时间戳

首页 > 解决方案 > 在 Athena 中查询另一个 AWS 账户的 S3 存储桶中的数据时访问被拒绝

amazon-web-services - 在 Athena 中查询另一个 AWS 账户的 S3 存储桶中的数据时访问被拒绝

问题描述

我想使用 Glue Crawler 从 S3 存储桶中抓取数据。此 S3 存储桶位于另一个 AWS 账户中。我们打电话给账户 A。我的 Glue Crawler 在账户 B 中。

我在账户 B 中创建了一个角色并将其命名为 AWSGlueServiceRole-Reporting 我附加了以下策略:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BucketAccess",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::AccountAbucketname"
            ]
        },
        {
            "Sid": "ObjectAccess",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::AccountABucketName/Foldername/*"
            ]
        }
    ]
}

还有 AWSGlueServiceRole policy

在具有 S3 存储桶的账户 A 中,我附加了以下存储桶策略:

{
  "Version": "2012-10-17",
  "Statement": [
    {

      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AccountB:role/AWSGlueServiceRoleReporting”
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::AccountABucketName"
    },
    {

      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AccountB:role/AWSGlueServiceRoleReporting”
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::AccountABucketName/FolderName/*"
    }
  ]
}

我能够在此 S3 存储桶上的账户 B 中运行 Glue Crawler 并创建 Glue Tables。但是当我尝试在 Athena 中查询它们时,我得到拒绝访问。

任何人都可以帮助我如何在 Athena 中查询它吗?

标签: amazon-web-servicesamazon-s3web-crawleraws-glueamazon-athena

解决方案

When Amazon Athena queries run, they use the permissions of the user that is running the query.

Therefore, you will need to modify the Bucket Policy on the bucket in Account A to permit access by whoever is running the query in Amazon Athena:

{
  "Version": "2012-10-17",
  "Statement": [
    {

      "Effect": "Allow",
      "Principal": {
        "AWS": [
            "arn:aws:iam::AccountB:role/AWSGlueServiceRoleReporting",
            "arn:aws:iam::AccountB:user/username"
        ]
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::AccountABucketName"
    },
    {

      "Effect": "Allow",
      "Principal": {
        "AWS": [
            "arn:aws:iam::AccountB:role/AWSGlueServiceRoleReporting",
            "arn:aws:iam::AccountB:user/username"
        ]
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::AccountABucketName/FolderName/*"
    }
  ]
}

The user will also need sufficient S3 permissions (on their IAM User) to access that S3 bucket. (For example, having s3:ListBucket and s3:GetObject on S3 buckets. They likely already have this, but it is worth mentioning.)

This is different to AWS Glue, which uses an IAM Role. Athena does not accept an IAM Role for running queries.

推荐阅读