
I am using Serverless for deploying a Lambda function on AWS. My Lambda function is triggered when an object is created in a particular bucket and inserts records into Athena. When the Lambda function is deployed and triggered, it gives me the following error:

botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the StartQueryExecution operation: User: arn:aws:sts::[SERVICE]:assumed-role/[PROJECT]-dev-us-east-1-lambdaRole/[SERVICE]-dev-collector is not authorized to perform: athena:StartQueryExecution on resource: arn:aws:athena:us-east-1:[MY_ACCOUNT_NO]:workgroup/primary.

My serverless.yml is:

service: MY_SERVICE

plugins:
  - serverless-python-requirements
custom:
  bucket: MY_BUCKET
  pythonRequirements:
      pythonBin: python3

provider:
  name: aws
  runtime: python3.7
  stage: dev
  region: us-east-1
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "s3:*"
      Resource:
        - arn:aws:s3:::${self:custom.bucket}
        - arn:aws:s3:::${self:custom.bucket}/*

    - Effect: "Allow"
      Action:
        - "athena:*"
      Resource:
        - arn:aws:s3:::${self:custom.bucket}
        - arn:aws:s3:::${self:custom.bucket}/*

functions:
  collector:
    handler: collector.run
    events:
      - s3:
          bucket: ${self:custom.bucket}
          event: s3:ObjectCreated:*
          rules:
            - prefix: test_folder/
          existing: true

Any idea how I can grant permissions to the Lambda function so it can insert records into Athena? Thanks in advance.

2 Answers


The Lambda execution role should allow access to Athena and to your S3 bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "athena:StartQueryExecution"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "s3:*"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::your-bucket-name/*"
    }
  ]
}

5 Comments

How do I define these settings in the serverless.yml file?
In the second allow statement in your template, you allow the "athena:*" action on an S3 bucket, but it should reference your Athena service.
How can I reference my Athena service in the serverless.yml file?
You can find a lot of examples here: serverless.com/framework/docs/providers/aws/guide/iam
Can't find any example related to Athena.

I just added these items in the serverless.yml file, i.e. gave access to Athena and Glue under the iamRoleStatements tag, and it works for me.

iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "s3:*"
      Resource:
        - arn:aws:s3:::${self:custom.bucket}
        - arn:aws:s3:::${self:custom.bucket}/*

    - Effect: "Allow"
      Action:
        - "glue:*"
      Resource:
        - "*"

    - Effect: "Allow"
      Action:
        - "athena:*"
      Resource:
        - "*"
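Both answers fix the AccessDenied by widening the policy, but the root cause in the question is structural: an `athena:*` action was attached to `arn:aws:s3:::...` resources, which no Athena API call can ever match, so the statement grants nothing. The following added example (not code from the question, the answers or the Serverless project) is a small linter for the `iamRoleStatements` list that flags exactly that mismatch as an error, and flags `service:*` actions and `"*"` resources as least-privilege warnings. It takes the statements as the Python structure `yaml.safe_load` would give you for `provider.iamRoleStatements`, so PyYAML is not required to run it. The scoped replacement it checks is an assumption: the workgroup ARN shape comes from the page's error message, `ACCOUNT_ID` and `MY_DB` are placeholders, and the exact Athena/Glue actions your query needs (and the S3 access Athena needs on the workgroup's query-results location) must be confirmed against your own workload.

```python
"""Lint serverless.yml iamRoleStatements for action/resource mismatches and
over-broad wildcards.  Added example; not from the question or answers.
Input is the list that yaml.safe_load returns for provider.iamRoleStatements."""
from typing import List, Tuple

# Constructed copy of the question's statements: the broken version.
BROKEN_STATEMENTS: List[dict] = [
    {"Effect": "Allow", "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::MY_BUCKET", "arn:aws:s3:::MY_BUCKET/*"]},
    {"Effect": "Allow", "Action": ["athena:*"],          # Athena actions...
     "Resource": ["arn:aws:s3:::MY_BUCKET", "arn:aws:s3:::MY_BUCKET/*"]},  # ...on S3 ARNs
]

# Assumed least-privilege replacement.  ACCOUNT_ID and MY_DB are placeholders;
# the action list is an assumption and depends on the query being run.
SCOPED_STATEMENTS: List[dict] = [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::MY_BUCKET", "arn:aws:s3:::MY_BUCKET/*"]},
    {"Effect": "Allow",
     "Action": ["athena:StartQueryExecution", "athena:GetQueryExecution",
                "athena:GetQueryResults"],
     # Workgroup ARN shape taken from the error message in the question.
     "Resource": ["arn:aws:athena:us-east-1:ACCOUNT_ID:workgroup/primary"]},
    {"Effect": "Allow",
     "Action": ["glue:GetDatabase", "glue:GetTable", "glue:GetPartitions"],
     "Resource": ["arn:aws:glue:us-east-1:ACCOUNT_ID:catalog",
                  "arn:aws:glue:us-east-1:ACCOUNT_ID:database/MY_DB",
                  "arn:aws:glue:us-east-1:ACCOUNT_ID:table/MY_DB/*"]},
]


def _as_list(value) -> list:
    """YAML allows a scalar or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def arn_service(arn: str) -> str:
    """Return the service segment of an ARN: arn:<partition>:<service>:..."""
    parts = arn.split(":")
    return parts[2] if arn.startswith("arn:") and len(parts) > 2 else ""


def lint_statements(statements: List[dict]) -> List[Tuple[int, str, str]]:
    """Return (statement index, severity, message) findings.

    error: an action whose service can never match the resource ARN's service
           (the statement is dead, as with athena:* on an S3 bucket).
    warn:  a service-wide wildcard action or a "*" resource (works, but
           grants far more than the function needs).
    """
    findings: List[Tuple[int, str, str]] = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            svc, _, op = action.partition(":")
            if op == "*":
                findings.append((i, "warn", f"{action} grants every {svc} action"))
            for res in _as_list(st.get("Resource", [])):
                if res == "*":
                    findings.append((i, "warn", f"{action} allowed on every resource"))
                elif arn_service(res) != svc:
                    findings.append((i, "error",
                                     f"{action} can never match {res} "
                                     f"(resource service is {arn_service(res)!r})"))
    return findings


def has_errors(statements: List[dict]) -> bool:
    """True if any statement is dead (an action that cannot match its resource)."""
    return any(sev == "error" for _, sev, _ in lint_statements(statements))


if __name__ == "__main__":
    for label, stmts in (("broken", BROKEN_STATEMENTS), ("scoped", SCOPED_STATEMENTS)):
        print(f"== {label}")
        for idx, sev, msg in lint_statements(stmts) or [(None, "ok", "no findings")]:
            print(f"  statement {idx}: {sev}: {msg}")
```

Run against the question's statements it reports two errors on the second statement (the `athena:*` action against both S3 ARNs) plus a wildcard warning on each statement; run against the scoped replacement it reports nothing. The same linter will also show why the two answers above work: their statements are no longer dead, they just warn on `"*"`. A cut-down policy like the scoped one is what you want in the final serverless.yml, with the workgroup, database and table ARNs filled in from your own deployment.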
