Using Athena to query AWS Lake Formation database

Question

I have created a database using AWS Lake Formation, and populated it with two tables created using Glue crawlers. The tables seem to be created correctly (all of the columns have been properly mapped out by the crawlers).

However, then I try to query them using AWS Athena, I am getting the following error:
`HIVE_UNKNOWN_ERROR: com.amazonaws.services.lakeformation.model.InvalidInputException: Unsupported vendor for Glue supported principal`

I assume this has to do with the permissions associated with Lake Formation, but I have given the IAM User all possible permissions I could think of in the Lake Formation Console Permissions section.

Does anyone know what the problem could be here?

Answer

Hi,

Please refer to this article
https://docs.aws.amazon.com/lake-formation/latest/dg/access-control-fine-grained.html

The default method for backwards compatibility with AWS Glue is as follows:

“Open means that the special permission Super is granted to the group IAMAllowedPrincipals, where IAMAllowedPrincipals is automatically created and includes any IAM users and roles that are allowed access to your Data Catalog resources by your IAM policies, and the Super permission enables a principal to perform every supported Lake Formation operation on the database or table on which it is granted.”
By default, Lake Formation permissions are made backwards compatible and transparent to those who do not want to use LF. Therefore, it works as if there is no LF. This was achieved by using the special IAM Group and the root user not being a part of that special group “IAM_ALLOWED_PRINCIPALS” created the error.

Hope this helps.

Using Athena to query AWS Lake Formation database

Relevant content