I'm grasping at straws at this point. I have a Database in LakeFormation and I've given the quicksight service role access to it as well as underlying tables (and their S3 buckets). I've also verified that the quicksight location (us-east-1 N. Virginia) is the same as the s3 bucket locations for the underlying tables. After all of this, when I click on "new dataset" and select Athena, I still can't see my database under the AwsDataCatalog. If I go to athena directly, I can see my DBs + tables there. What else do I need to do?
Thanks!
I had the same issue and it seems QuickSight does not consider the Lake Formation permissions granted to an IAM role or user but rather looks for Lake Formation permissions granted to a specific QuickSight user (or to the QuickSight group to which the QuickSight user belongs).
For QuickSight, Lake Formation permissions thus need to be granted to QuickSight ARNs, e.g. arn:aws:quicksight:us-east-1:111122223333:user/default/YourUserName
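As an added illustration of the point above (this is example code, not part of the original answer or of any AWS-provided tooling), the script below builds the Lake Formation grants a QuickSight reader needs and refuses to target an IAM principal by mistake. The account id, region, database and table names are constructed placeholders; the request shape is the real `lakeformation.grant_permissions` API, and `as_cli` prints the equivalent `aws lakeformation grant-permissions` command so the grants can be reviewed before anything is applied.

```python
"""Grant Lake Formation read access to a QuickSight user or group.

Added example (not from the original posts). ACCOUNT_ID, REGION, DATABASE and
TABLES are constructed placeholders; replace them with your own values.
"""
import json
import os
import re
import shlex

ACCOUNT_ID = "111122223333"   # constructed sample account id
REGION = "us-east-1"          # QuickSight region (must match the S3 data region)
DATABASE = "sales_db"         # constructed sample Lake Formation database
TABLES = ["orders", "customers"]

_QS_ARN_RE = re.compile(r"^arn:aws:quicksight:[a-z0-9-]+:\d{12}:(user|group)/[^/]+/.+$")


def quicksight_principal_arn(account_id, region, name, kind="user", namespace="default"):
    """Return the QuickSight user/group ARN Lake Formation must be granted to.

    QuickSight does not evaluate grants made to the IAM role it runs as; the
    grant must name the QuickSight user or group itself.
    """
    if kind not in ("user", "group"):
        raise ValueError("kind must be 'user' or 'group'")
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account_id must be a 12-digit AWS account id")
    return f"arn:aws:quicksight:{region}:{account_id}:{kind}/{namespace}/{name}"


def is_quicksight_principal(arn):
    """True for a QuickSight user/group ARN, False for IAM users/roles."""
    return bool(_QS_ARN_RE.match(arn))


def grant_requests(principal_arn, catalog_id, database, tables=None):
    """Build GrantPermissions requests: DESCRIBE on the database so it shows up
    in the dataset browser, SELECT on the listed tables (or all tables via
    TableWildcard when *tables* is None)."""
    if not is_quicksight_principal(principal_arn):
        raise ValueError("grant to the QuickSight user/group ARN, not to an IAM principal")
    principal = {"DataLakePrincipalIdentifier": principal_arn}
    requests = [{
        "CatalogId": catalog_id,
        "Principal": principal,
        "Resource": {"Database": {"CatalogId": catalog_id, "Name": database}},
        "Permissions": ["DESCRIBE"],
    }]
    table_specs = (
        [{"CatalogId": catalog_id, "DatabaseName": database, "Name": t} for t in tables]
        if tables else
        [{"CatalogId": catalog_id, "DatabaseName": database, "TableWildcard": {}}]
    )
    for spec in table_specs:
        requests.append({
            "CatalogId": catalog_id,
            "Principal": principal,
            "Resource": {"Table": spec},
            "Permissions": ["SELECT"],
        })
    return requests


def as_cli(request):
    """Render one request as the equivalent AWS CLI command for review."""
    return " ".join([
        "aws lakeformation grant-permissions",
        "--catalog-id", request["CatalogId"],
        "--principal", shlex.quote(json.dumps(request["Principal"])),
        "--resource", shlex.quote(json.dumps(request["Resource"])),
        "--permissions", *request["Permissions"],
    ])


def apply_grants(client, requests):
    """Send each request through a boto3 lakeformation client; returns the count."""
    for req in requests:
        client.grant_permissions(**req)
    return len(requests)


if __name__ == "__main__":
    arn = quicksight_principal_arn(ACCOUNT_ID, REGION, "YourUserName")
    reqs = grant_requests(arn, ACCOUNT_ID, DATABASE, TABLES)
    for r in reqs:
        print(as_cli(r))
    # Only touch the real account when explicitly asked to.
    if os.environ.get("APPLY_GRANTS") == "1":
        import boto3
        apply_grants(boto3.client("lakeformation", region_name=REGION), reqs)
```

Run it without `APPLY_GRANTS=1` to get the CLI commands for review; a QuickSight group ARN (`kind="group"`) is usually the better grant target so that membership, not individual grants, controls who can see the database.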
I'm using AWS Lake Formation to manage the permissions needed to use Athena.
For one of the users I revoked all his permissions, so now he can't see the databases and tables in the Athena catalog, but when he runs any request directly from the editor, it still works.
He's not a Lake Formation data lake administrator, and he has full access to Athena.
I think it's because the Athena service has permissions via a service-linked role (created by Lake Formation): https://docs.aws.amazon.com/lake-formation/latest/dg/service-linked-roles.html
Since the user has access to Athena, his requests are being executed by the Athena service (which still has access).
There is an S3 bucket that has "Bucket and objects not public" access. Within Athena, there is a table that is pulling data from the S3 bucket successfully. However, I cannot pull the data from Athena to QuickSight. My conclusion is that it is because the S3 bucket has "Bucket and objects not public" access. Is this correct?
Is it the case that Athena has some kind of special access to the S3 bucket, but QuickSight doesn't?
Here is a crude illustration of the issue:
I'm a total beginner when it comes to AWS so I apologise for missing any information.
Thanks in advance.
To verify that you can connect Amazon QuickSight to Athena, check the following settings:
AWS resource permissions inside of Amazon QuickSight
AWS IAM policies
S3 bucket location
Query results location
If S3 bucket location and Query results location are correct, you might have issues with Amazon QuickSight resource permissions. You have to make sure that Amazon QuickSight can access the S3 buckets used by Athena:
Choose your profile name. Choose Manage QuickSight, then choose Security & permissions.
Choose Add or remove.
Locate Athena and select it to enable Athena (choose Connect both).
Choose the buckets that you want to access and click Select.
Choose Update.
I have set up a reporting stack using data stored in S3, schema mapped by AWS Glue, queried by Amazon Athena, and visualized in Amazon QuickSight.
I gave QuickSight permissions to access the three aws-athena-query-results buckets I have (see below)
However, when I try to build reports based on my Athena table, it throws an error. I went back in and explicitly gave it access to the S3 bucket that holds my raw data, and now I have visualizations.
My question is whether or not this is how it should need to be set up. My assumption was that Athena has access to S3, and QuickSight has access to Athena and its results, so it shouldn't need direct access to each S3 bucket storing raw data. It seems it would generate a lot of overhead each time there is a new S3 bucket to be reported on that you need to go grant Athena and QuickSight access.
From reading this page: Troubleshoot Athena Insufficient Permissions, it's unclear which buckets are required.
Yes, at the moment, QuickSight needs to be granted explicit access to both Athena and the underlying buckets that Athena accesses. I got this answer from discussion with Amazon so, unfortunately, I don't have a source to link.
I have 2 AWS accounts: Account1, and Account2. I have some data stored in S3 in Account1, and I registered that data into an Athena table in Account1. Now, I would like to access the same Athena table from Account2. I realize that I could create an Athena table in Account2 to query data in Account1, but ideally I would like to keep all the tables under Account1.
Since May 2021 it is now possible to register a data catalog from a different account in Amazon Athena, see the User Guide.
Athena Query Engine v2 is required though and there are some other limitations.
As of today, it seems possible only by deploying in Account2 (the account you want to query from) a Lambda with the proper cross-account permissions to access the data catalog in Account1.
See this other answer and the associated post on AWS blog.
My IAM users can't see the Athena tables I've created a long time ago using the root account.
Their group has the following permissions:
AmazonS3FullAccess
AmazonAthenaFullAccess
They only see the sampledb databases, which is unfortunate, because they need the one we actually use. The documentation is not clear on how to make the databases accessible to everyone. How do I achieve that?
Your permissions are correct.
Athena's context is not currently shared across regions. Ensure that the users are viewing Athena from the same region as the root account. When they log in to AWS, they may be initially placed in another region.
You need Glue permissions; Glue is the service in charge of managing databases and tables in AWS.
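As an added example of the Glue point (not part of the answer above or of any AWS-supplied policy), the script below generates a read-only Glue Data Catalog policy scoped to named databases, and includes a small offline evaluator that reports which catalog reads a given policy would still refuse. The account id, region and database names are constructed placeholders; the `glue:` actions and the catalog/database/table ARN formats are the real ones. The evaluator only understands Allow/Deny statements with `*` wildcards, enough for a sanity check, and is not a replacement for the IAM policy simulator.

```python
"""Least-privilege Glue Data Catalog read access for Athena users.

Added example (not from the original question or answers). ACCOUNT_ID, REGION
and the database/table names are constructed placeholders.
"""
import fnmatch
import json

ACCOUNT_ID = "111122223333"   # constructed sample account id
REGION = "us-east-1"

# Read-only catalog actions needed to list databases and resolve tables/partitions.
GLUE_READ_ACTIONS = [
    "glue:GetDatabase", "glue:GetDatabases",
    "glue:GetTable", "glue:GetTables",
    "glue:GetPartition", "glue:GetPartitions",
    "glue:BatchGetPartition",
]


def glue_arns(account_id, region, database, table="*"):
    """Catalog, database and table ARNs; Glue checks all three for a table read."""
    base = f"arn:aws:glue:{region}:{account_id}"
    return [f"{base}:catalog", f"{base}:database/{database}", f"{base}:table/{database}/{table}"]


def glue_read_policy(account_id, region, databases):
    """IAM policy granting catalog read access to the given databases only.

    Unlike a blanket glue:* this lets users see and query these databases but
    not create, alter or drop catalog objects, nor browse other databases.
    """
    resources = []
    for db in databases:
        resources.extend(glue_arns(account_id, region, db))
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "GlueCatalogRead",
            "Effect": "Allow",
            "Action": GLUE_READ_ACTIONS,
            "Resource": sorted(set(resources)),
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action, resource):
    """True if an Allow statement matches action and resource and no Deny does.

    '*' wildcards are honoured in both Action and Resource, as in IAM.
    """
    allowed = False
    for stmt in policy["Statement"]:
        act_ok = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
        res_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", [])))
        if act_ok and res_ok:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def missing_for_table_read(policy, account_id, region, database, table):
    """(action, resource) pairs still denied when reading *database*.*table*."""
    gaps = []
    for arn in glue_arns(account_id, region, database, table):
        for action in GLUE_READ_ACTIONS:
            if not policy_allows(policy, action, arn):
                gaps.append((action, arn))
    return gaps


if __name__ == "__main__":
    policy = glue_read_policy(ACCOUNT_ID, REGION, ["sales_db"])
    print(json.dumps(policy, indent=2))
    # Constructed policy with Athena and S3 actions but no Glue actions at all.
    athena_and_s3_only = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["athena:*", "s3:*"], "Resource": "*"}]}
    print("catalog reads denied without Glue:",
          len(missing_for_table_read(athena_and_s3_only, ACCOUNT_ID, REGION, "sales_db", "orders")))
    print("catalog reads denied with the scoped policy:",
          len(missing_for_table_read(policy, ACCOUNT_ID, REGION, "sales_db", "orders")))
```

Attach the generated policy to the users' group alongside their Athena and S3 permissions; the `missing_for_table_read` check is useful before rollout to confirm a proposed policy covers the catalog, the database and the table ARN, since a grant on only the table ARN still leaves the database invisible in the Athena console.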