Amazon Athena "Error opening Hive split" Access Denied error



I am trying to run a query in Amazon Athena from PHP code:

    require 'vendor/autoload.php'; // Composer autoloader for the AWS SDK for PHP

    // Athena client with static credentials (placeholders)
    $client = \Aws\Athena\AthenaClient::factory(array(
        'version' => 'latest',
        'region' => 'us-east-1',
        'credentials' => array(
            'key' => '<KEY>',
            'secret' => '<SECRET>'
        )
    ));
    // Start the query; results are written to the S3 output location with SSE-S3
    $result1 = $client->StartQueryExecution(array(
        'QueryExecutionContext' => array('Database' => 'default'),
        'QueryString' => "select * from logs where date between TIMESTAMP '2020-02-27 00:00:00' and TIMESTAMP '2020-02-27 23:59:59' limit 100",
        'ResultConfiguration' => array(
            'EncryptionConfiguration' => array('EncryptionOption' => 'SSE_S3'),
            'OutputLocation' => 's3://bucket_name/temp'
        )
    ));

and got this error:

Error opening Hive split s3:///data-mining/logs/2019/07/12/07/Log-6-2019-07-12-07-35-01-a1c6d0a9-27e5-458b-b72a-8942a6d2b261.parquet (offset=0, length=775977): com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 4A00D465F919D8AB; S3 Extended Request ID: …), S3 Extended Request ID: ... (Path: s3://<bucket_name>/data-mining/logs/2019/07/12/07/Log-6-2019-07-12-07-35-01-a1c6d0a9-27e5-458b-b72a-8942a6d2b261.parquet)

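I can confirm the following:

  1. I can run the same query from the Athena console without any problems (using the root user).
  2. I execute the query as a user that has these permissions: AmazonAthenaFullAccess, AmazonS3FullAccess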

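Make sure the IAM policy you are using is associated with the user executing the query, and that the policy allows operations on the KMS key associated with the Parquet files. Even though the bucket may be using SSE_S3, the files may already have been encrypted with KMS.

A policy like this: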

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "kms:Decrypt",
                    "kms:DescribeKey",
                    "kms:GenerateDataKey"
                ],
                "Resource": [
                    "arn:aws:kms:<region>:<account>:key/<keyid>"
                ]
            }
        ]
    }
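
As an added example (not part of the original answer or of any AWS tooling): an offline Python check of whether a set of identity-based IAM policies grants the three KMS actions from the policy above on the key that encrypted an object. The `head_object` dict mirrors the `ServerSideEncryption` and `SSEKMSKeyId` fields of an S3 HeadObject response; the account ID, key ID and sample policies are constructed, and `Condition`, `NotAction`/`NotResource`, key policies and SCPs are deliberately not evaluated.

```python
import re

# Actions taken from the policy in the answer above.
REQUIRED_KMS_ACTIONS = ("kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, ignore_case=False):
    """IAM-style match: '*' is any run of characters, '?' is one character."""
    flags = re.IGNORECASE if ignore_case else 0
    for pattern in _as_list(patterns):
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, value, flags):
            return True
    return False

def is_allowed(policies, action, resource):
    """Explicit Deny wins; otherwise at least one Allow must match."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if "Action" not in stmt or "Resource" not in stmt:
                continue  # NotAction/NotResource are out of scope here
            if _matches(stmt["Action"], action, True) and _matches(stmt["Resource"], resource):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed

def missing_kms_actions(head_object, policies):
    """Return the KMS actions the caller still lacks for this object's key."""
    if not str(head_object.get("ServerSideEncryption", "")).startswith("aws:kms"):
        return []  # SSE-S3 (AES256) or unencrypted: no KMS call is involved
    key_arn = head_object["SSEKMSKeyId"]
    return [a for a in REQUIRED_KMS_ACTIONS if not is_allowed(policies, a, key_arn)]

# Constructed sample data (account ID, key ID and policies are made up).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"
HEAD_KMS = {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": KEY_ARN}
HEAD_S3 = {"ServerSideEncryption": "AES256"}
S3_FULL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
KMS_FIX = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": list(REQUIRED_KMS_ACTIONS), "Resource": [KEY_ARN]}]}

if __name__ == "__main__":
    print(missing_kms_actions(HEAD_KMS, [S3_FULL]))           # all three actions missing
    print(missing_kms_actions(HEAD_KMS, [S3_FULL, KMS_FIX]))  # nothing missing
```

An `s3:*` grant alone leaves all three KMS actions missing for a KMS-encrypted object, which is the situation the answer describes.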
