Glue availability check failed due to missing permission

[matthias-pichler]

It seems that the sample policy in the readme is missing glue:GetCatalogImportStatus

I got the following error:

Jun 22 14:32:00.128 DEBUG 699 com.simba.athena.athena.api.AJClient.checkGlueSupport: An exception was caught during AWS Glue availability detection operation. Detail: com.simba.athena.amazonaws.services.glue.model.AccessDeniedException: User: arn:aws:sts::xxxxx:assumed-role/metabase-service-prod-TaskRole30FC0FBB-R2HVOCHLUUGP/a499929205b74b0ca2e3f65456e66625 is not authorized to perform: glue:GetCatalogImportStatus on resource: arn:aws:glue:eu-west-1:xxxxx:catalog because no identity-based policy allows the glue:GetCatalogImportStatus action (Service: AWSGlue; Status Code: 400; Error Code: AccessDeniedException; Request ID: e8fb47f5-70a2-4c43-81e2-95af8b11fdc3; Proxy: null)

[dacort]

Interesting - I hadn't run into that one before. I will try to validate the current policy - I don't think I've updated it since upgrading the JDBC driver so there could likely be some gaps. Thank you!

[matthias-pichler]

It might be related to the fact that I have AWS LakeFormation enabled in this account

[dacort]

Ah yep, that was going to be a guess of mine. Thanks for that extra detail!

[dacort]

Closing as part of cleanup now that Athena is officially supported by Metabase. Any future issues can be asked about on their forum or with a detailed bug report.