amazon-web-services - 在 Athena 中查询另一个 AWS 账户的 S3 存储桶中的数据时访问被拒绝
问题描述
我想使用 Glue Crawler 从 S3 存储桶中抓取数据。此 S3 存储桶位于另一个 AWS 账户中。我们打电话给账户 A。我的 Glue Crawler 在账户 B 中。
我在账户 B 中创建了一个角色并将其命名为 AWSGlueServiceRole-Reporting 我附加了以下策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "BucketAccess",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::AccountAbucketname"
]
},
{
"Sid": "ObjectAccess",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::AccountABucketName/Foldername/*"
]
}
]
}
还有 AWSGlueServiceRole policy
。
在具有 S3 存储桶的账户 A 中,我附加了以下存储桶策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountB:role/AWSGlueServiceRoleReporting”
},
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::AccountABucketName"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountB:role/AWSGlueServiceRoleReporting”
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::AccountABucketName/FolderName/*"
}
]
}
我能够在此 S3 存储桶上的账户 B 中运行 Glue Crawler 并创建 Glue Tables。但是当我尝试在 Athena 中查询它们时,我得到拒绝访问。
任何人都可以帮助我如何在 Athena 中查询它吗?
解决方案
When Amazon Athena queries run, they use the permissions of the user that is running the query.
Therefore, you will need to modify the Bucket Policy on the bucket in Account A to permit access by whoever is running the query in Amazon Athena:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::AccountB:role/AWSGlueServiceRoleReporting",
"arn:aws:iam::AccountB:user/username"
]
},
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::AccountABucketName"
},
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::AccountB:role/AWSGlueServiceRoleReporting",
"arn:aws:iam::AccountB:user/username"
]
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::AccountABucketName/FolderName/*"
}
]
}
The user will also need sufficient S3 permissions (on their IAM User) to access that S3 bucket. (For example, having s3:ListBucket
and s3:GetObject
on S3 buckets. They likely already have this, but it is worth mentioning.)
This is different to AWS Glue, which uses an IAM Role. Athena does not accept an IAM Role for running queries.
推荐阅读
- c++ - QtDBus,使用 QT DBus xml 接口时未从 dbus-send 接收信号
- scala - Akka:以编程方式添加自定义序列化程序
- c++ - 从 base64 C++ 解码和保存图像文件
- java - 如何在 android studio 中修复“IllegalStateException”(致命异常)?
- javascript - 有时代码未显示在 Visual Studio 代码的自动完成列表中,解决方案?
- amazon-web-services - 避免存储在 s3 存储桶上的 http 内容在浏览器中被破坏
- c# - 拼写检查 en-GB 不适用于日文键盘
- python - 无法使用 python 脚本切换 gcloud 平台帐户
- java - 如何使用apache poi将excel中的滚动条限制为最大行大小?
- asp.net - 如何设计一个带有空白第一行的数据源的gridview或表格,我们可以在asp.net中搜索表格列?