{
"Action": [
"kms:CreateGrant",
"kms:DescribeKey"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "AllowKMSAccess"
}
]
Code snippet that I am using for querying from lambda.
const queryRequest = {
QueryExecutionContext: {
Database: this.databaseName
},
QueryString: query,
ResultConfiguration: {
OutputLocation: 's3://athena-query-results'
},
WorkGroup: this.workgroup
};
const queryExecutionId = await this.athenaService.startQueryExecution(queryRequest);
The bucket bkt_logs is the bucket which is used by AWS Glue Crawlers to populate Athena table on which I am querying on.
Am I missing something here?
amazon-web-services
amazon-s3Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|