我正在调用一个lambda函数,该函数正在从AWS Athena查询,执行查询时出现以下错误:
在 S3 路径上没有权限:s3://bkt_logs/apis/2020/12/16/14
注意:S3存储桶是加密的,并已附加策略以访问KMS密钥。
这些是我已经授予lambda函数的权限。
[
{
"Action": [
"s3:Get*",
"s3:List*",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::athena-query-results/*",
"Effect": "Allow",
"Sid": "AllowS3AccessToSaveAndReadQueryResults"
},
{
"Action": [
"s3:*"
],
"Resource": "arn:aws:s3:::bkt_logs/*",
"Effect": "Allow",
"Sid": "AllowS3AccessForGlueToReadLogs"
},
{
"Action": [
"athena:GetQueryExecution",
"athena:StartQueryExecution",
"athena:StopQueryExecution",
"athena:GetWorkGroup",
"athena:GetDatabase",
"athena:BatchGetQueryExecution",
"athena:GetQueryResults",
"athena:GetQueryResultsStream",
"athena:GetTableMetadata"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "AllowAthenaAccess"
},
{
"Action": [
"glue:GetTable",
"glue:GetDatabase",
"glue:GetPartitions"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "AllowGlueAccess"
},
{
"Action": [
"kms:CreateGrant",
"kms:DescribeKey"
],
"Resource": [
"*"
],
"Effect": "Allow",
"Sid": "AllowKMSAccess"
}
]
我正在使用的代码片段用于从Lambda进行查询。
const queryRequest = {
QueryExecutionContext: {
Database: this.databaseName
},
QueryString: query,
ResultConfiguration: {
OutputLocation: 's3://athena-query-results'
},
WorkGroup: this.workgroup
};
const queryExecutionId = await this.athenaService.startQueryExecution(queryRequest);
桶 bkt_logs 是 AWS Glue 爬虫用来填充 Athena 表的桶,而我正在查询该表。
这里有什么遗漏吗?