您的位置: 首页  >  技术问答  >  使用其他帐户从Python Lambda访问AWS Athena

使用其他帐户从Python Lambda访问AWS Athena

分类: 技术问答 2022-05-23 10:08:17
问题描述:

我有两个帐户A和B。S3存储桶和Athena View在帐户A中,而Lambda在帐户B中。我想通过我的Lambda呼叫Athena。我还允许在S3存储桶策略中使用Lambda执行角色。当我尝试从Lambda调用数据库时,它以'Status'的形式给我错误:{'State':'FAILED','StateChangeReason':'SYNTAX_ERROR:第1:15行:模式db_name不存在'

I have two account A and B. S3 Buckets and Athena View is in account A and Lambda is in Account B. I want to call Athena from my Lambda. I have also allowed Lambda Execution Role in S3 Bucket Policy. When I try to call Database from Lambda, it gives me error as 'Status': {'State': 'FAILED', 'StateChangeReason': 'SYNTAX_ERROR: line 1:15: Schema db_name does not exist'

下面是我的Lambda代码:

Below is my Lambda Code:

import boto3
import time

def lambda_handler(event, context):

    athena_client = boto3.client('athena')
    client_exc = athena_client.start_query_execution(
        QueryString='SELECT * FROM db_name.athena_view',
        ResultConfiguration={'OutputLocation': 's3://my-athena-out-bucket/'}
    )

    resp= athena_client.get_query_results(QueryExecutionId=client_exc['QueryExecutionId'])

请指导。

您有:


  • Account-A中的Amazon S3存储桶

  • Account-A中的Amazon Athena

  • 账户B
    • 中的AWS Lambda函数
  • Amazon S3 bucket in Account-A
  • Amazon Athena in Account-A
  • AWS Lambda function in Account-B

(这与您的上一个问题不同,在该问题中您遇到了雅典娜帐户B 中的帐户访问帐户A 中的S3。在这种情况下, Account-A 中的存储桶策略足以为在 Account-B 中运行的Athena授予对S3的访问权限>。)

(This differs from your previous question, where you had Athena in Account-B accessing S3 in Account-A. In that scenario, a Bucket policy in Account-A was sufficient to grant access to S3 for Athena running in Account-B.)

Amazon Athena在具有IAM用户或IAM角色调用权限的情况下运行。因此,使用Athena的用户或角色需要权限才能访问Amazon S3中的数据。在您之前的问题中,这是通过桶策略完成的,该策略使Lambda有权访问其他帐户中的桶。

Amazon Athena runs with the permissions of the IAM User or IAM Role that calls it. Therefore, the user or role that uses Athena needs permission to access the data in Amazon S3. In your previous question, this was accomplished via a Bucket Policy that provided Lambda with permission to access a bucket in a different account.

但是,在 this 问题,您有 Lambda帐户要在另一个帐户中使用Amazon Athena 。无法向其他帐户中的用户授予Athena访问权限。因此,您的Lambda函数需要在Athena帐户中扮演角色

However, in this question, you have Lambda in one account wanting to use Amazon Athena in a different account. There is no ability to grant Athena access to users in a different account. Therefore, your Lambda function will need to assume a role in the Athena account.

因此:


  • 帐户A (使用Athena)中创建IAM角色,以授予使用Athena 的权限>相关的Amazon S3存储桶

  • 账户B 中的Lambda函数:


    • 应调用 AssumeRole()以成为上述角色

    • 应使用提供的凭据创建一个新的 Session ,该会话用于为Athena创建一个boto3客户端

    • Create an IAM Role in Account-A (with Athena) that grants access to use Athena and the relevant Amazon S3 buckets
    • The Lambda function in Account-B:
      • Should call AssumeRole() to 'become' the above role
      • Should use the credentials provided back to create a new Session, which is used to create a boto3 client for Athena

      这将导致Lambda在 Account-A 中访问Athena,包括已创建的任何表和视图。

      This will result in Lambda having access to Athena in Account-A, including any tables and views already created.

      如果您不需要Athena中定义的现有表和视图,则可以将 same 帐户中的Athena用作Lambda,但使用源S3存储桶需要根据您的权限授予对Lambda的IAM角色的访问权限上一个问题

      If you do not require the existing tables and views defined in Athena, then you could use Athena in the same account as Lambda, but the source S3 bucket would need to grant access to Lambda's IAM Role, as per your previous question.

相关推荐