在不同帐户的Lambda中从AWS Athena查询S3文件时访问拒绝 [英] Access Denied while querying S3 files from AWS Athena within Lambda in different account
问题描述
我正在尝试从我的Lambda代码中查询Athena View。为不同帐户中的S3文件创建了Athena表。雅典娜查询编辑器给我以下错误:
I am trying to query Athena View from my Lambda code. Created Athena table for S3 files which are in different account. Athena Query editor is giving me below error:
访问被拒绝(服务:Amazon S3;状态代码:403;错误代码:AccessDenied;
Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied;
我尝试从我的Lambda代码访问Athena View,创建了Lambda执行角色,并在另一个帐户S3存储桶的存储桶策略中也允许该角色如下所示:
I tried accessing Athena View from my Lambda code. Created Lambda Execution Role and allowed this role in Bucket Policy of another account S3 bucket as well like below:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::2222222222:role/BAccountRoleFullAccess"
},
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject"
],
"Resource": "arn:aws:s3:::s3_bucket/*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::111111111:role/A-Role",
"arn:aws:iam::111111111:role/B-Role"
]
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::s3_bucket",
"arn:aws:s3:::s3_bucket/*"
]
}
]
}
从Lambda中得到以下错误:
From Lambda, getting below error:
'Status': {'State': 'FAILED', 'StateChangeReason': 'com.amazonaws.services.s3.model.AmazonS3Exception:
Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 3A8953784EC73B17;
S3 Extended Request ID: LfQZdTCj7sSQWcBqVNhtHrDEnJuGxgJQxvillSHznkWIr8t5TVzSaUwNSdSNh+YzDUj+S6aOUyI=),
S3 Extended Request ID: LfQZdTCj7sSQWcBqVNhtHrDEnJuGxgJQxvillSHznkWIr8t5TVzSaUwNSdSNh+YzDUj+S6aOUyI=
(Path: s3://s3_bucket/Input/myTestFile.csv)'
此Lambda函数使用的是 arn:aws:iam :: 111111111 :role / B-Role
具有完全访问Athena和S3的执行角色。
This Lambda function is using arn:aws:iam::111111111:role/B-Role
Execution role which has full access to Athena and S3.
请指导我。
推荐答案
为重现这种情况,我做了以下操作:
To reproduce this situation, I did the following:
- 在
Account-A
中,创建了一个 Amazon S3存储桶(Bucket-A
),上传了CSV文件 - 在
帐户B
中,创建了 IAM角色(具有S3和Athena权限的角色B
) - 在<$上将 OFF 阻止公共访问 c $ c> Bucket-A
- 添加了存储桶策略到引用
角色-B
的Bucket-A
:
- In
Account-A
, created an Amazon S3 bucket (Bucket-A
) and uploaded a CSV file - In
Account-B
, created an IAM Role (Role-B
) with S3 and Athena permissions - Turned OFF Block Public Access on
Bucket-A
- Added a bucket policy to
Bucket-A
that referencesRole-B
:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[ACCOUNT-B]:role/role-b"
},
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::bucket-a",
"arn:aws:s3:::bucket-a/*"
]
}
]
}
- 在
Account-B
,在Amazon Athena控制台中手动定义了表 - 对Athena表进行查询。正如预期的那样,收到
访问被拒绝
,因为我使用的是IAM用户而不是Bucket-A的存储桶策略中定义的IAM角色来访问控制台。
- 在
Account-B
中创建了 AWS Lambda函数,该函数使用角色-B
: - In
Account-B
, manually defined a table in the Amazon Athena console - Ran a query on the Athena table. As expected, received
Access Denied
because I was using an IAM User to access the console, not the IAM Role defined in the Bucket Policy onBucket-A
- Created an AWS Lambda function in
Account-B
that usesRole-B
:
import boto3
import time
def lambda_handler(event, context):
athena_client = boto3.client('athena')
query1 = athena_client.start_query_execution(
QueryString='SELECT * FROM foo',
ResultConfiguration={'OutputLocation': 's3://my-athena-out-bucket/'}
)
time.sleep(10)
query2 = athena_client.get_query_results(QueryExecutionId=query1['QueryExecutionId'])
print(query2)
- 运行Lambda函数。它从CSV文件成功返回了数据。
- Ran the Lambda function. It successfully returned data from the CSV file.
请与我执行的上述步骤比较您的配置。希望您会发现一个与众不同的地方,从而可以通过Athena进行跨帐户访问。
Please compare your configurations against the above steps that I took. Hopefully you will find a difference that will enable your cross-account access by Athena.
这篇关于在不同帐户的Lambda中从AWS Athena查询S3文件时访问拒绝的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!