
Run queries in AWS Athena from boto3 gives bad permissions

When trying to run queries from Python (boto3) against AWS Athena, the following error is raised:

botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the StartQueryExecution operation: User: arn:aws:iam::account-id:user/sa.prd is not authorized to perform: athena:StartQueryExecution on resource: arn:aws:athena:us-east-1:account-id:workgroup/primary

I don't have access to the AWS console. I was also informed that there is another user, "sa.prd.athena", that has the right permissions (which does not seem to be the case for "sa.prd").

  • Is it possible to use boto3 while specifying a different user? Right now I am not using any specific user.
  • If it is not possible to use a different user, is it possible to set some kind of policy to be used by boto3 at runtime? (I ask because I don't have access to the AWS Management Console.)

Thanks,

BR

The user in AWS is determined by the credentials that are used to sign the call to the AWS API. There are several ways to pass these credentials to AWS SDKs in general (and boto3 in particular).

It looks for credentials in these places and takes them from the first one where they're present:

  1. Hard-coded credentials passed while instantiating a client
  2. Credentials stored in environment variables
  3. Credentials stored in ~/.aws/credentials (by default it uses those of the default profile)
  4. The instance metadata service on EC2/ECS/Lambda

Since you're not directly setting up credentials, I assume it takes them from the SDK configuration (3), so you could simply override them while instantiating your Athena client like this:

import boto3

# Credentials passed here take precedence over environment variables and the
# shared credentials file. SESSION_TOKEN is only needed for temporary credentials.
athena_client = boto3.client(
    'athena',
    aws_access_key_id=ACCESS_KEY,
    aws_secret_access_key=SECRET_KEY,
    aws_session_token=SESSION_TOKEN
)

This is an example adapted from the documentation; you need to specify your credentials in place of the uppercase variables.

Hard-coding these is considered bad practice though, so you might want to look into option (2), using environment variables, or set up another profile in your local SDK configuration and tell the client to use that. Information on that can be found in the boto3 docs I linked above.
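To make the lookup order in the answer concrete, here is an added example that is not part of the original answer and not boto3's own resolver: a small model of the first three sources (explicit arguments, then environment variables, then the shared credentials file), showing how a named profile such as "sa.prd.athena" (the user name from the question) is selected without putting a key in the script. boto3's real provider chain also consults ~/.aws/config, assume-role profiles, the container credential endpoint and EC2 instance metadata, which this model omits. The credentials file content, the access key IDs and the secrets are constructed placeholders.

```python
"""Credential lookup order, modelled after the list in the answer above.

Added example, not boto3's own code: the precedence is explicit arguments,
then environment variables, then the shared credentials file, where
AWS_PROFILE (or profile_name=) selects a section other than [default].
"""
import configparser
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, Mapping, Optional


@dataclass(frozen=True)
class Resolved:
    source: str                 # "explicit", "environment" or "shared-file"
    profile: Optional[str]      # profile name, only for "shared-file"
    access_key_id: str
    secret_access_key: str
    session_token: Optional[str] = None


def resolve_credentials(
    explicit: Optional[Mapping[str, str]] = None,
    env: Optional[Mapping[str, str]] = None,
    credentials_file: Optional[str] = None,
    profile: Optional[str] = None,
) -> Resolved:
    """Return the first credentials found, in the order boto3 would look."""
    env = os.environ if env is None else env

    # 1. Hard-coded arguments passed to boto3.client()/boto3.Session() win.
    if explicit and explicit.get("aws_access_key_id"):
        return Resolved("explicit", None, explicit["aws_access_key_id"],
                        explicit["aws_secret_access_key"],
                        explicit.get("aws_session_token"))

    # 2. Environment variables.
    if env.get("AWS_ACCESS_KEY_ID"):
        return Resolved("environment", None, env["AWS_ACCESS_KEY_ID"],
                        env["AWS_SECRET_ACCESS_KEY"],
                        env.get("AWS_SESSION_TOKEN"))

    # 3. Shared credentials file; AWS_PROFILE picks the section, else [default].
    profile = profile or env.get("AWS_PROFILE") or "default"
    path = (credentials_file or env.get("AWS_SHARED_CREDENTIALS_FILE")
            or os.path.expanduser("~/.aws/credentials"))
    parser = configparser.ConfigParser()
    parser.read(path)  # silently yields no sections if the file is missing
    if not parser.has_section(profile):
        raise LookupError(f"profile {profile!r} not found in {path}")
    section = parser[profile]
    return Resolved("shared-file", profile, section["aws_access_key_id"],
                    section["aws_secret_access_key"],
                    section.get("aws_session_token"))


def session_kwargs(resolved: Resolved) -> Dict[str, str]:
    """Keyword arguments for boto3.Session(). For the shared file, hand over
    the profile name rather than copying the secret into the program."""
    if resolved.source == "shared-file":
        return {"profile_name": resolved.profile}
    kwargs = {"aws_access_key_id": resolved.access_key_id,
              "aws_secret_access_key": resolved.secret_access_key}
    if resolved.session_token:
        kwargs["aws_session_token"] = resolved.session_token
    return kwargs


# Constructed credentials file for the demo; keys and secrets are placeholders.
CONSTRUCTED_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAEXAMPLE0000000PRD
aws_secret_access_key = EXAMPLE/secret/for/sa.prd

[sa.prd.athena]
aws_access_key_id = AKIAEXAMPLE0000ATHENA
aws_secret_access_key = EXAMPLE/secret/for/sa.prd.athena
"""


def demo() -> Dict[str, Resolved]:
    """Three scenarios against the constructed file, with an explicit (empty)
    environment so the result does not depend on the machine running it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "credentials")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(CONSTRUCTED_CREDENTIALS)
        return {
            # Nothing set, as in the question: [default] (sa.prd) is used.
            "default": resolve_credentials(env={}, credentials_file=path),
            # Select the user that holds the Athena permissions by profile name.
            "named-profile": resolve_credentials(
                env={"AWS_PROFILE": "sa.prd.athena"}, credentials_file=path),
            # Explicit arguments override both the environment and the file.
            "explicit": resolve_credentials(
                explicit={"aws_access_key_id": "AKIAEXAMPLE000000TMP",
                          "aws_secret_access_key": "EXAMPLE/temporary",
                          "aws_session_token": "EXAMPLE-session-token"},
                env={"AWS_PROFILE": "sa.prd.athena"}, credentials_file=path),
        }


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:14s} -> {r.source:12s} profile={r.profile} key={r.access_key_id}")
```

With a real profile in place, the result feeds straight into boto3: `boto3.Session(**session_kwargs(r)).client('athena', region_name='us-east-1')`. Before running StartQueryExecution it is worth calling `get_caller_identity()` on an `sts` client built from the same session and checking that the returned `Arn` ends in `user/sa.prd.athena`; the error in the question names the user that actually signed the request, so this check tells you whether the profile switch took effect.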
