我正在调用从AWS雅典娜查询的lambda函数,在执行查询期间,我得到了这个错误:Permission denied on S3 path: s3://bkt_logs/apis/2020/12/16/14
注意:S3桶是加密的桶,并且附加了访问KMS密钥的策略。
这些是我给lambda函数的权限。
[
{
"Action": [
"s3:Get*",
"s3:List*",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::athena-query-results/*",
"Effect": "Allow",
"Sid": "AllowS3AccessToSaveAndReadQueryResults"
},
{
"Action": [
"s3:*"
],
"Resource": "arn:aws:s3:::bkt_logs/*",
"Effect": "Allow",
"Sid": "AllowS3AccessForGlueToReadLogs"
},
{
"Action": [
"athena:GetQueryExecution",
"athena:StartQueryExecution",
"athena:StopQueryExecution",
"athena:GetWorkGroup",
"athena:GetDatabase",
"athena:BatchGetQueryExecution",
"athena:GetQueryResults",
"athena:GetQueryResultsStream",
"athena:GetTableMetadata"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "AllowAthenaAccess"
},
{
"Action": [
"glue:GetTable",
"glue:GetDatabase",
"glue:GetPartitions"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "AllowGlueAccess"
},
{
"Action": [
"kms:CreateGrant",
"kms:DescribeKey"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "AllowKMSAccess"
}
]
用于从lambda查询的代码片段。
const queryRequest = {
QueryExecutionContext: {
Database: this.databaseName
},
QueryString: query,
ResultConfiguration: {
OutputLocation: 's3://athena-query-results'
},
WorkGroup: this.workgroup
};
const queryExecutionId = await this.athenaService.startQueryExecution(queryRequest);
bucketbkt_logs是AWS Glue Crawlers用来填充我正在查询的Athena表的bucket。
我错过了什么吗?
我可以解决这个问题了。
Athena需要访问bucket以及文件夹和子文件夹。因此,在更新S3策略以允许访问桶之后,我就能够解决这个问题了。
{
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::bkt_logs",
"arn:aws:s3:::bkt_logs/*"
],
"Effect": "Allow",
"Sid": "AllowS3AccessForGlueToReadLogs"
}