
Athena reports "Insufficient permissions to execute the query. Caller does not have full access to table"


I have Lake Formation permissions in place and my Athena query runs fine.

I would now like to limit an IAM user to only certain records, so I added a Lake Formation data filter. Once I do that, Athena reports "Insufficient permissions to execute the query. Caller does not have full access to table".

Why is that?


Solution

  • The reason is buried in the documentation:

    To run query operations against tables that use row- and cell-level filtering, you must use a special workgroup called AmazonAthenaLakeFormation.

    You just need to create a workgroup with that special name(!).

    But you're not done yet!

    Once you switch to using that workgroup, you'll get a different error: "Insufficient permissions to execute the query. Encountered an exception executed in context[planning query] with message[User: XXXXXXXXX is not authorized to perform: lakeformation:StartQueryPlanning on resource"

    To fix this, follow the instructions to grant the IAM permission lakeformation:StartQueryPlanning to the user.

    But you're not done yet!

    Once you add that IAM permission, you'll discover that StartQueryPlanning depends on other IAM permissions. Then it asks for more permissions, and so on. I ended up creating a policy called GlueReadOnly which solves the problem. Note that it is deliberately broad: it grants every Glue/Lake Formation read action listed below on `"Resource": "*"`, so once your query works you may want to trim it down to the actions the error messages actually asked for and scope the Resource to your specific catalog, database and table ARNs:

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "glue:SearchTables",
                "lakeformation:SearchDatabasesByLFTags",
                "glue:GetCrawler",
                "glue:GetDataCatalogEncryptionSettings",
                "glue:BatchGetDevEndpoints",
                "glue:CheckSchemaVersionValidity",
                "glue:GetTableVersions",
                "glue:GetPartitions",
                "glue:GetMLTransform",
                "lakeformation:GetWorkUnits",
                "glue:GetWorkflowRunProperties",
                "glue:GetSchema",
                "glue:GetDevEndpoint",
                "glue:GetSecurityConfiguration",
                "glue:GetResourcePolicy",
                "glue:GetTrigger",
                "glue:GetUserDefinedFunction",
                "glue:GetJobRun",
                "glue:GetResourcePolicies",
                "glue:GetUserDefinedFunctions",
                "glue:GetClassifier",
                "glue:GetSchemaByDefinition",
                "glue:ListWorkflows",
                "glue:GetJobs",
                "glue:GetTables",
                "glue:GetSchemaVersionsDiff",
                "lakeformation:SearchTablesByLFTags",
                "glue:GetTriggers",
                "glue:GetWorkflowRun",
                "lakeformation:GetLFTag",
                "lakeformation:GetResourceLFTags",
                "glue:GetMapping",
                "glue:GetPartition",
                "glue:GetDevEndpoints",
                "lakeformation:GetQueryStatistics",
                "glue:BatchGetWorkflows",
                "lakeformation:GetDataLakeSettings",
                "glue:ListDevEndpoints",
                "glue:BatchGetJobs",
                "glue:ListRegistries",
                "glue:GetJob",
                "glue:GetWorkflow",
                "glue:ListSchemaVersions",
                "lakeformation:StartQueryPlanning",
                "glue:GetConnections",
                "glue:GetCrawlers",
                "glue:GetClassifiers",
                "glue:GetCatalogImportStatus",
                "glue:GetTableVersion",
                "glue:GetConnection",
                "glue:ListMLTransforms",
                "glue:ListSchemas",
                "glue:GetJobBookmark",
                "glue:GetMLTransforms",
                "glue:GetRegistry",
                "lakeformation:GetEffectivePermissionsForPath",
                "lakeformation:ListLFTags",
                "lakeformation:GetWorkUnitResults",
                "glue:BatchGetPartition",
                "glue:GetMLTaskRuns",
                "glue:GetSecurityConfigurations",
                "glue:ListTriggers",
                "glue:GetDatabases",
                "lakeformation:GetQueryState",
                "glue:ListJobs",
                "glue:GetTags",
                "glue:GetTable",
                "glue:GetDatabase",
                "glue:GetMLTaskRun",
                "lakeformation:DescribeResource",
                "glue:GetDataflowGraph",
                "glue:BatchGetCrawlers",
                "glue:GetSchemaVersion",
                "glue:QuerySchemaVersionMetadata",
                "glue:BatchGetTriggers",
                "lakeformation:GetTableObjects",
                "glue:GetWorkflowRuns",
                "lakeformation:DescribeTransaction",
                "glue:GetPlan",
                "glue:ListCrawlers",
                "glue:GetCrawlerMetrics",
                "glue:GetJobRuns"
            ],
            "Resource": "*"
        }
    ]
    }