Thank you for taking the time to help me with the following issue.
I created a least-privilege access policy so that a user can only run queries in the Athena workgroup named finance-analyst-dev, based on the following code:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3Permissions",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::datalake-finance-0123456789123-analytics-dev",
        "arn:aws:s3:::datalake-finance-0123456789123-analytics-dev/*"
      ]
    },
    {
      "Sid": "AthenaPermissions",
      "Effect": "Allow",
      "Action": [
        "athena:StartQueryExecution",
        "athena:GetQueryExecution",
        "athena:GetQueryResults",
        "athena:ListQueryExecutions",
        "athena:GetWorkGroup",
        "athena:CreateNamedQuery",
        "athena:DeleteNamedQuery",
        "athena:GetNamedQuery",
        "athena:ListNamedQueries",
        "athena:BatchGetNamedQuery",
        "athena:BatchGetQueryExecution",
        "athena:UpdateNamedQuery",
        "athena:ListWorkGroups"
      ],
      "Resource": [
        "arn:aws:athena:us-east-1:0123456789123:workgroup/finance-analyst-dev"
      ]
    },
    {
      "Sid": "GluePermissions",
      "Effect": "Allow",
      "Action": [
        "glue:GetDatabases",
        "glue:GetTables",
        "glue:GetTable",
        "glue:GetPartitions"
      ],
      "Resource": [
        "arn:aws:glue:us-east-1:0123456789123:catalog",
        "arn:aws:glue:us-east-1:0123456789123:database/finance-analytics-dev",
        "arn:aws:glue:us-east-1:0123456789123:table/finance-analytics-dev/*"
      ]
    }
  ]
}
However, when accessing the console, the user keeps being told that they are not authorized to perform the athena:GetWorkGroup action on the resource.
Please note that I do not want this user to have access to the primary workgroup.
Thanks again.
All other permissions in this policy work correctly.
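As an added example (not code from the poster or from AWS), the script below evaluates the posted policy offline so you can see which workgroup ARNs the AthenaPermissions statement actually covers before changing anything. It implements only IAM's basic evaluation order (an explicit Deny wins, otherwise a matching Allow, otherwise implicit deny) with `*` and `?` wildcards in Action and Resource; Conditions, NotAction/NotResource and resource-based policies are not modelled. The second workgroup ARN (`workgroup/primary`) is an assumption used to show what happens to a GetWorkGroup call on any workgroup the policy does not name; the policy text itself is copied verbatim from the post.

```python
"""Offline evaluator for the IAM policy in the post (added example, not AWS code).

Models IAM's basic decision order: explicit Deny > Allow > implicit deny.
Action matching is case-insensitive, resource matching is case-sensitive,
and '*' / '?' are the only wildcards handled. Conditions are ignored.
"""
import json
import re

# The questioner's policy, copied from the post (account id and names as given there).
POLICY = json.loads(r'''
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "S3Permissions", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation", "s3:PutObject"],
     "Resource": ["arn:aws:s3:::datalake-finance-0123456789123-analytics-dev",
                  "arn:aws:s3:::datalake-finance-0123456789123-analytics-dev/*"]},
    {"Sid": "AthenaPermissions", "Effect": "Allow",
     "Action": ["athena:StartQueryExecution", "athena:GetQueryExecution", "athena:GetQueryResults",
                "athena:ListQueryExecutions", "athena:GetWorkGroup", "athena:CreateNamedQuery",
                "athena:DeleteNamedQuery", "athena:GetNamedQuery", "athena:ListNamedQueries",
                "athena:BatchGetNamedQuery", "athena:BatchGetQueryExecution",
                "athena:UpdateNamedQuery", "athena:ListWorkGroups"],
     "Resource": ["arn:aws:athena:us-east-1:0123456789123:workgroup/finance-analyst-dev"]},
    {"Sid": "GluePermissions", "Effect": "Allow",
     "Action": ["glue:GetDatabases", "glue:GetTables", "glue:GetTable", "glue:GetPartitions"],
     "Resource": ["arn:aws:glue:us-east-1:0123456789123:catalog",
                  "arn:aws:glue:us-east-1:0123456789123:database/finance-analytics-dev",
                  "arn:aws:glue:us-east-1:0123456789123:table/finance-analytics-dev/*"]}
  ]
}
''')

# Constructed ARNs: the workgroup the policy names, and an ASSUMED second
# workgroup ("primary") that the policy does not name.
WORKGROUP_DEV = "arn:aws:athena:us-east-1:0123456789123:workgroup/finance-analyst-dev"
WORKGROUP_PRIMARY = "arn:aws:athena:us-east-1:0123456789123:workgroup/primary"


def _to_regex(pattern: str, ignore_case: bool = False) -> re.Pattern:
    """Translate an IAM wildcard pattern ('*' any run, '?' one char) into an anchored regex."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$", re.IGNORECASE if ignore_case else 0)


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str, ignore_case: bool = False) -> bool:
    return any(_to_regex(p, ignore_case).match(value) for p in _as_list(patterns))


def evaluate(policy: dict, action: str, resource: str):
    """Return ('Allow' | 'Deny' | 'ImplicitDeny', [Sids of the statements that matched])."""
    allows, denies = [], []
    for stmt in policy["Statement"]:
        if "Action" not in stmt or "Resource" not in stmt:
            continue  # NotAction / NotResource statements are not modelled here
        if _matches(stmt["Action"], action, ignore_case=True) and _matches(stmt["Resource"], resource):
            (denies if stmt["Effect"] == "Deny" else allows).append(stmt.get("Sid", "<no Sid>"))
    if denies:
        return "Deny", denies          # explicit deny always wins
    if allows:
        return "Allow", allows
    return "ImplicitDeny", []          # nothing matched: the default outcome


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    return evaluate(policy, action, resource)[0] == "Allow"


def workgroup_report(policy: dict, action: str = "athena:GetWorkGroup") -> dict:
    """Decision for one action against each workgroup ARN, keyed by ARN."""
    return {arn: evaluate(policy, action, arn)[0] for arn in (WORKGROUP_DEV, WORKGROUP_PRIMARY)}


if __name__ == "__main__":
    for arn, decision in workgroup_report(POLICY).items():
        print(f"{decision:12s} athena:GetWorkGroup on {arn}")
```

Running it shows that GetWorkGroup is allowed only on the finance-analyst-dev ARN and falls through to an implicit deny on any other workgroup, which is exactly the shape of the AccessDenied the user sees. The same evaluator can be pointed at a revised policy to confirm that a change grants only the extra resource you intend and nothing wider.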