When I try to run the following query via the Athena JDBC Driver:
describe gitlab.issues
I get the following error:
[Simba]AthenaJDBC An error has been thrown from the AWS Athena client. FAILED: SemanticException Unable to fetch table gitlab. Insufficient Lake Formation permission(s) on gitlab (Service: AmazonDataCatalog; Status Code: 400; Error Code: AccessDeniedException; Request ID: be6aeb1b-fc06-410d-9723-2df066307b35; Proxy: null) [Execution ID: a2534d22-c4df-49e9-8515-80224779bf01]
The following query, however, works:
select * from gitlab.issues limit 10
The role that is used has the DESCRIBE permission on the gitlab database and the DESCRIBE and SELECT permissions on the issues table. It also has the following IAM permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"athena:BatchGetNamedQuery",
"athena:BatchGetQueryExecution",
"athena:CreatePreparedStatement",
"athena:DeletePreparedStatement",
"athena:GetDataCatalog",
"athena:GetDatabase",
"athena:GetNamedQuery",
"athena:GetPreparedStatement",
"athena:GetQueryExecution",
"athena:GetQueryResults",
"athena:GetQueryResultsStream",
"athena:GetTableMetadata",
"athena:GetWorkGroup",
"athena:ListDatabases",
"athena:ListNamedQueries",
"athena:ListPreparedStatements",
"athena:ListDataCatalogs",
"athena:ListEngineVersions",
"athena:ListQueryExecutions",
"athena:ListTableMetadata",
"athena:ListTagsForResource",
"athena:ListWorkGroups",
"athena:StartQueryExecution",
"athena:StopQueryExecution",
"athena:UpdatePreparedStatement"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"glue:BatchGetCustomEntityTypes",
"glue:BatchGetPartition",
"glue:GetCatalogImportStatus",
"glue:GetColumnStatisticsForPartition",
"glue:GetColumnStatisticsForTable",
"glue:GetCustomEntityType",
"glue:GetDatabase",
"glue:GetDatabases",
"glue:GetPartition",
"glue:GetPartitionIndexes",
"glue:GetPartitions",
"glue:GetSchema",
"glue:GetSchemaByDefinition",
"glue:GetSchemaVersion",
"glue:GetSchemaVersionsDiff",
"glue:GetTable",
"glue:GetTableVersion",
"glue:GetTableVersions",
"glue:GetTables",
"glue:GetUserDefinedFunction",
"glue:GetUserDefinedFunctions",
"glue:ListCustomEntityTypes",
"glue:ListSchemaVersions",
"glue:ListSchemas",
"glue:QuerySchemaVersionMetadata",
"glue:SearchTables"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Condition": {
"ForAnyValue:StringEquals": {
"aws:CalledVia": "athena.amazonaws.com"
}
},
"Action": [
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::aws-athena-query-results-123456789012-eu-west-1",
"arn:aws:s3:::aws-athena-query-results-123456789012-eu-west-1/*",
"arn:aws:s3:::aws-athena-federation-spill-123456789012-eu-west-1",
"arn:aws:s3:::aws-athena-federation-spill-123456789012-eu-west-1/*"
],
"Effect": "Allow"
},
{
"Action": [
"lakeformation:CancelTransaction",
"lakeformation:CommitTransaction",
"lakeformation:DescribeResource",
"lakeformation:DescribeTransaction",
"lakeformation:ExtendTransaction",
"lakeformation:GetDataAccess",
"lakeformation:GetQueryState",
"lakeformation:GetQueryStatistics",
"lakeformation:GetTableObjects",
"lakeformation:GetWorkUnitResults",
"lakeformation:GetWorkUnits",
"lakeformation:StartQueryPlanning",
"lakeformation:StartTransaction"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Condition": {
"ForAnyValue:StringEquals": {
"aws:CalledVia": "athena.amazonaws.com"
}
},
"Action": "lambda:InvokeFunction",
"Resource": "arn:aws:lambda:*:*:function:athena-federation-*",
"Effect": "Allow"
},
{
"Condition": {
"ForAnyValue:StringEquals": {
"aws:CalledVia": "athena.amazonaws.com"
}
},
"Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"],
"Resource": "*",
"Effect": "Allow"
}
]
}
Even if I make the role a Lake Formation Admin and Database Creator, assign Super permissions on the table and the database, and attach the AdministratorAccess IAM policy to the role, the query still fails with the same error.