
How to access Athena from lambda function

I am using Serverless to deploy a Lambda function on AWS. My Lambda function is triggered when an object is created in a particular bucket and inserts records into Athena. When the Lambda function is deployed and triggered, it gives me the following error:

botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the StartQueryExecution operation: User: arn:aws:sts::[SERVICE]:assumed-role/[PROJECT]-dev-us-east-1-lambdaRole/[SERVICE]-dev-collector is not authorized to perform: athena:StartQueryExecution on resource: arn:aws:athena:us-east-1:[MY_ACCOUNT_NO]:workgroup/primary.

My serverless.yml is

service: MY_SERVICE

plugins:
  - serverless-python-requirements
custom:
  bucket: MY_BUCKET
  pythonRequirements:
      pythonBin: python3

provider:
  name: aws
  runtime: python3.7
  stage: dev
  region: us-east-1
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "s3:*"
      Resource:
        - arn:aws:s3:::${self:custom.bucket}
        - arn:aws:s3:::${self:custom.bucket}/*

    - Effect: "Allow"
      Action:
        - "athena:*"
      Resource:
        - arn:aws:s3:::${self:custom.bucket}
        - arn:aws:s3:::${self:custom.bucket}/*

functions:
  collector:
    handler: collector.run
    events:
      - s3:
          bucket: ${self:custom.bucket}
          event: s3:ObjectCreated:*
          rules:
            - prefix: test_folder/
          existing: true

Any idea how I can grant permissions to the Lambda function so it can insert records into Athena? Thanks in advance.

The Lambda execution role should allow access to Athena and your S3 bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "athena:StartQueryExecution"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::your-bucket-name/*"
    }
  ]
}

I just added these items to the serverless.yml file, i.e. gave access to Athena and Glue under the iamRoleStatements tag, and it works for me.

iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "s3:*"
      Resource:
        - arn:aws:s3:::${self:custom.bucket}
        - arn:aws:s3:::${self:custom.bucket}/*

    - Effect: "Allow"
      Action:
        - "glue:*"
      Resource:
        - "*"

    - Effect: "Allow"
      Action:
        - "athena:*"
      Resource:
        - "*"
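The error in the question is about resource matching, not about the action: the asker's statement allows `athena:*`, but its Resource is an S3 bucket ARN, which can never match the Athena workgroup ARN (`arn:aws:athena:...:workgroup/primary`) that StartQueryExecution is evaluated against. Both answers fix that by widening Resource to `*`, which also grants every other Athena and Glue action. The following script is an added example, not code from the question or either answer: it is a deliberately simplified IAM evaluator (Effect/Action/Resource only, IAM-style `*` and `?` wildcards, explicit Deny wins, no Condition or NotAction handling, no resource policies) that shows why the original statement fails, what the answer's `"*"` statement additionally grants, and what a scoped-down alternative looks like. The account id, bucket name, Glue database and table names and the results prefix are constructed placeholders.

```python
"""Simplified IAM policy evaluator for the Lambda-to-Athena permission problem.

Added example: models only Allow/Deny statements with Action and Resource
(no Condition, NotAction, principal or resource policies). Use it to reason
about which statements match a given call, not as a substitute for IAM.
"""
import re

# Constructed sample identifiers (placeholders, not values from the page).
ACCOUNT = "123456789012"
REGION = "us-east-1"
BUCKET = "my-bucket"

WORKGROUP_ARN = f"arn:aws:athena:{REGION}:{ACCOUNT}:workgroup/primary"
GLUE_TABLE_ARN = f"arn:aws:glue:{REGION}:{ACCOUNT}:table/mydb/mytable"
INPUT_OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/test_folder/data.json"
RESULTS_OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/athena-results/run1.csv"


def _match(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM-style glob: '*' matches any run of characters, '?' one character.
    Action names are compared case-insensitively; resource ARNs are not."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags | re.DOTALL) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(statements, action: str, resource: str) -> bool:
    """Return True if the statements grant `action` on `resource`.
    An explicit Deny that matches always wins over any Allow."""
    allowed = False
    for st in statements:
        if not any(_match(a, action, True) for a in _as_list(st["Action"])):
            continue
        if not any(_match(r, resource, False) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# The question's statements: the Athena statement names S3 ARNs as its
# Resource, so it never matches the workgroup ARN from the error message.
ASKER_STATEMENTS = [
    {"Effect": "Allow", "Action": ["s3:*"],
     "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]},
    {"Effect": "Allow", "Action": ["athena:*"],
     "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]},
]

# The second answer's statements: Athena and Glue on "*" make the call work,
# but also allow e.g. deleting workgroups or Glue tables.
ANSWER_STATEMENTS = [
    {"Effect": "Allow", "Action": ["s3:*"],
     "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]},
    {"Effect": "Allow", "Action": ["glue:*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["athena:*"], "Resource": "*"},
]

# A scoped-down alternative (assumed names): only the calls a query run needs,
# limited to one workgroup, one Glue database/table and a results prefix.
LEAST_PRIVILEGE_STATEMENTS = [
    {"Effect": "Allow",
     "Action": ["athena:StartQueryExecution", "athena:GetQueryExecution",
                "athena:GetQueryResults"],
     "Resource": WORKGROUP_ARN},
    {"Effect": "Allow",
     "Action": ["glue:GetDatabase", "glue:GetTable", "glue:GetPartitions"],
     "Resource": [f"arn:aws:glue:{REGION}:{ACCOUNT}:catalog",
                  f"arn:aws:glue:{REGION}:{ACCOUNT}:database/mydb",
                  GLUE_TABLE_ARN]},
    {"Effect": "Allow",
     "Action": ["s3:GetBucketLocation", "s3:ListBucket",
                "s3:GetObject", "s3:PutObject"],
     "Resource": [f"arn:aws:s3:::{BUCKET}",
                  f"arn:aws:s3:::{BUCKET}/test_folder/*",
                  f"arn:aws:s3:::{BUCKET}/athena-results/*"]},
]


def compare(action: str, resource: str) -> dict:
    """Evaluate one call against all three policies at once."""
    return {
        "asker": is_allowed(ASKER_STATEMENTS, action, resource),
        "answer": is_allowed(ANSWER_STATEMENTS, action, resource),
        "least_privilege": is_allowed(LEAST_PRIVILEGE_STATEMENTS, action, resource),
    }


if __name__ == "__main__":
    for action, resource in [
        ("athena:StartQueryExecution", WORKGROUP_ARN),   # the failing call
        ("athena:DeleteWorkGroup", WORKGROUP_ARN),       # granted only by "*"
        ("glue:GetTable", GLUE_TABLE_ARN),
        ("s3:PutObject", RESULTS_OBJECT_ARN),
    ]:
        print(f"{action:28s} {resource}\n    {compare(action, resource)}")
```

Running the script shows the asker's policy denying `athena:StartQueryExecution` on the workgroup ARN while both other policies allow it, and only the `"*"` policy allowing `athena:DeleteWorkGroup`. When checking a real role, prefer the IAM policy simulator over this model, since real evaluation also applies conditions, service control policies and permission boundaries.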

粤ICP备18138465号  © 2020-2024 STACKOOM.COM