Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen

How do I resolve Athena cross-account issues?

Lesedauer: 4 Minute
0

I want to resolve Amazon Athena cross-account query issues with AWS Glue Data Catalog and AWS Lake Formation shared resources.

Resolution

Follow these troubleshooting steps for your Data Catalog or Lake Formation cross-account shared resources.

Data Catalog cross-account shared resources

If you used the Athena cross-account Data Catalog feature to access a catalog from another account, you might get "access denied" errors. For example, you might get "access denied" errors with Data Catalog API actions like GetDatabases or GetTable. You might also get "access denied" errors if you grant access to users from another account to an Amazon Simple Storage Service (Amazon S3) bucket.

This is because cross-account queries require access to the Data Catalog and the Amazon S3 bucket from an account other than your own.

Follow these steps to check your Data Catalog and Amazon S3 permissions.

Data Catalog permissions

Follow the steps to grant Data Catalog access to the borrower account from the owner. Then, grant AWS Identity and Access Management (IAM) policy permissions to give access to the borrower role for the owner account's Data Catalog resources.

For more information, see How can I provide cross-account access to resources in the AWS Glue Data Catalog?

Amazon S3 permissions

Follow the steps to use a S3 bucket policy to grant cross-account access to users to run queries. For more information, see How do I provide cross-account access to objects that are in Amazon S3 buckets?

For S3 buckets encrypted with a custom AWS Key Management Service (AWS KMS) key, additional permissions might be required. Follow the steps to grant cross-account access to a bucket encrypted with a custom AWS KMS key. For more information, see Why are cross-account users getting Access Denied errors when they try to access S3 objects encrypted by a custom AWS KMS key?

Lake Formation cross-account shared resources

Follow these steps to troubleshoot the Lake Formation cross-account error message that you received.

"Insufficient Lake Formation permissions: Illegal combination"

This error occurred because a user shared a Data Catalog resource when Lake Formation permissions were granted to the IAMAllowedPrincipals group for the resource. To resolve this error, the user must revoke all Lake Formation permissions from IAMAllowedPrincipals before the resource is shared.

"HIVE_METASTORE_ERROR: Table is missing storage descriptor"

This error occurred because permissions haven't been granted on the target table. Permissions granted on a resource link don't grant permissions on the linked database or target table. Follow these steps to explicitly grant permissions on the target table.

  1. Open the Lake Formation console.
  2. In the navigation pane, choose Tables.
  3. In Tables, choose your resource link.
  4. Choose Actions, and then choose Grant on target.
  5. In Grant data lake permissions, grant the permission SELECT and DESCRIBE and choose Grant.

For more information, see How resource links work in Lake Formation.

"Permission denied on S3 path"

This error might occur when an IAM role doesn't have permissions to read objects from the S3 bucket. For example, if an AWS KMS key is used to query encrypted data that belongs to an owner account. In this scenario, the error occurs if the IAM role doesn't have permissions to decrypt data in another account.

If you used the default AWSServiceRoleForLakeFormationDataAccess service-linked role, create a custom IAM role. Make sure that the IAM role has the required AWS KMS key permissions to share with another account. Add the key policy to the owner account. Then re-register the bucket in Lake Formation with the new IAM role.

For more information, see Troubleshooting Lake Formation issues.

Related information

Why doesn't my MSCK REPAIR TABLE query add partitions to the AWS Glue Data Catalog?

How can I troubleshoot Lake Formation permission issues in Athena?

Query cross-account AWS Glue data catalogs using Amazon Athena

AWS OFFICIAL
AWS OFFICIALAktualisiert vor 9 Monaten