如何解决如何从 lambda 函数访问 Athena
我正在使用无服务器在 aws 上部署 lambda 函数。我的 lambda 函数在特定存储桶中创建对象并在 Athena 中插入记录时触发。当部署 lambda 函数并触发 lambda 时,它会给我以下错误:
botocore.exceptions.ClientError: 调用 StartQueryExecution 操作时发生错误 (AccessDeniedException):用户:arn:aws:sts::[SERVICE]:assumed-role/[PROJECT]-dev-us-east-1- lambdaRole/[SERVICE]-dev-collector 无权在资源上执行:athena:StartQueryExecution:arn:aws:athena:us-east-1:[MY_ACCOUNT_NO]:workgroup/primary。
我的 serveless.yml 是
service: MY_SERVICE
plugins:
- serverless-python-requirements
custom:
bucket: MY_BUCKET
pythonRequirements:
pythonBin: python3
provider:
name: aws
runtime: python3.7
stage: dev
region: us-east-1
iamRoleStatements:
- Effect: "Allow"
Action:
- "s3:*"
Resource:
- arn:aws:s3:::${self:custom.bucket}
- arn:aws:s3:::${self:custom.bucket}/*
- Effect: "Allow"
Action:
- "athena:*"
Resource:
- arn:aws:s3:::${self:custom.bucket}
- arn:aws:s3:::${self:custom.bucket}/*
functions:
collector:
handler: collector.run
events:
- s3:
bucket: ${self:custom.bucket}
event: s3:ObjectCreated:*
rules:
- prefix: test_folder/
existing: true
知道如何向 lambda 函数授予权限以便它可以在 athena 中插入记录吗? 提前致谢。
解决方法
Lambda 执行角色应允许访问 Athena。和您的 S3 存储桶。
{
"Version": "2012-10-17","Statement": [
{
"Action": [
"athena:StartQueryExecution"
],"Effect": "Allow","Resource": "*"
},{
"Action": [
"s3:*"
],"Resource": "arn:aws:s3:::your-bucket-name/*"
}
]
}
我刚刚在 serverless.yml 文件中添加了这些项目,即在 iamRoleStatements 标签下提供对 athena 和胶水的访问权限,它对我有用。
iamRoleStatements:
- Effect: "Allow"
Action:
- "s3:*"
Resource:
- arn:aws:s3:::${self:custom.bucket}
- arn:aws:s3:::${self:custom.bucket}/*
- Effect: "Allow"
Action:
- "glue:*"
Resource:
- "*"
- Effect: "Allow"
Action:
- "athena:*"
Resource:
- "*"
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。
