
Access denied when writing to location: s3://[bucket]/queryDailyInventory/Unsaved/2019/07/10/4da06507-a43f-4db0-bd46-81660e58fe35.txt

This query ran against the "default" database, unless qualified by the query. Please post the error message on our forum or contact customer support with Query Id: 4da06507-a43f-4db0-bd46-81660e58fe35.

Hi all,

Above is the error message in its entirety, unchanged except for removing the bucket name, which contains some private information. This bucket is public, and I have demonstrated my write access to this bucket by creating files and folders in it. However, my Athena query which is set to write to this folder (using settings at the top right of the Athena console). My Athena console is set to eu-west-1 to match the bucket's location, by the way.

1 Answer


Q: What does the policy you use to access Athena look like?

Athena might require more than simple PutItem write-access to the bucket as described in the docs. [1]

There is the managed policy AmazonAthenaFullAccess which includes the following statements:

{
    "Effect": "Allow",
    "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload",
        "s3:CreateBucket",
        "s3:PutObject"
    ],
    "Resource": [
        "arn:aws:s3:::aws-athena-query-results-*"
    ]
},
{
    "Effect": "Allow",
    "Action": [
        "s3:GetObject",
        "s3:ListBucket"
    ],
    "Resource": [
        "arn:aws:s3:::athena-examples*"
    ]
},
{
    "Effect": "Allow",
    "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
    ],
    "Resource": [
        "*"
    ]
}

Note: Please adjust the resource name according to your bucket ARN (except for the last statement).

References

[1] https://docs.aws.amazon.com/athena/latest/ug/amazonathenafullaccess-managed-policy.html
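Added example, not part of the original answer: a small offline check of whether an identity policy covers the actions from the first statement quoted above on a given Athena query result location. Adapting the resource to a single bucket needs both the bucket ARN and the `bucket/*` object ARN, which the wildcard in the managed policy covers implicitly. The bucket name, policies and function names are constructed for illustration, and the evaluation is simplified (no Deny, Condition, NotAction, NotResource or bucket policy).

```python
import re

# Actions from the first statement quoted above, grouped by the S3 resource
# type IAM evaluates them against (bucket ARN vs. object ARN).
BUCKET_ACTIONS = ["s3:GetBucketLocation", "s3:ListBucket",
                  "s3:ListBucketMultipartUploads", "s3:CreateBucket"]
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject",
                  "s3:ListMultipartUploadParts", "s3:AbortMultipartUpload"]

def _match(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters (including '/'), '?' one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _listify(v):
    return [v] if isinstance(v, (str, dict)) else list(v)

def allows(policy, action, arn):
    """True if an Allow statement covers this action on this ARN.
    Simplification: Deny, NotAction, NotResource and Condition are ignored."""
    for st in _listify(policy["Statement"]):
        if st.get("Effect") != "Allow" or "Action" not in st or "Resource" not in st:
            continue
        if (any(_match(p, action, True) for p in _listify(st["Action"]))
                and any(_match(p, arn) for p in _listify(st["Resource"]))):
            return True
    return False

def uncovered_actions(policy, location):
    """Actions from the lists above that `policy` does not allow on an
    Athena query result location given as s3://bucket/prefix/."""
    bucket, _, prefix = location[len("s3://"):].partition("/")
    bucket_arn = "arn:aws:s3:::" + bucket
    object_arn = bucket_arn + "/" + prefix + "result.txt"  # constructed key
    gaps = [a for a in BUCKET_ACTIONS if not allows(policy, a, bucket_arn)]
    gaps += [a for a in OBJECT_ACTIONS if not allows(policy, a, object_arn)]
    return gaps

# Constructed sample policies; "example-results-bucket" is a placeholder name.
ALL = BUCKET_ACTIONS + OBJECT_ACTIONS
BUCKET_ONLY = {"Statement": [{"Effect": "Allow", "Action": ALL,
    "Resource": ["arn:aws:s3:::example-results-bucket"]}]}
BUCKET_AND_OBJECTS = {"Statement": [{"Effect": "Allow", "Action": ALL,
    "Resource": ["arn:aws:s3:::example-results-bucket",
                 "arn:aws:s3:::example-results-bucket/*"]}]}
LOCATION = "s3://example-results-bucket/queryDailyInventory/"

if __name__ == "__main__":
    print(uncovered_actions(BUCKET_ONLY, LOCATION))
    print(uncovered_actions(BUCKET_AND_OBJECTS, LOCATION))
```

With the bucket-only resource, the object-level actions (including `s3:PutObject`) are reported as uncovered, which is the gap that surfaces as an access-denied error when results are written.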


5 Comments

Hi, I have gotten my administrator to make these changes, and I have been able to create a table. Thanks! I am wondering if you know if other permissions need to be made for querying. I am using the preview table query Amazon provides and it is giving an all access disabled error.
You are still getting an access denied error. Did I understand you correctly? :)
When trying to run this query (provided by Amazon): SELECT * FROM "default"."s3inventory" limit 10; I get this error: HIVE_UNKNOWN_ERROR: All access to this object has been disabled (Service: Amazon S3; Status Code: 403; Error Code: AllAccessDisabled; Request ID: 388F4445FBF94AFE; S3 Extended Request ID: Qox+F/DURwv1D6fS5BWbAVRat6mrylHSxCdl6+YpcmdCX8fdITbIyR45681RpF2M9UYXrhXymJA=)
Which location is configured in Athena? The error indicates that you might be accessing the wrong bucket.
In settings, I have selected a bucket I know to be public, and to troubleshoot, I switched to a non-public bucket to which I nevertheless have access. Same error regardless. As another troubleshooting effort, I changed the name of the table from "default"."s3inventory" to "default"."s4inventory" and found that change to give a different error indicating a non-existing table.
