
Running queries in AWS Athena from boto3 gives bad permissions

When trying to run queries from Python (boto3) against AWS Athena, the following error is raised:

botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the StartQueryExecution operation: User: arn:aws:iam::account-id:user/sa.prd is not authorized to perform: athena:StartQueryExecution on resource: arn:aws:athena:us-east-1:account-id:workgroup/primary

I don't have access to the AWS console. I was also informed that there is another user, "sa.prd.athena", that has the right permissions (which does not seem to be the case for "sa.prd").

  • Is it possible to use boto3 specifying a different user? Right now I don't specify any user.
  • If it is not possible to use a different user, is it possible to set some kind of policy for boto3 to use at runtime? (I ask because I don't have access to the AWS management console.)

Thanks,

BR

The user in AWS is determined by the credentials that are used to sign the API call to the AWS API. There are several ways to pass these credentials to the AWS SDKs in general (and boto3 in particular).

It looks for credentials in these places and takes them from the first one where they're present:

  1. Hard-coded credentials passed while instantiating a client
  2. Credentials stored in environment variables
  3. Credentials stored in ~/.aws/credentials (by default it uses those of the default profile)
  4. The instance metadata service on EC2/ECS/Lambda

Since you're not setting up credentials directly, I assume it takes them from the SDK configuration (3), so you could simply override them while instantiating your Athena client like this:

import boto3

# Credentials passed here take precedence over environment variables and
# ~/.aws/credentials. Replace the uppercase names with the values of the
# user you want the call signed as (sa.prd.athena in your case).
athena_client = boto3.client(
    'athena',
    aws_access_key_id=ACCESS_KEY,
    aws_secret_access_key=SECRET_KEY,
    aws_session_token=SESSION_TOKEN  # only needed for temporary credentials
)

This is an example adapted from the documentation; you need to put your own credentials in place of the uppercase variables.

Hard-coding these is considered bad practice, though, so you might want to look into option (2), using environment variables, or into setting up another profile in your local SDK configuration and telling the client to use that. Information on that can be found in the boto3 docs I linked above.
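The following is an added example, not code from the answer above or from boto3 itself. Its resolve_credentials() function replays the lookup order the answer lists (explicit client arguments, then AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY, then a profile in ~/.aws/credentials) with the standard library only, so you can check which identity a script will sign with before it touches AWS; it also models one detail the answer does not mention, namely that botocore skips the environment-variable step when profile_name is passed explicitly. run_athena_query() is the live counterpart: it assumes boto3 is installed and a working profile exists, confirms the caller ARN with STS GetCallerIdentity (which needs no IAM permission, so it works even when Athena is denied), then starts and polls the query. The profile names, key values, bucket and SQL are placeholders.

```python
"""Added example: which credentials will boto3 use, and does the ARN match?"""
import configparser
import time
from typing import Mapping, Optional

# Constructed sample of a ~/.aws/credentials file with two profiles; the key
# material is fake. A second profile is the answer's recommended way to point
# a script at a different IAM user without hard-coding anything.
SAMPLE_CREDENTIALS_FILE = """\
[default]
aws_access_key_id = AKIAEXAMPLE0DEFAULT
aws_secret_access_key = default-secret-placeholder

[athena]
aws_access_key_id = AKIAEXAMPLE00ATHENA
aws_secret_access_key = athena-secret-placeholder
"""


def resolve_credentials(
    explicit: Optional[Mapping[str, str]] = None,
    env: Optional[Mapping[str, str]] = None,
    credentials_file_text: str = SAMPLE_CREDENTIALS_FILE,
    profile_name: Optional[str] = None,
) -> dict:
    """Return the credentials boto3 would pick and where they came from.

    Order: explicit arguments, environment variables, shared credentials file.
    botocore drops the environment-variable step when profile_name is given
    explicitly, so a stray AWS_ACCESS_KEY_ID in the shell cannot override a
    named profile (assumption modelled here, matching botocore's resolver).
    """
    env = dict(env or {})
    # 1. Credentials passed directly to boto3.client() / boto3.Session().
    if explicit and explicit.get("aws_access_key_id") and explicit.get("aws_secret_access_key"):
        return {
            "source": "explicit",
            "aws_access_key_id": explicit["aws_access_key_id"],
            "aws_secret_access_key": explicit["aws_secret_access_key"],
            "aws_session_token": explicit.get("aws_session_token"),
        }
    # 2. Environment variables (only consulted when no profile was named).
    if profile_name is None and env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return {
            "source": "environment",
            "aws_access_key_id": env["AWS_ACCESS_KEY_ID"],
            "aws_secret_access_key": env["AWS_SECRET_ACCESS_KEY"],
            "aws_session_token": env.get("AWS_SESSION_TOKEN"),
        }
    # 3. ~/.aws/credentials: the named profile, else $AWS_PROFILE, else "default".
    profile = profile_name or env.get("AWS_PROFILE") or "default"
    parser = configparser.ConfigParser()
    parser.read_string(credentials_file_text)
    if parser.has_section(profile):
        section = parser[profile]
        return {
            "source": f"shared-credentials-file:{profile}",
            "aws_access_key_id": section["aws_access_key_id"],
            "aws_secret_access_key": section["aws_secret_access_key"],
            "aws_session_token": section.get("aws_session_token"),
        }
    # boto3 would go on to the container/instance metadata providers here;
    # on a plain workstation that ends in NoCredentialsError.
    raise LookupError(f"no credentials found for profile {profile!r}")


def run_athena_query(profile_name, sql, workgroup, region, output_location=None, timeout_s=120):
    """Live helper (needs boto3 and valid credentials; not exercised offline).

    Returns (caller_arn, query_execution_id, final_state). Check the ARN
    first: it tells you which user the call is signed as even when Athena
    itself returns AccessDeniedException.
    """
    import boto3  # imported lazily so resolve_credentials() works without boto3

    session = boto3.Session(profile_name=profile_name, region_name=region)
    caller_arn = session.client("sts").get_caller_identity()["Arn"]

    athena = session.client("athena")
    kwargs = {"QueryString": sql, "WorkGroup": workgroup}
    if output_location:  # required unless the workgroup enforces its own location
        kwargs["ResultConfiguration"] = {"OutputLocation": output_location}
    query_id = athena.start_query_execution(**kwargs)["QueryExecutionId"]

    deadline = time.monotonic() + timeout_s
    state = "QUEUED"
    while state in ("QUEUED", "RUNNING") and time.monotonic() < deadline:
        time.sleep(2)
        status = athena.get_query_execution(QueryExecutionId=query_id)["QueryExecution"]["Status"]
        state = status["State"]
    return caller_arn, query_id, state


if __name__ == "__main__":
    # Offline: naming the profile is what switches the identity.
    print(resolve_credentials(profile_name="athena"))
    print(resolve_credentials(env={"AWS_ACCESS_KEY_ID": "AKIAFROMENV", "AWS_SECRET_ACCESS_KEY": "x"}))
    # Live, with real settings (placeholder values shown):
    # print(run_athena_query("athena", "SELECT 1", "primary", "us-east-1",
    #                        output_location="s3://my-athena-results/"))
```

If the ARN printed by the live helper is still arn:aws:iam::account-id:user/sa.prd, the profile was not picked up and the script is still signing as the old user; fix the credential source before touching IAM policy, which a user without console access cannot change from the client side anyway.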
