KoteiIto/node-athena

What are the minimum required permissions to use this module?

baileyfriend opened this issue · 3 comments

What are the minimum required permissions to use this module?

Also, is it possible for the role that is running the module to be used in place of the accessKeyId and secretAccessKey, instead of having to hardcode those values into the code being used to run the query?

AmazonAthenaFullAccess Managed Policy is the minimum required permissions to use this module.

Yes, accessKeyId and secretAccessKey are optional. You can use roles without entering these settings.

zaros commented

I am trying to use this library with my Lambda function using Serverless Framework but am encountering a permissions error. This worked in my initial test using aws-sdk directly:

In my serverless.yml:

  iamRoleStatements:
    # S3: read/write access to the query-results location
    - Effect: "Allow"
      Action:
        - s3:PutObject
        - s3:GetObject
        - s3:GetBucketLocation
      Resource: S3_ARN
    # Athena API calls
    - Effect: "Allow"
      Action:
        - athena:*
      Resource: "*"

And my handler.js file:

'use strict';

// athena-client settings: bucketUri is the S3 location Athena writes query results to.
var clientConfig = {
    bucketUri: S3_URI
};

// No accessKeyId/secretAccessKey here: the AWS SDK picks up the Lambda
// execution role's temporary credentials from the function environment.
var awsConfig = {
    region: REGION
};

var athena = require("athena-client");
var client = athena.createClient(clientConfig, awsConfig);

module.exports.getData = (event, context, callback) => {

    var query = 'SELECT * FROM DATABASE.TABLE LIMIT 10';

    client.execute(query, function(err, data) {
        if (err) {
            console.error(err);
            return callback(err);   // hand the failure back to Lambda instead of leaving the invocation open
        }
        console.log(data);
        callback(null, data);
    });
};

But when I execute my function I am getting an error as seen in CloudWatch:

2018-06-27T13:31:16.521Z	5db6c56f-7a0e-11e8-8f0a-176315f4368b	{ AccessDeniedException: User: arn:aws:sts::ACCOUNT_ID:assumed-role/LAMBDA_ROLE/LAMBDA_FUNCTION_NAME is not authorized to perform: athena:StartQueryExecution
at Request.extractError (/var/task/node_modules/aws-sdk/lib/protocol/json.js:48:27)
at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:105:20)
at Request.emit (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
at Request.emit (/var/task/node_modules/aws-sdk/lib/request.js:683:14)
at Request.transition (/var/task/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/var/task/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /var/task/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:685:12)
at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:115:18)
message: 'User: arn:aws:sts::ACCOUNT_ID:assumed-role/LAMBDA_ROLE/LAMBDA_FUNCTION_NAME is not authorized to perform: athena:StartQueryExecution',
code: 'AccessDeniedException',
time: 2018-06-27T13:31:16.519Z,
requestId: '3e006dbe-0c54-4110-b975-298b78840e9a',
statusCode: 400,
retryable: false,
retryDelay: 82.39760276833579 }

I used athena:* permission while testing to try to make sure I am allowing whatever permissions I need but I have also tried athena:StartQueryExecution specifically and get the same error.

Can you advise what I need to do to fix this problem?

zaros commented

It appears that there must have been some latency in my previous test that meant the permissions hadn't taken effect when I tested the deployment. I have managed to get my test to work now.

This is the permissions section in my serverless.yml that is working now for the above lambda function:

  iamRoleStatements:
    # Resource Level S3 Permissions
    - Effect: "Allow"
      Action:
        - s3:PutObject
        - s3:GetObject
        - s3:ListBucket
      Resource:
        - "arn:aws:s3:::aws-athena-query-results-*"
        - "arn:aws:s3:::MYBUCKET"
        - "arn:aws:s3:::MYBUCKET/*"
    # Athena
    - Effect: "Allow"
      Action:
        - athena:*
      Resource: "*"
    # Glue
    - Effect: "Allow"
      Action:
        - glue:*
      Resource: "*"
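The two serverless.yml fragments in this thread differ only in which statements they grant, and the failure surfaced late, as an AccessDeniedException in CloudWatch. The block below is an added example, not code from KoteiIto/node-athena or from anyone in the thread: a small offline linter that evaluates an IAM policy the way the Lambda execution role would be evaluated for the calls an Athena query round-trip makes, so that a malformed action name or a missing grant is caught before deployment. The set of required calls (three Athena actions, GetObject/PutObject on the results object, and two Glue catalog reads) is an assumption for illustration and should be checked against the library version you run; the account ID, region and bucket names in the ARNs are constructed placeholders. The first policy is built with trailing commas on two of the S3 action names, a mistake that YAML lists silently keep as part of the string.

```javascript
'use strict';

// Added example (not part of KoteiIto/node-athena or the thread's own code):
// evaluate a serverless.yml iamRoleStatements list against the calls an
// Athena query round-trip needs, entirely offline.

// Convert an IAM glob pattern (* and ? wildcards) into an anchored RegExp.
function globToRegExp(pattern, flags) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp('^' + escaped + '$', flags);
}

// IAM action names are "service:Action"; IAM matches them case-insensitively.
// A trailing comma or space fails this check.
const ACTION_SYNTAX = /^[a-z0-9-]+:[A-Za-z0-9*?]+$/;

function asList(v) { return Array.isArray(v) ? v : [v]; }

// Structural problems a deploy would otherwise surface late: malformed action
// strings, unknown Effect values, and full-service wildcards on Resource "*".
function lintPolicy(statements) {
  const problems = [];
  statements.forEach((stmt, i) => {
    if (stmt.Effect !== 'Allow' && stmt.Effect !== 'Deny') {
      problems.push(`statement ${i}: unknown Effect ${JSON.stringify(stmt.Effect)}`);
    }
    for (const action of asList(stmt.Action)) {
      if (!ACTION_SYNTAX.test(action)) {
        problems.push(`statement ${i}: malformed action ${JSON.stringify(action)}`);
      } else if (stmt.Effect === 'Allow' && /:\*$/.test(action) && asList(stmt.Resource).includes('*')) {
        problems.push(`statement ${i}: ${action} on Resource "*" grants every action of that service on every resource`);
      }
    }
  });
  return problems;
}

// Simplified evaluation of identity-based statements only: an explicit Deny
// wins, otherwise some Allow statement must match both the action and the ARN.
function isAllowed(statements, action, resource) {
  let allowed = false;
  for (const stmt of statements) {
    const actionHit = asList(stmt.Action).some(a => globToRegExp(a, 'i').test(action));
    const resourceHit = asList(stmt.Resource).some(r => globToRegExp(r).test(resource));
    if (!actionHit || !resourceHit) continue;
    if (stmt.Effect === 'Deny') return false;
    if (stmt.Effect === 'Allow') allowed = true;
  }
  return allowed;
}

// Assumed call set for one query (start, poll, fetch results, read/write the
// results object, resolve the table in the Glue Data Catalog). Constructed ARN.
const RESULTS_OBJECT = 'arn:aws:s3:::aws-athena-query-results-123456789012-us-east-1/q1.csv';
const REQUIRED_CALLS = [
  { action: 'athena:StartQueryExecution', resource: '*' },
  { action: 'athena:GetQueryExecution', resource: '*' },
  { action: 'athena:GetQueryResults', resource: '*' },
  { action: 's3:PutObject', resource: RESULTS_OBJECT },
  { action: 's3:GetObject', resource: RESULTS_OBJECT },
  { action: 'glue:GetDatabase', resource: '*' },
  { action: 'glue:GetTable', resource: '*' },
];

function checkPolicy(statements, required = REQUIRED_CALLS) {
  return {
    problems: lintPolicy(statements),
    missing: required.filter(c => !isAllowed(statements, c.action, c.resource)).map(c => c.action),
  };
}

// Constructed: a first attempt whose S3 actions carry trailing commas, as a
// YAML list item written "- s3:PutObject," is parsed. Placeholder ARN filled in.
const FIRST_POLICY = [
  { Effect: 'Allow', Action: ['s3:PutObject,', 's3:GetObject,', 's3:GetBucketLocation'],
    Resource: 'arn:aws:s3:::aws-athena-query-results-123456789012-us-east-1/*' },
  { Effect: 'Allow', Action: ['athena:*'], Resource: '*' },
];

// Constructed: the shape of the working iamRoleStatements from the thread.
const WORKING_POLICY = [
  { Effect: 'Allow', Action: ['s3:PutObject', 's3:GetObject', 's3:ListBucket'],
    Resource: ['arn:aws:s3:::aws-athena-query-results-*', 'arn:aws:s3:::MYBUCKET', 'arn:aws:s3:::MYBUCKET/*'] },
  { Effect: 'Allow', Action: ['athena:*'], Resource: '*' },
  { Effect: 'Allow', Action: ['glue:*'], Resource: '*' },
];

console.log('first:', JSON.stringify(checkPolicy(FIRST_POLICY), null, 2));
console.log('working:', JSON.stringify(checkPolicy(WORKING_POLICY), null, 2));
```

For the first policy the linter reports the two malformed action strings and, because those strings never match a real action, lists the S3 and Glue calls as missing; for the working policy nothing is missing, and the only findings are the two full-service wildcards, which is the trade-off the maintainer's AmazonAthenaFullAccess answer also makes. Run it with node before `serverless deploy`, or wire it into CI against the rendered policy.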