How to fix Athena GetWorkGroup permission error while accessing the console
I created an access policy based on least privileges so that the user is only able to run queries in an Athena workgroup, called "finance-analyst-dev":
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "S3Permissions",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:GetBucketLocation",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::datalake-finance-0123456789123-analytics-dev",
"arn:aws:s3:::datalake-finance-0123456789123-analytics-dev/*"
]
},
{
"Sid": "AthenaPermissions",
"Effect": "Allow",
"Action": [
"athena:StartQueryExecution",
"athena:GetQueryExecution",
"athena:GetQueryResults",
"athena:ListQueryExecutions",
"athena:GetWorkGroup",
"athena:CreateNamedQuery",
"athena:DeleteNamedQuery",
"athena:GetNamedQuery",
"athena:ListNamedQueries",
"athena:BatchGetNamedQuery",
"athena:BatchGetQueryExecution",
"athena:UpdateNamedQuery",
"athena:ListWorkGroups"
],
"Resource": [
"arn:aws:athena:us-east-1:0123456789123:workgroup/finance-analyst-dev"
]
},
{
"Sid": "GluePermissions",
"Effect": "Allow",
"Action": [
"glue:GetDatabases",
"glue:GetTables",
"glue:GetTable",
"glue:GetPartitions"
],
"Resource": [
"arn:aws:glue:us-east-1:0123456789123:catalog",
"arn:aws:glue:us-east-1:0123456789123:database/finance-analytics-dev",
"arn:aws:glue:us-east-1:0123456789123:table/finance-analytics-dev/*"
]
}
]
}
When accessing the console, the user continues to be informed that he cannot execute the athena:GetWorkGroup action on the resource:
I wouldn't want this user to access the primary workgroup.
All other permissions in this policy worked properly.
Solution
Please refer to the example policies in the Athena user guide. Copying the content here for reference. There are a few entries missing on the Athena service level and Athena workgroup level.
The error you see may be related to using the primary workgroup as default. And you can override that in the settings.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"athena:ListEngineVersions",
"athena:ListWorkGroups",
"athena:ListDataCatalogs",
"athena:ListDatabases",
"athena:GetDatabase",
"athena:ListTableMetadata",
"athena:GetTableMetadata"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"athena:GetWorkGroup",
"athena:BatchGetQueryExecution",
"athena:GetQueryExecution",
"athena:ListQueryExecutions",
"athena:StartQueryExecution",
"athena:StopQueryExecution",
"athena:GetQueryResults",
"athena:GetQueryResultsStream",
"athena:CreateNamedQuery",
"athena:GetNamedQuery",
"athena:BatchGetNamedQuery",
"athena:ListNamedQueries",
"athena:DeleteNamedQuery",
"athena:CreatePreparedStatement",
"athena:GetPreparedStatement",
"athena:ListPreparedStatements",
"athena:UpdatePreparedStatement",
"athena:DeletePreparedStatement"
],
"Resource": [
"arn:aws:athena:us-east-1:0123456789123:workgroup/finance-analyst-dev"
]
}
]
}
- AccessDenied for ListObjects for S3 bucket when permissions are s3:*
- Is it possible to have a "no-op" IAM policy?
- AWS An error occurred (InvalidToken) when calling the ListBuckets operation: The provided token is malformed or otherwise invalid
- Why is my AWS CDK Stack failing for an unclear reason?
- Organizing AWS IAM permissions: limit of 10 policies?
- How to create aws-ebs-csi-driver with eks_blueprints_addons by Terraform?
- What's the simplest way to authenticate an AWS IAM role in a custom service?
- Signature expired: is now earlier than error : InvalidSignatureException
- Unable to get updated image from ECR using docker compose --pull
- Using AWS API: Given IAM User, Get Current Effective IAM Policy Document
- Error in CloudFormation Stack: Syntax errors in policy. (Service: AmazonIdentityManagement; Status Code: 400;
- Resource Definition is Malformed
- Do I need AmazonECSTaskExecutionRolePolicy as a task role in aws ecs faragate
- CloudFormation is not authorized to perform: iam:PassRole on resource
- Accessing AWS resources from outside of AWS ecosystem
- How to provide multiple StringNotEquals conditions in AWS policy?
- IAM policy to allow EC2 instance API access only to modify itself
- AWS S3 Bucket Policy - Only Allow Certain File Types In Folder
- Connection between SSO Permission Set and IAM Role
- Creating IAM user via terraform and upload the secret key and access key in S3 bucket
- AWS Cognito - IAM - Deny all access to public/unauth users - Federated
- How to restrict AWS Cognito users from taking certain actions?
- The provided execution role does not have permissions to call DescribeNetworkInterfaces on EC2
- Creating presigned S3 urls is allowed despite IP restriction in IAM policy
- How to enforce IAM users to use multi factor authentication to use the console?
- How can two IAM statements have the same Sid?
- Access denied during geopandas read parquet from s3 bucket
- GKE has an IAM roles/container.clusterViewer, How can I duplicate that on EKS? Read only kubectl access on EKS by default for all authenticated users?
- AWS: Make a resource (e.g. a lambda) public in production but private in development
- AWS role vs iam credential in duckdb HTTPFS call