Cross-account access to AWS Glue Data Catalog via Athena

Question

Is it possible to directly access AWS Glue Data Catalog of Account B via the Athena interface of Account A?

Recommended answer

I was just trying to resolve this same issue in my own setup, but then stumbled across this bummer (the last bullet under Cross-Account Access Limitations on this page):

Cross-account access to the Data Catalog is not supported when using an AWS Glue crawler, Amazon Athena, or Amazon Redshift.

So it sounds like even with the cross-account access that is possible today, they won't naturally replicate through those services (including the asked about Athena).

That said, I was able to set up cross-account access to the AWS Glue Data Catalog in a way that allowed me to use Account A to pull all relevant info about Data Catalog objects from Account B. I can update my answer to incorporate how far I got, if you want, but a hacky method that might solve this question would be to set up the cross-account access that is possible today then run a recurring Lambda function that replicates over all the relevant metadata in the Data Catalog from Account B to Account A so users in Account A can view that within Account A's AWS Glue Data Catalog. I'm not sure whether Athena specifically would work in that setup, as I know it requires PutObject access when it queries data in S3 (which could be solved via the appropriate S3 bucket policies, but that'd be another cross-account permissions thing to manage).

Let me know whether you'd like to see those details on what cross-account stuff I was able to get working.
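
A sketch of the recurring replication Lambda the answer describes, added here as an example (not code from the answer's author): it copies only allowlisted databases and their tables from Account B's catalog into Account A's. The account ID, the allowlist and the function names are assumptions, and it presumes Account B has already granted Account A's role read access to its Data Catalog.

```python
# Added example: replicate Glue table metadata from Account B into Account A.
# Assumptions: account ID, database allowlist and handler wiring are placeholders.
SOURCE_CATALOG_ID = "111122223333"      # placeholder for Account B's account ID
ALLOWED_DATABASES = {"analytics"}       # replicate only what Account A should see

# get_tables returns read-only fields (CreateTime, DatabaseName, ...) that
# create_table/update_table reject, so copy only keys valid in TableInput.
TABLE_INPUT_KEYS = {
    "Name", "Description", "Owner", "Retention", "StorageDescriptor",
    "PartitionKeys", "ViewOriginalText", "ViewExpandedText", "TableType",
    "Parameters",
}

def _items(call, key, **kwargs):
    """Yield every item from a NextToken-paginated Glue list call."""
    while True:
        page = call(**kwargs)
        yield from page.get(key, [])
        token = page.get("NextToken")
        if not token:
            return
        kwargs["NextToken"] = token

def replicate(src, dst, source_catalog_id, allowed):
    """Copy allowlisted databases and their tables; return (created, updated)."""
    created = updated = 0
    local_dbs = {d["Name"] for d in _items(dst.get_databases, "DatabaseList")}
    for db in _items(src.get_databases, "DatabaseList", CatalogId=source_catalog_id):
        name = db["Name"]
        if name not in allowed:
            continue  # never mirror databases outside the allowlist
        if name not in local_dbs:
            dst.create_database(DatabaseInput={"Name": name})
        existing = {t["Name"] for t in _items(dst.get_tables, "TableList", DatabaseName=name)}
        for table in _items(src.get_tables, "TableList",
                            CatalogId=source_catalog_id, DatabaseName=name):
            table_input = {k: v for k, v in table.items() if k in TABLE_INPUT_KEYS}
            if table["Name"] in existing:
                dst.update_table(DatabaseName=name, TableInput=table_input)
                updated += 1
            else:
                dst.create_table(DatabaseName=name, TableInput=table_input)
                created += 1
    return created, updated

def lambda_handler(event, context):
    import boto3  # imported here so replicate() can be exercised with stub clients
    glue = boto3.client("glue")  # runs as Account A's role
    return replicate(glue, glue, SOURCE_CATALOG_ID, ALLOWED_DATABASES)
```

The copied tables still point at Account B's S3 locations, so the bucket-policy question raised in the answer remains a separate permission to manage.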
