
Athena Ingestor Suggested IAM Policy is Incomplete #18781

Closed
dan-marra-ebrs opened this issue Nov 25, 2024 · 0 comments · Fixed by #18871
Labels
documentation Improvements or additions to documentation

Comments


dan-marra-ebrs commented Nov 25, 2024

The current documentation states that the policy needed for the Athena ingestor is the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "athena:ListTableMetadata",
                "athena:ListDatabases",
                "athena:GetTableMetadata",
                "athena:ListQueryExecutions",
                "athena:StartQueryExecution",
                "athena:GetQueryExecution",
                "athena:ListWorkGroups",
                "athena:GetQueryResults",
                "athena:BatchGetQueryExecution"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:athena:<<AWS_REGION>>:<<ACCOUNT_ID>>:workgroup/<<WORKGROUP_NAME>>",
                "arn:aws:athena:<<AWS_REGION>>:<<ACCOUNT_ID>>:datacatalog/<<DATA_CATALOG_NAME>>"
            ]
        },
        {
            "Action": [
                "glue:GetTables",
                "glue:GetTable",
                "glue:GetDatabases",
                "glue:GetPartitions"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:glue:<<AWS_REGION>>:<<ACCOUNT_ID>>:table/<<DATABASE_NAME>>/*",
                "arn:aws:glue:<<AWS_REGION>>:<<ACCOUNT_ID>>:database/<<DATABASE_NAME>>",
                "arn:aws:glue:<<AWS_REGION>>:<<ACCOUNT_ID>>:catalog"
            ]
        },
        {
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:GetBucketLocation",
                "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::<<ATHENA_S3_BUCKET>>/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
              "lakeformation:GetResourceLFTags"
            ],
            "Resource": [
                "arn:aws:athena:<<AWS_REGION>>:<<ACCOUNT_ID>>:datacatalog/<<DATA_CATALOG_NAME>>/database/<<DATABASE_NAME>>",
                "arn:aws:athena:<<AWS_REGION>>:<<ACCOUNT_ID>>:datacatalog/<<DATA_CATALOG_NAME>>/database/<<DATABASE_NAME>>/table/<<TABLE_NAME>>",
                "arn:aws:athena:<<AWS_REGION>>:<<ACCOUNT_ID>>:datacatalog/<<DATA_CATALOG_NAME>>/database/<<DATABASE_NAME>>/table/<<TABLE_NAME>>/column/<<COLUMN_NAME>>"
            ]
        }
    ]
}

There are two problems with this policy:

  1. If views/queries rely on Athena connectors, this policy will not allow the query to be run, because it is missing Lambda permissions.
  2. If the S3 bucket where results are stored is encrypted with KMS, one will not be able to access it.

The suggested policy in the docs should contain something like:

        {
            "Action": [
                "lambda:InvokeFunction"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:lambda:<<AWS_REGION>>:<<ACCOUNT_ID>>:function:<<CONNECTOR_NAME>>"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt",
                "kms:DescribeKey"
            ],
            "Resource": [
                "*"
            ]
        }

Not having this leads to mysterious errors when running test case pipelines, especially in the case of the connector access, where even AWS doesn't provide a detailed permission reason. I suspect this is the source of several Athena-related issues.
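As an added example (not code from the OpenMetadata project or from the issue author), the script below checks a policy document for the two sets of permissions the issue reports as missing and appends them. It embeds a trimmed copy of the documented policy quoted above; the Lambda function ARN and KMS key ARN it uses are placeholders. One deliberate difference from the issue's suggestion: the KMS statement is scoped to the key ARN(s) that encrypt the results bucket instead of `Resource: "*"`, and a helper flags any statement that still grants KMS actions on `*`.

```python
"""Check an Athena-ingestor IAM policy for the Lambda and KMS permissions this issue
reports as missing, and append scoped statements for them.

Added example; not the project's own code. The policy below is a trimmed copy of the one
quoted in the issue; connector and key ARNs are placeholders (assumptions)."""
import copy
import fnmatch
import json

# Trimmed copy of the documented policy (Athena/Glue/S3 statements, page placeholders).
DOC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "athena:ListTableMetadata", "athena:ListDatabases", "athena:GetTableMetadata",
                "athena:ListQueryExecutions", "athena:StartQueryExecution",
                "athena:GetQueryExecution", "athena:ListWorkGroups", "athena:GetQueryResults",
                "athena:BatchGetQueryExecution",
            ],
            "Resource": [
                "arn:aws:athena:<<AWS_REGION>>:<<ACCOUNT_ID>>:workgroup/<<WORKGROUP_NAME>>",
                "arn:aws:athena:<<AWS_REGION>>:<<ACCOUNT_ID>>:datacatalog/<<DATA_CATALOG_NAME>>",
            ],
        },
        {
            "Effect": "Allow",
            "Action": ["glue:GetTables", "glue:GetTable", "glue:GetDatabases", "glue:GetPartitions"],
            "Resource": ["arn:aws:glue:<<AWS_REGION>>:<<ACCOUNT_ID>>:catalog"],
        },
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket", "s3:GetObject", "s3:GetBucketLocation", "s3:PutObject"],
            "Resource": ["arn:aws:s3:::<<ATHENA_S3_BUCKET>>/*"],
        },
    ],
}

# Actions the issue says are missing. Lambda is needed only when a queried view/table
# goes through an Athena federated connector; KMS only when the results bucket uses SSE-KMS.
CONNECTOR_ACTIONS = ["lambda:InvokeFunction"]
KMS_ACTIONS = ["kms:Decrypt", "kms:DescribeKey"]


def _as_list(value):
    """IAM allows Action/Resource to be a bare string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Every action pattern granted by an Allow statement (patterns may contain '*')."""
    out = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            out.extend(_as_list(stmt.get("Action", [])))
    return out


def missing_actions(policy, required):
    """Required actions not matched by any Allow action pattern (IAM-style wildcards honoured)."""
    granted = allowed_actions(policy)
    return sorted(a for a in required if not any(fnmatch.fnmatchcase(a, g) for g in granted))


def wildcard_resource_statements(policy, service):
    """Allow statements that grant actions of <service> on Resource "*" (over-broad grants)."""
    hits = []
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow":
            continue
        if any(a.split(":")[0] == service for a in actions) and "*" in _as_list(stmt.get("Resource", [])):
            hits.append(stmt)
    return hits


def with_connector_and_kms(policy, connector_function_arns, kms_key_arns):
    """Copy of the policy with the issue's two statements appended.

    The KMS statement is scoped to the given key ARN(s) rather than "*" (author's choice
    here, not what the issue proposed).
    """
    hardened = copy.deepcopy(policy)
    hardened["Statement"].append(
        {"Effect": "Allow", "Action": CONNECTOR_ACTIONS, "Resource": list(connector_function_arns)}
    )
    hardened["Statement"].append(
        {"Effect": "Allow", "Action": KMS_ACTIONS, "Resource": list(kms_key_arns)}
    )
    return hardened


if __name__ == "__main__":
    # Placeholder ARNs (assumptions, not values from the page).
    connector = ["arn:aws:lambda:<<AWS_REGION>>:<<ACCOUNT_ID>>:function:<<CONNECTOR_NAME>>"]
    key = ["arn:aws:kms:<<AWS_REGION>>:<<ACCOUNT_ID>>:key/<<KEY_ID>>"]
    print("missing before:", missing_actions(DOC_POLICY, CONNECTOR_ACTIONS + KMS_ACTIONS))
    fixed = with_connector_and_kms(DOC_POLICY, connector, key)
    print("missing after:", missing_actions(fixed, CONNECTOR_ACTIONS + KMS_ACTIONS))
    print(json.dumps(fixed, indent=2))
```

Run it against a real policy by loading the JSON with `json.load` in place of `DOC_POLICY`; `missing_actions` lists what still needs granting, and `wildcard_resource_statements(policy, "kms")` should come back empty once the KMS grant is pinned to the results bucket's key.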

@dan-marra-ebrs dan-marra-ebrs added the documentation Improvements or additions to documentation label Nov 25, 2024
TeddyCr pushed a commit that referenced this issue Dec 2, 2024
…umentation (#18871)

* Adding lambda permissions to Athena connector documentation

* Add lambda permissions to athena connector documentation yaml file

* Adding lambda permissions to Athena doc v1.5

* Adding lambda permissions for Athena connector document v1.4.x