Running queries in AWS Athena from boto3 gives bad permissions
When trying to run queries from Python (boto3) against AWS Athena, the following error is raised:
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the StartQueryExecution operation: User: arn:aws:iam::account-id:user/sa.prd is not authorized to perform: athena:StartQueryExecution on resource: arn:aws:athena:us-east-1:account-id:workgroup/primary
I don't have access to the AWS console. I was also informed that there is another user "sa.prd.athena" that has the right permissions (which does not seem to be the case for "sa.prd").
Thanks,
BR
The user in AWS is determined by the credentials that are used to sign the API call to the AWS API. There are several ways to pass these credentials to AWS SDKs in general (and boto3 in particular).
It looks for credentials in these places and takes them from the first one where they're present:
~/.aws/credentials (by default it uses those of the default profile)
Since you're not directly setting up credentials, I assume it takes them from the SDK configuration (3), so you could just overwrite them while instantiating your Athena client like this:
import boto3
athena_client = boto3.client(
'athena',
aws_access_key_id=ACCESS_KEY,
aws_secret_access_key=SECRET_KEY,
aws_session_token=SESSION_TOKEN
)
This is an adapted example from the documentation; you need to specify your credentials instead of the uppercase variables.
Hardcoding these is considered bad practice though, so you might want to look into option (2), using environment variables, or setting up another profile in your local SDK and telling the client to use that. Information on that can be found in the boto3 docs I linked above.
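The resolution order the answer describes, as an added illustration that is not part of the answer above: a small pure-Python model of the first three places boto3 looks (explicit client parameters, then the AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment variables, then a profile in ~/.aws/credentials selected by AWS_PROFILE), run against a constructed credentials file in which a `default` profile stands in for the sa.prd user and a `sa.prd.athena` profile for the user that does have the Athena permission. The key IDs and profile contents are made-up sample values, and the real chain continues past these three sources (the AWS config file, container and instance roles), which this model omits. The helper at the end uses the real boto3 calls for selecting a named profile and confirming with sts:GetCallerIdentity which IAM principal the credentials map to before any Athena call is made.

```python
"""Model of the start of the boto3/botocore credential resolution chain.

Added illustration, not boto3's own code: it reproduces the first-match
order (explicit parameters, then environment variables, then the shared
credentials file) so you can see which identity a request will be signed
with before Athena rejects it. All keys and profiles are constructed samples.
"""
import configparser
import os
from typing import Mapping, Optional, Tuple

# Constructed sample ~/.aws/credentials: [default] plays the role of the
# sa.prd user, [sa.prd.athena] the user that holds athena:StartQueryExecution.
SAMPLE_CREDENTIALS_FILE = """\
[default]
aws_access_key_id = AKIAEXAMPLESAPRD
aws_secret_access_key = example-secret-sa-prd

[sa.prd.athena]
aws_access_key_id = AKIAEXAMPLESAPRDATHENA
aws_secret_access_key = example-secret-sa-prd-athena
"""


def resolve_credentials(
    explicit: Optional[Mapping[str, str]] = None,
    env: Optional[Mapping[str, str]] = None,
    credentials_text: str = SAMPLE_CREDENTIALS_FILE,
    profile: Optional[str] = None,
) -> Tuple[Optional[str], Optional[str]]:
    """Return (source, access_key_id) for the first place that supplies credentials.

    `env` defaults to os.environ; pass a dict to run the model deterministically.
    `credentials_text` stands in for the contents of ~/.aws/credentials.
    """
    # 1. Keys passed directly to boto3.client(...) / boto3.Session(...) win.
    if explicit and explicit.get("aws_access_key_id") and explicit.get("aws_secret_access_key"):
        return ("explicit", explicit["aws_access_key_id"])

    env = os.environ if env is None else env

    # 2. Environment variables come next.
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return ("environment", env["AWS_ACCESS_KEY_ID"])

    # 3. Shared credentials file; the profile comes from the explicit argument,
    #    then AWS_PROFILE, and finally falls back to [default].
    profile = profile or env.get("AWS_PROFILE") or "default"
    cfg = configparser.ConfigParser()
    cfg.read_string(credentials_text)
    if cfg.has_section(profile) and cfg[profile].get("aws_access_key_id"):
        return (f"shared-file:{profile}", cfg[profile]["aws_access_key_id"])

    # Nothing found in the modelled sources (the real chain would keep going).
    return (None, None)


def athena_client_for_profile(profile_name: str, region: str = "us-east-1"):
    """Build an Athena client from a named profile and report the identity it signs as.

    Real boto3 calls (needs boto3 installed and network access); not exercised
    by the offline model above. Returns (caller_arn, athena_client) so the ARN
    can be compared against the user the error message names before any
    StartQueryExecution call is made.
    """
    import boto3  # imported here so the offline model runs without boto3

    session = boto3.Session(profile_name=profile_name, region_name=region)
    caller_arn = session.client("sts").get_caller_identity()["Arn"]
    return caller_arn, session.client("athena")


if __name__ == "__main__":
    # With no explicit keys and no environment variables, the [default]
    # profile (the sa.prd stand-in) is what gets used.
    print(resolve_credentials(env={}))
    # Setting AWS_PROFILE switches the whole chain to the other user.
    print(resolve_credentials(env={"AWS_PROFILE": "sa.prd.athena"}))
```

If the default profile on the machine belongs to sa.prd, either export AWS_PROFILE=sa.prd.athena or pass profile_name explicitly; checking get_caller_identity first turns the AccessDeniedException into a clear "wrong identity" diagnosis, and keeps the secret key out of the source file.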