我拥有 Lake Formation 权限,并且我的 Athena 查询运行良好。
我现在想将 IAM 用户限制为只能访问某些记录,因此我添加了 Lake Formation 数据过滤器。一旦我这样做了,Athena 就报告错误:Insufficient permissions to execute the query. Caller does not have full access to table。
这是为什么?
我拥有 Lake Formation 权限,并且我的 Athena 查询运行良好。
我现在想将 IAM 用户限制为只能访问某些记录,因此我添加了 Lake Formation 数据过滤器。一旦我这样做了,Athena 就报告错误:Insufficient permissions to execute the query. Caller does not have full access to table。
这是为什么?
原因隐藏在文档中:
要对使用行级和单元格级筛选的表运行查询操作,您必须使用一个名为 AmazonAthenaLakeFormation 的特殊工作组。
您只需要创建一个具有该特殊名称(!)的工作组。
但你还没有完成!
一旦你切换到使用该工作组,你会得到一个不同的错误:Insufficient permissions to execute the query. Encountered an exception executed in context[planning query] with message[User: XXXXXXXXX is not authorized to perform: lakeformation:StartQueryPlanning on resource
要解决此问题,请按照错误信息中的说明向该用户授予 IAM 权限 lakeformation:StartQueryPlanning。
但你还没有完成!
添加该 IAM 权限后,您会发现 StartQueryPlanning 还依赖于其他 IAM 权限;授予之后它又会要求更多权限,如此反复。我最终创建了一个名为 GlueReadOnly 的策略来解决问题(注意,下面的策略在 "Resource": "*" 上授予全部这些只读操作,即覆盖账户中的所有 Glue/Lake Formation 资源;如需更严格的最小权限,可将 Resource 收窄到实际查询的目录、数据库和表):
{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "glue:SearchTables",
            "lakeformation:SearchDatabasesByLFTags",
            "glue:GetCrawler",
            "glue:GetDataCatalogEncryptionSettings",
            "glue:BatchGetDevEndpoints",
            "glue:CheckSchemaVersionValidity",
            "glue:GetTableVersions",
            "glue:GetPartitions",
            "glue:GetMLTransform",
            "lakeformation:GetWorkUnits",
            "glue:GetWorkflowRunProperties",
            "glue:GetSchema",
            "glue:GetDevEndpoint",
            "glue:GetSecurityConfiguration",
            "glue:GetResourcePolicy",
            "glue:GetTrigger",
            "glue:GetUserDefinedFunction",
            "glue:GetJobRun",
            "glue:GetResourcePolicies",
            "glue:GetUserDefinedFunctions",
            "glue:GetClassifier",
            "glue:GetSchemaByDefinition",
            "glue:ListWorkflows",
            "glue:GetJobs",
            "glue:GetTables",
            "glue:GetSchemaVersionsDiff",
            "lakeformation:SearchTablesByLFTags",
            "glue:GetTriggers",
            "glue:GetWorkflowRun",
            "lakeformation:GetLFTag",
            "lakeformation:GetResourceLFTags",
            "glue:GetMapping",
            "glue:GetPartition",
            "glue:GetDevEndpoints",
            "lakeformation:GetQueryStatistics",
            "glue:BatchGetWorkflows",
            "lakeformation:GetDataLakeSettings",
            "glue:ListDevEndpoints",
            "glue:BatchGetJobs",
            "glue:ListRegistries",
            "glue:GetJob",
            "glue:GetWorkflow",
            "glue:ListSchemaVersions",
            "lakeformation:StartQueryPlanning",
            "glue:GetConnections",
            "glue:GetCrawlers",
            "glue:GetClassifiers",
            "glue:GetCatalogImportStatus",
            "glue:GetTableVersion",
            "glue:GetConnection",
            "glue:ListMLTransforms",
            "glue:ListSchemas",
            "glue:GetJobBookmark",
            "glue:GetMLTransforms",
            "glue:GetRegistry",
            "lakeformation:GetEffectivePermissionsForPath",
            "lakeformation:ListLFTags",
            "lakeformation:GetWorkUnitResults",
            "glue:BatchGetPartition",
            "glue:GetMLTaskRuns",
            "glue:GetSecurityConfigurations",
            "glue:ListTriggers",
            "glue:GetDatabases",
            "lakeformation:GetQueryState",
            "glue:ListJobs",
            "glue:GetTags",
            "glue:GetTable",
            "glue:GetDatabase",
            "glue:GetMLTaskRun",
            "lakeformation:DescribeResource",
            "glue:GetDataflowGraph",
            "glue:BatchGetCrawlers",
            "glue:GetSchemaVersion",
            "glue:QuerySchemaVersionMetadata",
            "glue:BatchGetTriggers",
            "lakeformation:GetTableObjects",
            "glue:GetWorkflowRuns",
            "lakeformation:DescribeTransaction",
            "glue:GetPlan",
            "glue:ListCrawlers",
            "glue:GetCrawlerMetrics",
            "glue:GetJobRuns"
        ],
        "Resource": "*"
    }
]
}