"Permission denied" error when sending a query with Athena


Want to Achieve

I would like to execute a SELECT statement in AWS Athena, but I am getting the following error.
The Glue catalog is ready, the metadata is ready, and the DDL can be displayed.
I would appreciate it if you could tell me how to make the query work properly.

SELECT * FROM "table_name" limit 10;

Permission denied on S3 path: s3://backet_name/falder_name/db_name/table_name/parquet_name

error_message

"errorCode":"AccessDenied",
"errorMessage":"User: arn:aws:sts::<Account_ID>:assumed-role/AWSServiceRoleForLakeFormationDataAccess/AWSLF-00-AT-<Account_ID>-OSSm3ywcAP is not authorized to perform: kms:Decrypt on resource: arn:aws:kms:ap-northeast-1:<Account_ID>:key/○○ because no resource-based policy allows the kms:Decrypt action"

Environment

AWS RDS snapshots are exported to S3 and crawled by Glue to create a data catalog. In addition, we are using AWS Lake Formation to manage the data.

Setup

AWSServiceRoleForLakeFormationDataAccess

"AWSServiceRoleForLakeFormationDataAccess" is set as the crawler's service role.
The policies attached to this role are:
・AWSGlueServiceRole
・AmazonS3ReadOnlyAccess
・kms-decrypt-policy
・LakeFormationGetPolicy

kms-decrypt-policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "kms:Decrypt",
            "Resource": "*"
        }
    ]
}

LakeFormationGetPolicy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "lakeformation:GetResourceLFTags",
                "lakeformation:GetDataAccess",
                "lakeformation:ListLFTags",
                "lakeformation:GetLFTag"
            ],
            "Resource": "*"
        }
    ]
}

Athena execution user (datalake_user)

Attached Policies
・AmazonAthenaFullAccess
・AmazonS3FullAccess
・KMSFullAccessPolicy

Lake Formation > Permissions

(screenshot)

LF-Tags

(screenshot)

AWS Lake Formation > Grant permissions > Grant data permissions

(screenshot)

(screenshot)

AWS Lake Formation > Databases > db_sample_for_athena

(screenshot)

1 best solution

Attaching KMS to AWSServiceRoleForLakeFormationDataAccess solved the problem.
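The error above ("no resource-based policy allows the kms:Decrypt action") says the KMS key policy itself, not the role's identity policies, never named the Lake Formation data-access role. The following is an added example, not code from the question or the answer: a small checker that takes the STS session ARN from the error message, maps it to the IAM role ARN a key policy would name, and tests a constructed key policy before and after the fix. The account ID, the "key-admin" role and both policy documents are constructed placeholders.

```python
import re

# Constructed sample, not the asker's real account: the principal named in the error message.
ACCOUNT_ID = "123456789012"  # placeholder account ID
ROLE_NAME = "AWSServiceRoleForLakeFormationDataAccess"
SESSION_ARN = f"arn:aws:sts::{ACCOUNT_ID}:assumed-role/{ROLE_NAME}/AWSLF-00-AT-{ACCOUNT_ID}-OSSm3ywcAP"

def role_arn_from_session(arn):
    """Map an STS assumed-role session ARN to the IAM role ARN a key policy names."""
    m = re.fullmatch(r"arn:aws:sts::(\d{12}):assumed-role/([^/]+)/.+", arn)
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}" if m else arn

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _action_matches(pattern, action):
    # IAM action patterns may use '*' wildcards (e.g. "kms:*"); matching is case-insensitive.
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), action, re.IGNORECASE) is not None

def key_policy_allows(policy, principal_arn, action="kms:Decrypt"):
    """True if an Allow statement names this session or its role for the action.
    Deliberately simplified: ignores Deny, Condition blocks and account-root delegation,
    so it flags exactly the gap behind 'no resource-based policy allows the kms:Decrypt action'."""
    role_arn = role_arn_from_session(principal_arn)
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        prin = stmt.get("Principal", {})
        principals = ["*"] if prin == "*" else _as_list(prin.get("AWS", []))
        if not any(p in ("*", principal_arn, role_arn) for p in principals):
            continue
        if any(_action_matches(a, action) for a in _as_list(stmt.get("Action", []))):
            return True
    return False

# Constructed key policy as it stood: only a key-admin role is named, so the
# Lake Formation role gets no grant from the resource-based policy.
BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "KeyAdmins", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/key-admin"},
     "Action": "kms:*", "Resource": "*"}]}

# Constructed fix: the same policy plus a statement for the Lake Formation role.
AFTER = {"Version": "2012-10-17", "Statement": BEFORE["Statement"] + [
    {"Sid": "AllowLakeFormationDecrypt", "Effect": "Allow",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_NAME}"},
     "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"}]}
```

A key policy statement that names the account root delegates to IAM identity policies (such as the kms-decrypt-policy above), which this checker does not model; it models only the direct grant to the role that the error message says was missing.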