AthenaClient trying to access athena in the own account

[DantasB]

Describe the bug

AthenaClient is not able to execute StartQueryExecution in athena of another account.

Expected Behavior

StartQueryExecution run successfully

Current Behavior

InvalidRequestException: Unable to verify/create output bucket new-bucket-name

Reproduction Steps

Create 2 aws accounts. One with athena. Another with a Pod on EKS running a javascript code with AthenaClient on it.

Grant the permissions to this Pod using IAM role with access to the external account athena.

Execute the AthenaGetQueryExecution passing the output location bucket and the aws region.

Possible Solution

No response

Additional Information/Context

I have a process written in TS running in a POD on AWS EKS that executes a prepared statement on athena and read its results. This process were used to access the athena in the own account that the EKS is running.

Now, we have changed the Athena to another account, so we changed the IAM policy to grant READ/PUT to the s3 bucket of athena query logs and all athena permissions to this new account.

But the TS is not able to perform this prepared statement in the new account, it's basically saying that it doesn't have permissions to run this query on athena because: InvalidRequestException: Unable to verify/create output bucket new-bucket-name

Reading the policy, the "s3:GetBucketLocation" and "s3:ListBucket" are there for this new-bucket-name and new-bucket-name/athena/*

SDK version used

3.52.0

Environment details (OS name and version, etc.)

EKS Pod

[aBurmeseDev]

Hi @DantasB - thanks for reaching out and apology for delay response.

I've come across this blog post about the same error you're seeing for Amazon Athena. The suggestion is to confirm that S3 bucket exists and check the IAM policy for user or role. Since you have two accounts trying to access "cross-account", I would also check to confirm that cross-account access in IAM is granted.

If you've verified those suggestions and issue persists, let us know and I'd be happy to further look into it. Best, John

[DantasB]

Hey @aBurmeseDev how are you?

Yes, both of the accounts have the cross-account access (one granting and other receiving the permission). The role had the policy to access both the athenas, with the permissions to allow to execute queries.

To avoid that problem, i had to:

1. Create a new policy in the other account.
2. Create a new role in the other account (granting the permission to the application assume that role).
3. Add the sts:AssumeRole policy in the application role.
4. Change the code to, before the execution of the athena query, assume that new role, using the @aws-sdk/client-sts, and them execute the query.

Basically, it was like that the athena is set to be the athena of the account that the application role is created.

[DantasB]

The application, running on a EKS in the 1020 account, had the following policies to Athena and Glue:

"athena:StartQueryExecution",
"athena:GetQueryResults",
"athena:ListNamedQueries",
"athena:GetWorkGroup",
"athena:StopQueryExecution",
"athena:GetQueryExecution",
"athena:BatchGetNamedQuery",
"athena:BatchGetQueryExecution",
"athena:GetQueryExecution",
"athena:GetQueryResults",
"athena:GetPreparedStatement"
"glue:GetTable",
"glue:GetDatabases",
"glue:GetDatabase"

To both of the athenas (1020 account and 2020 account).

Also, for the data, the application had the following policies:

"s3:ListMultipartUploadParts",
"s3:PutObject",
"s3:GetObject",
"s3:AbortMultipartUpload",
"s3:GetBucketLocation",
"s3:ListBucket"

To the data bucket and the athena query logs bucket. (2020 account).

The application was running on EKS and has this policy assumed. When the application ran, the error was that the bucket didn't exists.

The name of the bucket is new-bucket-name. This bucket exists in the 2020 account but doesn't exists in the 1020 account.

Considering the error message sent before InvalidRequestException: Unable to verify/create output bucket new-bucket-name, when using the athena sdk, it's like the athena is defaulted to the 1020 account, where this bucket doesn't exists.

While correctly, we should setup the account where this athena is located.

[aBurmeseDev]

Hi @DantasB - I was able to connect with a service team member to get their insights. They shared that

Based on the error message it looks like execution role does not have all the necessary permissions. Can you please ask to verify the IAM roles, policies, and permissions, the steps should be something like:

In Account A(Athena account):

1. Create an S3 Bucket to store the query results (new-bucket-name)
2. Create an Athena Query Execution Role that allows Athena to access the s3 bucket. 2.1 "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": "arn:aws:s3:::new-bucket-name/*" }
3. Allow Cross-Account Access to the S3 Bucket, to allow access from the IAM role in Account B (EKS account) 3.1 "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<Account_B_ID>:role/<Role_in_Account_B>" }, "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": "arn:aws:s3:::new-bucket-name/*"

In Account B (EKS Account):

1. Create an IAM Role for the Pod. This role should have a trust relationship allowing the EKS service to assume it, something like: 1.1 "Effect": "Allow", "Principal": { "Service": "eks.amazonaws.com" }, "Action": "sts:AssumeRole"
2. Attach a policy to the role to allow Athena actions and access to the S3 bucket in Account A 2.1 { "Effect": "Allow", "Action": [ "athena:StartQueryExecution", "athena:GetQueryExecution", "athena:GetQueryResults" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": "arn:aws:s3:::new-bucket-name/*" }

You can also refer to this AmazonAthenaFullAccess Managed Policy.

[github-actions[bot]]

This issue has not received a response in 1 week. If you still think there is a problem, please leave a comment to avoid the issue from automatically closing.