如何从 lambda 函数访问 Athena
How to access Athena from lambda function
我正在使用无服务器在 aws 上部署 lambda 函数。当在特定存储桶中创建对象并在 Athena 中插入记录时,我的 lambda 函数被触发。当部署 lambda 函数并触发 lambda 时,它会给我以下错误:
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the StartQueryExecution operation: User: arn:aws:sts::[SERVICE]:assumed-role/[PROJECT]-dev-us-east-1-lambdaRole/[SERVICE]-dev-collector is not authorized to perform: athena:StartQueryExecution on resource: arn:aws:athena:us-east-1:[MY_ACCOUNT_NO]:workgroup/primary.
我的serveless.yml是
service: MY_SERVICE
plugins:
- serverless-python-requirements
custom:
bucket: MY_BUCKET
pythonRequirements:
pythonBin: python3
provider:
name: aws
runtime: python3.7
stage: dev
region: us-east-1
iamRoleStatements:
- Effect: "Allow"
Action:
- "s3:*"
Resource:
- arn:aws:s3:::${self:custom.bucket}
- arn:aws:s3:::${self:custom.bucket}/*
- Effect: "Allow"
Action:
- "athena:*"
Resource:
- arn:aws:s3:::${self:custom.bucket}
- arn:aws:s3:::${self:custom.bucket}/*
functions:
collector:
handler: collector.run
events:
- s3:
bucket: ${self:custom.bucket}
event: s3:ObjectCreated:*
rules:
- prefix: test_folder/
existing: true
知道如何向 lambda 函数授予权限,以便它可以在 athena 中插入记录吗?
提前致谢。
Lambda 执行角色应允许访问 Athena。和您的 S3 存储桶。
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"athena:StartQueryExecution"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::your-bucket-name/*"
}
]
}
我刚刚在 serverless.yml 文件中添加了这些项目,即在 iamRoleStatements 标签下允许访问 athena 和胶水,它对我有用。
iamRoleStatements:
- Effect: "Allow"
Action:
- "s3:*"
Resource:
- arn:aws:s3:::${self:custom.bucket}
- arn:aws:s3:::${self:custom.bucket}/*
- Effect: "Allow"
Action:
- "glue:*"
Resource:
- "*"
- Effect: "Allow"
Action:
- "athena:*"
Resource:
- "*"
我正在使用无服务器在 aws 上部署 lambda 函数。当在特定存储桶中创建对象并在 Athena 中插入记录时,我的 lambda 函数被触发。当部署 lambda 函数并触发 lambda 时,它会给我以下错误:
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the StartQueryExecution operation: User: arn:aws:sts::[SERVICE]:assumed-role/[PROJECT]-dev-us-east-1-lambdaRole/[SERVICE]-dev-collector is not authorized to perform: athena:StartQueryExecution on resource: arn:aws:athena:us-east-1:[MY_ACCOUNT_NO]:workgroup/primary.
我的serveless.yml是
service: MY_SERVICE
plugins:
- serverless-python-requirements
custom:
bucket: MY_BUCKET
pythonRequirements:
pythonBin: python3
provider:
name: aws
runtime: python3.7
stage: dev
region: us-east-1
iamRoleStatements:
- Effect: "Allow"
Action:
- "s3:*"
Resource:
- arn:aws:s3:::${self:custom.bucket}
- arn:aws:s3:::${self:custom.bucket}/*
- Effect: "Allow"
Action:
- "athena:*"
Resource:
- arn:aws:s3:::${self:custom.bucket}
- arn:aws:s3:::${self:custom.bucket}/*
functions:
collector:
handler: collector.run
events:
- s3:
bucket: ${self:custom.bucket}
event: s3:ObjectCreated:*
rules:
- prefix: test_folder/
existing: true
知道如何向 lambda 函数授予权限,以便它可以在 athena 中插入记录吗? 提前致谢。
Lambda 执行角色应允许访问 Athena。和您的 S3 存储桶。
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"athena:StartQueryExecution"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::your-bucket-name/*"
}
]
}
我刚刚在 serverless.yml 文件中添加了这些项目,即在 iamRoleStatements 标签下允许访问 athena 和胶水,它对我有用。
iamRoleStatements:
- Effect: "Allow"
Action:
- "s3:*"
Resource:
- arn:aws:s3:::${self:custom.bucket}
- arn:aws:s3:::${self:custom.bucket}/*
- Effect: "Allow"
Action:
- "glue:*"
Resource:
- "*"
- Effect: "Allow"
Action:
- "athena:*"
Resource:
- "*"