
I want to use Glue Crawler to crawl data from an S3 bucket. This S3 bucket is in another AWS account. Let's call it Account A. My Glue Crawler is in Account B.

I have created a role in Account B and called it AWSGlueServiceRole-Reporting. I have attached the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BucketAccess",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::AccountABucketName"
            ]
        },
        {
            "Sid": "ObjectAccess",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::AccountABucketName/FolderName/*"
            ]
        }
    ]
}

And also the AWSGlueServiceRole managed policy.

In Account A that has the S3 bucket, I've attached the following bucket policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AccountB:role/AWSGlueServiceRoleReporting"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::AccountABucketName"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AccountB:role/AWSGlueServiceRoleReporting"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::AccountABucketName/FolderName/*"
    }
  ]
}

I'm able to run a Glue Crawler in Account B on this S3 bucket and it created Glue Tables. But when I try to query them in Athena, I get Access Denied.

Can anybody tell me how to query it in Athena?

1 Answer

When Amazon Athena queries run, they use the permissions of the user that is running the query.

Therefore, you will need to modify the Bucket Policy on the bucket in Account A to permit access by whoever is running the query in Amazon Athena:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
            "arn:aws:iam::AccountB:role/AWSGlueServiceRoleReporting",
            "arn:aws:iam::AccountB:user/username"
        ]
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::AccountABucketName"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
            "arn:aws:iam::AccountB:role/AWSGlueServiceRoleReporting",
            "arn:aws:iam::AccountB:user/username"
        ]
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::AccountABucketName/FolderName/*"
    }
  ]
}

The user will also need sufficient S3 permissions (on their IAM User) to access that S3 bucket. (For example, having s3:ListBucket and s3:GetObject on S3 buckets. They likely already have this, but it is worth mentioning.)

This is different to AWS Glue, which uses an IAM Role. Athena does not accept an IAM Role for running queries.
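As an added illustration (not part of the question or the answer above), the Python below reconstructs the bucket policy from the question, applies the change the answer recommends (adding the Athena caller's principal to both Allow statements), and runs a minimal local evaluation of the policy to show which of the three S3 actions the querying user was missing before the fix. The 12-digit account ID, the sample object key and the bucket/prefix placeholders are assumptions for illustration; the evaluation models only the bucket-policy side (Principal, Action, Resource, explicit Deny), so the identity-policy requirement the answer mentions still applies on top of it.

```python
"""Added example: model the bucket-policy fix from the answer above and check it.

Not from the original post. Account IDs, the sample object key and the
bucket/prefix placeholders are assumptions for illustration only.
"""
import json
from copy import deepcopy
from fnmatch import fnmatchcase

BUCKET_ARN = "arn:aws:s3:::AccountABucketName"
PREFIX = "FolderName/"
# 111111111111 stands in for Account B's 12-digit account ID (placeholder).
CRAWLER_ROLE = "arn:aws:iam::111111111111:role/AWSGlueServiceRoleReporting"
ATHENA_USER = "arn:aws:iam::111111111111:user/username"

# The bucket policy the question started with: only the crawler role is a principal.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": CRAWLER_ROLE},
            "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
            "Resource": BUCKET_ARN,
        },
        {
            "Effect": "Allow",
            "Principal": {"AWS": CRAWLER_ROLE},
            "Action": "s3:GetObject",
            "Resource": f"{BUCKET_ARN}/{PREFIX}*",
        },
    ],
}


def _as_list(value):
    """IAM lets most policy elements be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def add_principal(policy, principal_arn):
    """Return a copy of the policy with principal_arn added to every Allow statement.
    This is the change the answer describes. Idempotent: no duplicate entries."""
    patched = deepcopy(policy)
    for stmt in patched["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principals = _as_list(stmt["Principal"]["AWS"])
        if principal_arn not in principals:
            principals.append(principal_arn)
        stmt["Principal"]["AWS"] = principals
    return patched


def is_allowed(policy, principal_arn, action, resource_arn):
    """Minimal resource-policy evaluation: an explicit Deny wins, otherwise any
    matching Allow grants. Only Principal/Action/Resource are modelled; Condition
    blocks, the caller's identity policy and SCPs are out of scope here."""
    allowed = False
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if "*" not in principals and principal_arn not in principals:
            continue
        # IAM wildcards (* and ?) match across "/" in ARNs, as fnmatch's do.
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_for_athena(policy, principal_arn, sample_key=PREFIX + "part-00000.parquet"):
    """Of the three S3 actions an Athena query needs to read a table rooted at the
    prefix, return those the bucket policy does not grant to principal_arn. An empty
    list means the bucket-policy side is fine; identity permissions are still required."""
    needed = [
        ("s3:ListBucket", BUCKET_ARN),
        ("s3:GetBucketLocation", BUCKET_ARN),
        ("s3:GetObject", f"{BUCKET_ARN}/{sample_key}"),  # sample key is constructed
    ]
    return [action for action, resource in needed
            if not is_allowed(policy, principal_arn, action, resource)]


if __name__ == "__main__":
    print("user missing before fix:", missing_for_athena(ORIGINAL_POLICY, ATHENA_USER))
    fixed = add_principal(ORIGINAL_POLICY, ATHENA_USER)
    print("user missing after fix: ", missing_for_athena(fixed, ATHENA_USER))
    print(json.dumps(fixed, indent=2))
```

Running it shows the crawler role passing all three checks against the original policy while the user fails all three, and the user passing once `add_principal` has been applied; an object outside `FolderName/` still fails `s3:GetObject`, which matches the prefix-scoped Resource in the second statement.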