Question
I have two accounts, A and B. The S3 buckets and the Athena view are in account A and the Lambda is in account B. I want to call Athena from my Lambda. I have also allowed the Lambda execution role in the S3 bucket policy. When I try to query the database from Lambda, it gives me the error: 'Status': {'State': 'FAILED', 'StateChangeReason': 'SYNTAX_ERROR: line 1:15: Schema db_name does not exist'
Below is my Lambda Code:
import boto3
import time

def lambda_handler(event, context):
    athena_client = boto3.client('athena')
    # Start the query; Athena executes it asynchronously and returns an execution id
    client_exc = athena_client.start_query_execution(
        QueryString='SELECT * FROM db_name.athena_view',
        ResultConfiguration={'OutputLocation': 's3://my-athena-out-bucket/'}
    )
    # Fetch the results (called immediately here, before the query has reached a terminal state)
    resp = athena_client.get_query_results(QueryExecutionId=client_exc['QueryExecutionId'])
    return resp
Please guide.
Answer 1:
Do the following:
Account (A): Create an IAM Role which has access to Athena and the S3 bucket, and also add permission for the role in account B to call AssumeRole on this role.
Account (B): Create an IAM Role and assign it to Lambda; it will assume the role in Account A which has access to Athena and S3 on a temporary basis.
See the following link: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html
Answer 2:
You have:
- Amazon S3 bucket in Account-A
- Amazon Athena in Account-A
- AWS Lambda function in Account-B
(This differs from your previous question, where you had Athena in Account-B accessing S3 in Account-A. In that scenario, a Bucket policy in Account-A was sufficient to grant access to S3 for Athena running in Account-B.)
Amazon Athena runs with the permissions of the IAM User or IAM Role that calls it. Therefore, the user or role that uses Athena needs permission to access the data in Amazon S3. In your previous question, this was accomplished via a Bucket Policy that provided Lambda with permission to access a bucket in a different account.
However, in this question, you have Lambda in one account wanting to use Amazon Athena in a different account. There is no ability to grant Athena access to users in a different account. Therefore, your Lambda function will need to assume a role in the Athena account.
Therefore:
- Create an IAM Role in Account-A (with Athena) that grants access to use Athena and the relevant Amazon S3 buckets
- The Lambda function in Account-B:
  - Should call AssumeRole() to 'become' the above role
  - Should use the credentials provided back to create a new Session, which is used to create a boto3 client for Athena
  - Should call
This will result in Lambda having access to Athena in Account-A, including any tables and views already created.
If you do not require the existing tables and views defined in Athena, then you could use Athena in the same account as Lambda, but the source S3 bucket would need to grant access to Lambda's IAM Role, as per your previous question.
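The procedure in this answer written out as added example code (not from the question or either answer): the Lambda in Account-B calls AssumeRole on a placeholder role ARN for the Account-A role, builds a boto3 Session from the temporary credentials, creates the Athena client from that session, and then waits for the query to reach a terminal state before reading results (the question's code calls get_query_results immediately, so a FAILED state is never noticed). The query and output location are the question's own; the role ARN is an assumed placeholder.

```python
"""Cross-account Athena from Lambda: assume the Account-A role, then query with its
temporary credentials. Example code, not from the question or the answers."""
import time

# Placeholder ARN (assumed): the role in Account A that trusts the Lambda role in Account B.
ROLE_ARN = "arn:aws:iam::111111111111:role/AthenaCrossAccountRole"
QUERY = "SELECT * FROM db_name.athena_view"
OUTPUT_LOCATION = "s3://my-athena-out-bucket/"
TERMINAL = {"SUCCEEDED", "FAILED", "CANCELLED"}

def session_kwargs(assume_role_response):
    """Map an STS AssumeRole response to the keyword arguments boto3.Session expects."""
    c = assume_role_response["Credentials"]
    return {"aws_access_key_id": c["AccessKeyId"],
            "aws_secret_access_key": c["SecretAccessKey"],
            "aws_session_token": c["SessionToken"]}

def assumed_role_session(role_arn=ROLE_ARN, session_name="lambda-athena"):
    """Assume the Account-A role and return a boto3 Session holding its temporary credentials."""
    import boto3  # imported lazily so the pure helpers here run without boto3 installed
    resp = boto3.client("sts").assume_role(RoleArn=role_arn, RoleSessionName=session_name)
    return boto3.Session(**session_kwargs(resp))

def wait_for_query(athena, execution_id, poll_seconds=1.0, max_polls=60):
    """Poll GetQueryExecution until the query is terminal; raise on FAILED/CANCELLED so an
    error like the question's 'Schema db_name does not exist' surfaces. Returns the state."""
    for _ in range(max_polls):
        status = athena.get_query_execution(QueryExecutionId=execution_id)["QueryExecution"]["Status"]
        state = status["State"]
        if state in TERMINAL:
            if state != "SUCCEEDED":
                raise RuntimeError(f"Athena query {state}: {status.get('StateChangeReason')}")
            return state
        time.sleep(poll_seconds)
    raise TimeoutError(f"query {execution_id} still running after {max_polls} polls")

def run_query(athena, query=QUERY, output=OUTPUT_LOCATION):
    """Start the query, wait for it to finish, and only then fetch the result rows."""
    qid = athena.start_query_execution(
        QueryString=query, ResultConfiguration={"OutputLocation": output})["QueryExecutionId"]
    wait_for_query(athena, qid)
    return athena.get_query_results(QueryExecutionId=qid)["ResultSet"]["Rows"]

def lambda_handler(event, context):
    athena = assumed_role_session().client("athena")  # client carries Account-A credentials
    return run_query(athena)
```

The Athena client inherits the region from the Lambda environment; the Account-A role must allow the Athena API calls, the Glue catalog read, the source buckets and the output bucket for this to succeed.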
Source: https://stackoverflow.com/questions/60506048/access-aws-athena-from-python-lambda-in-different-account