My IAM users can't see the Athena tables I've created a long time ago using the root account.
Their group has the following permissions:
AmazonS3FullAccess
AmazonAthenaFullAccess
They only see the sampledb databases, which is unfortunate, because they need the one we actually use. The documentation is not clear on how to make the databases accessible to everyone. How do I achieve that?
Your permissions are correct.
Athena's context is not currently shared across regions. Ensure that the users are viewing Athena from the same region as the root account. When they login to AWS, they may be initially placed in another region.
You need Glue permissions, Glue is the service in charge of manage Databases and Tables in AWS
Related
I am getting this message when I try to create a crawler on AWS Glue:
{"service":"AWSGlue","statusCode":400,"errorCode":"AccessDeniedException","requestId":"RequestIDNumber","errorMessage":"Account <AccountID> is denied access.","type":"AwsServiceError"}
already attached all those policies below to the IAM
All my Policies here
Already setup permissions to the AWS lake formation for the role too
Already created a custom policy kms to it too
And I am stucked, I cannot create a crawler!
I am in the root account, actually there`s no other account just the root, It's a super new account I created in AWS so I don't know what to do to be able to create this simple crawler
My ideia its to use it with dynamodb as data source
The message says there is something wrong with my account permission not with a role
Someone has an idea?
Thank you so much
Not sure the reason, but loads of people have been having this issue. You can submit a ticket through AWS account support. I actually submitted two, including one through the unpaid support version and one through my paid account. They answered both tickets.
Basically, just tell them you need access to Glue and they should alter whatever it is to give you access. Sorry it's not a better answer, but I found no other useful information anywhere.
I propose to try using a separate user and attaching the policy you created to it.
I am trying to create a crawler in AWS Glue, but it gives error: {"service":"AWSGlue","statusCode":400,"errorCode":"AccessDeniedException","requestId":"<requestId>","errorMessage":"Account <accountId> is denied access.","type":"AwsServiceError"}.
This is what I've done so far:
Create a database in AWS Glue
Add tables in the database using a crawler
Name the crawler
Choose Amazon S3 as the data store and specified a path to a csv file inside a bucket in my account
Choose an existing IAM role I've created before
Choose a database I've created before
Press finish.
When I press finish, the above error is occurred.
I have grant AdministratorAccess both to IAM user and role used to create the crawler, so I assume there is no lack of permission issues. The bucket used is not encrypted and located in the same region as the AWS Glue.
I also have tried to create another database and specified a path to a different csv file but it is not solved the problem.
Any help would be very appreciated. Thanks.
I have contacted the owner (the root user) of this account and the owner asked for help to AWS Premium Support. The AWS Premium Support told us that all the required permissions to create AWS Glue Crawler are already provided and there is no SCPs attached to the account. After waiting around 7-working-day, finally I can create AWS Glue Crawler without any errors.
Unfortunately, I don't have any further information on how the AWS Premium Support solve the issue. For those of you who encounter similar errors like me, just try to contact the owner of the account, because most likely the issue is out of your control. Hope this helps in the future. Thanks.
How to get the usage metrics of S3.
Currently, IAM users are uploading/downloading files from the S3 bucket. Each IAM user has a separate folder. How to access, how many GB of data were transferred/downloaded from S3?.
You can't. There is no such metric provided by AWS. You have to develop a custom solution for that. If you, for example, have CloudTrial trial enabled for S3 operations, you can parse the past logs and based on them build up a report on who downloaded/upload what. Once you know what objects were uploaded/downloaded by a give IAM user, you can add up their sizes.
I'm grasping at straws at this point. I have a Database in LakeFormation and I've given the quicksight service role access to it as well as underlying tables (and their S3 buckets). I've also verified that the quicksight location (us-east-1 N. Virginia) is the same as the s3 bucket locations for the underlying tables. After all of this, when I click on "new dataset" and select Athena, I still can't see my database under the AwsDataCatalog. If I go to athena directly, I can see my DBs + tables there. What else do I need to do?
Thanks!
I had the same issue and it seems QuickSight does not consider the Lake Formation permissions granted to an IAM role or user but rather looks for Lake Formation permissions granted to a specific QuickSight user (or to the QuickSight group to which the QuickSight user belongs).
For QuickSight, Lake Formation permissions thus need to be granted to QuickSight ARNs, e.g. arn:aws:quicksight:us-east-1:111122223333:user/default/YourUserName
I am having a hard time understanding Azure docs and terminologies. The problem is this. My customer has an azure bucket and we need to read/write to this bucket. They won't be sharing their storage account credentials either.
This can be achieved in AWS by following this:
https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/
I have just created an IAM user and asked my customers to allow the necessary permissions in the bucket policy. Thus, with one IAM user and one set of credentials, I can write to multiple buckets belonging to multiple AWS accounts.
Is something like above also possible in Azure?
they can create a Shared access signature while they can control what kind of access you need to have and also when to expire.