Hi all - I'm in need of some assistance - apologies if this is something that's been covered already.
I'm unable to run dbt-athena via an assume-role policy.
I've created a basic model that I'm running with the dbt-athena plugin.
I've created an AWS policy (dbt_policy) that allows all the permissions needed for the plugin to run and execute the models.
For my testing I've assigned the policy to an IAM user dbt_poc_dev_user and it works perfectly.
Now I'd like to make use of an IAM role instead of a user. I've done the following:
Created the role: dbt
Assigned the policy (dbt_policy) to the role
Allowed the role to be assumed by user: dbt_poc_dev_user
Updated my .aws credentials file with the new role details
Updated the aws_profile_name config in the dbt profiles.yml file
With dbt run I get the following error:
13:58:57 Running with dbt=1.5.2
13:58:57 Registered adapter: athena=1.5.1
13:58:57 Unable to do partial parsing because config vars, config profile, or config target have changed
13:58:57 Unable to do partial parsing because profile has changed
13:58:58 Found 3 models, 0 tests, 0 snapshots, 0 analyses, 336 macros, 0 operations, 0 seed files, 0 sources, 0 exposures, 0 metrics, 0 groups
13:58:58
14:00:26
14:00:26 Finished running in 0 hours 1 minutes and 27.70 seconds (87.70s).
14:00:26 Encountered an error:
Runtime Error
Runtime Error
[ErrorCategory:USER_ERROR, ErrorCode:PERMISSION_ERROR], Detail:Amazon Athena experienced a permission error. Please provide proper permission and submitting the query again. If the issue reoccurs, contact
AWS support for further assistance. You will not be charged for this query. We apologize for the inconvenience., Message:Amazon Athena experienced a permission error. Please provide proper permission and submitting the query again. If the issue reoccurs, contact AWS support for further assistance. You will not be charged for this query. We apologize for the inconvenience.
If I switch the aws_profile_name back to the user it completes successfully
Another test that I've done is running a docker container with my code on EC2 via AWS Batch.
For this I don't need the aws_profile_name in the prrofiles.yml file. I just attached the dbt_policy to the EC2 execution role.
Same result - I'm not sure if roles can be used with dbt-athena?
Hi all - I'm in need of some assistance - apologies if this is something that's been covered already.
I'm unable to run dbt-athena via an
assume-role
policy.I've created a basic model that I'm running with the dbt-athena plugin.
I've created an AWS policy (
dbt_policy
) that allows all the permissions needed for the plugin to run and execute the models. For my testing I've assigned the policy to an IAM userdbt_poc_dev_user
and it works perfectly.Now I'd like to make use of an IAM role instead of a user. I've done the following:
Created the role:
dbt
Assigned the policy (
dbt_policy
) to the roleAllowed the role to be assumed by user:
dbt_poc_dev_user
Updated my
.aws credentials
file with the new role detailsUpdated the
aws_profile_name
config in the dbtprofiles.yml
fileWith dbt run I get the following error:
If I switch the
aws_profile_name
back to the user it completes successfullyAnother test that I've done is running a docker container with my code on EC2 via AWS Batch.
For this I don't need the
aws_profile_name
in theprrofiles.yml
file. I just attached thedbt_policy
to theEC2 execution role
. Same result - I'm not sure if roles can be used with dbt-athena?