Lake Formation sharing with external account - error when querying with athena in target account


I have two accounts, the source account (A) and the target account (B).

I have granted account (B) access to a database in account (A) via Lake Formation.

In account B I accepted the resource share and can see the database and table populated in the lake formation console.

In account B I have created a resource link and granted access to my user with permissions (SUPER).

In account B, when I try to query the table within the database resource link, I get the following error:

com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: ##########; S3 Extended Request ID: ########; Proxy: null), S3 Extended Request ID: ########### (Bucket: {Bucket in account A that holds shared database and tables}, Key: {path to shared table}) This query ran against the "{resource link database}" database, unless qualified by the query. Please post the error message on our forum or contact customer support with Query Id: ##############

My account is a lake formation admin with administrator access.

The data catalogue settings in accounts A and B are:

Use only IAM access control for new databases: OFF
Use only IAM access control for new tables in new databases: OFF
Version 4

The error shows an access denied on my shared S3 resource in account A, but I do not understand how this error can come up with the above settings.

Any help is appreciated.

I have tried changing the settings, changing the location of the shared table, and changing the access on the databases for my user.

There is 1 answer

mgosk On

Check a few things:

  1. Verify that the Lake Formation role has access to the S3 bucket, and to the KMS key if the data is encrypted.
  2. Verify that your table has a location configured.
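As an added example (not part of the question or the answer), the two checks above as a script run against constructed stand-ins for the Glue table definition and for the policy of the role registered with Lake Formation for the table's location; in a real run these would come from `aws glue get-table` and `aws iam get-role-policy`. The IAM matching is deliberately simplified (wildcards only, no conditions, no bucket or key policies), so a pass here is a necessary, not sufficient, condition.

```python
import fnmatch

# Constructed stand-in for the `Table` object that `aws glue get-table` returns in account A.
SAMPLE_TABLE = {"Name": "orders",
                "StorageDescriptor": {"Location": "s3://example-bucket-a/shared/orders/"}}
# Constructed stand-in for the policy of the role registered with Lake Formation for that location.
SAMPLE_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket-a", "arn:aws:s3:::example-bucket-a/shared/*"]}]}

def table_location(table):
    """The table's data location, or None when none is configured (check 2 in the answer)."""
    return (table.get("StorageDescriptor") or {}).get("Location") or None

def s3_arns(location):
    """Bucket ARN plus the ARN of a representative object under the table's prefix."""
    bucket, _, prefix = location[len("s3://"):].partition("/")
    return "arn:aws:s3:::" + bucket, "arn:aws:s3:::%s/%ssample-object" % (bucket, prefix)

def policy_allows(policy, action, resource):
    """Simplified IAM evaluation: explicit Deny wins, otherwise any matching Allow grants.
    Only '*' and '?' wildcards are handled; conditions and bucket/key policies are ignored."""
    allowed = False
    for stmt in policy.get("Statement", []):
        actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed

def check_shared_table(table, role_policy, kms_key_arn=None):
    """Run the answer's two checks; an empty list means the role can reach the table's data."""
    location = table_location(table)
    if not location or not location.startswith("s3://"):
        return ["table %s has no S3 location configured" % table.get("Name")]
    bucket_arn, object_arn = s3_arns(location)
    needed = [("s3:ListBucket", bucket_arn), ("s3:GetObject", object_arn)]
    if kms_key_arn:  # check 1 in the answer: encrypted data also needs the KMS key
        needed.append(("kms:Decrypt", kms_key_arn))
    return ["role policy does not allow %s on %s" % (action, arn)
            for action, arn in needed if not policy_allows(role_policy, action, arn)]
```

An empty result means both of the answer's checks pass for the role; any finding names the exact action and ARN that the role's policy still needs to cover.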