The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access (Query Id: b2c74c7e-21ed-4375-8712-cd1579eab9a7)


I tried to set up cross-account Athena access. I could see the database in Lake Formation, Glue and Athena under the target account. At the beginning I didn't see any tables in the target Athena console. After I did something in the Lake Formation console (target account) I could see a table in the target Athena console and query it successfully. But I could not see the other tables from the same database even though I tried many ways. I always got the error below, even though I gave KMS access everywhere (both the KMS key policy and the IAM role) or turned off KMS encryption in Glue. I don't know what the actual reason is. Below is an example of the error message:

The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access. (Service: AWSKMS; Status Code: 400; Error Code: AccessDeniedException; Request ID: cb9a754f-fc1c-414d-b526-c43fa96d3c13; Proxy: null) (Service: AWSGlue; Status Code: 400; Error Code: GlueEncryptionException; Request ID: 0c785fdf-e3f7-45b2-9857-e6deddecd6f9; Proxy: null) This query ran against the "xxx_lakehouse" database, unless qualified by the query. Please post the error message on our forum or contact customer support with Query Id: b2c74c7e-21ed-4375-8712-cd1579eab9a7.

I have already added the permissions pointed out in https://repost.aws/knowledge-center/cross-account-access-denied-error-s3? Does anyone know how to fix the error and see the cross-account tables in Athena? Thank you very much.

asked a year ago · 2037 views
1 Answer
Accepted Answer

Hi, have you created the relevant resource links in the Lake Formation console of your target account? If not yet done, please follow the given documentation and set up the shared tables in your target account. In case both the source S3 bucket and the source table in Glue are encrypted with different KMS keys, then permissions must be given to both of the keys. If both belong to different accounts, then you will have to provide both the resource-based and the identity-based permissions.

In my experience, the error you are seeing arises when the key policy of the KMS key is not properly defined such that it allows cross-account access to the key. Thus, please verify it once.

It might be better if you reach out to a Premium Support engineer of the Security team, as they will be able to have a look at your policies and find out the exact root cause of the error.

AWS
SUPPORT ENGINEER
Chaitu
answered a year ago
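As an added example (not from the answer above, and not AWS code), here is a small offline check of the resource-based half the answer describes: given a KMS key policy document, it lists which of the KMS operations a cross-account reader needs are not granted to the consumer account, honouring explicit Deny and action wildcards. The account IDs and the policy are constructed placeholders; the check ignores Condition blocks and does not evaluate the consumer role's identity-based policy, which must be verified separately, and it should be run against the policy of each key involved (catalog key and S3 data key).

```python
import fnmatch
import json

# Constructed placeholder account IDs (not values from the post).
SOURCE_ACCOUNT = "111111111111"   # account that owns the key and the catalog
TARGET_ACCOUNT = "222222222222"   # account whose Athena runs the query

# Constructed example key policy: owner keeps full control, consumer account
# root is allowed only what Glue/Athena need to read encrypted metadata/data.
KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Owner account full access", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{SOURCE_ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Consumer account may decrypt", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{TARGET_ACCOUNT}:root"},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
    ],
})

# Operations a cross-account reader of a KMS-encrypted catalog/bucket needs.
REQUIRED_ACTIONS = ("kms:Decrypt", "kms:DescribeKey")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, account_id):
    """True if the statement's Principal covers `account_id` (any of its principals)."""
    if principal == "*":
        return True
    entries = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return any(p in ("*", account_id) or f":{account_id}:" in p for p in entries)


def missing_cross_account_actions(policy_json, account_id, actions=REQUIRED_ACTIONS):
    """Return the subset of `actions` the key policy does not grant to `account_id`.
    An explicit Deny overrides any Allow; Condition blocks are not evaluated."""
    allowed, denied = set(), set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if not _principal_matches(stmt.get("Principal", {}), account_id):
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        hits = {a for a in actions
                if any(fnmatch.fnmatchcase(a.lower(), pat) for pat in patterns)}
        (denied if stmt.get("Effect") == "Deny" else allowed).update(hits)
    return sorted(set(actions) - (allowed - denied))


if __name__ == "__main__":
    print("missing for consumer:", missing_cross_account_actions(KEY_POLICY, TARGET_ACCOUNT))
    print("missing for stranger:", missing_cross_account_actions(KEY_POLICY, "333333333333"))
```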
  • Hi Chaitu, sorry for the late response. I did create the resource links and the key policy was also correctly defined. But it was caused by a KMS key issue, because originally my S3 buckets were encrypted with S3-SSE (which does not support cross-account access) and I switched to KMS encryption after I granted the cross-account access through Lake Formation. I finally destroyed the infrastructure and redeployed, and everything worked. I felt that I should change the S3 encryption from S3-SSE to KMS encryption before I implement the cross-account access. Thank you very much.
