StartQueryExecution operation: Unable to verify/create output bucket

Published 2024-05-13 21:07:41


I am trying to execute a query on Athena using Python.

Sample code

    import boto3

    # Athena client built from explicit credentials (values defined elsewhere)
    client = boto3.client(
        'athena',
        region_name=region,
        aws_access_key_id=AWS_ACCESS_KEY_ID,
        aws_secret_access_key=AWS_SECRET_ACCESS_KEY
    )
    # Start the query; Athena writes the results to the S3 output location
    execution = client.start_query_execution(
        QueryString=query,
        QueryExecutionContext={
            'Database': database
        },
        WorkGroup=workgroup,
        ResultConfiguration={
            'OutputLocation': S3_OUTPUT_LOCATION
        }
    )

This is working code, but I ran into an unusual situation.

  • One day it threw an InvalidRequestException error. Error:
InvalidRequestException: An error occurred (InvalidRequestException) when calling the StartQueryExecution operation: Unable to verify/create output bucket <BUCKET NAME>
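  • According to DevOps, the application has all the permissions, so it should work
  • We tried executing the same query in the AWS Athena console (query editor). It works there
  • Then we re-ran the Python script, and it did not throw any error
  • But the next day, the Python script started throwing the same InvalidRequestException error
  • Then we executed the same query in the AWS Athena console (query editor) and re-ran the Python script, and it started working

We observed this scenario for several days: every 24 hours the Python script throws the error once, then we execute the query in the Athena console (query editor) and re-run the Python script. I don't understand why this happens. Is there a permissions issue?

Permissions: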

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "athena:GetWorkGroup",
                "athena:StartQueryExecution",
                "athena:ListDatabases",
                "athena:StopQueryExecution",
                "athena:GetQueryExecution",
                "athena:GetQueryResults",
                "athena:GetDatabase",
                "athena:GetDataCatalog",
                "athena:ListQueryExecutions",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<BUCKET NAME>",
                "arn:aws:s3:::<BUCKET NAME>/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "athena:UpdateWorkGroup"
            ],
            "Resource": [
                "arn:aws:s3:::<BUCKET NAME>/*",
                "arn:aws:s3:::<BUCKET NAME>",
                "arn:aws:athena:*:<BUCKET NAME>/<PATH>"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "athena:ListDataCatalogs",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        }
    ]
}

2 answers

I ran into the same error today and found that the execution role also needs the s3:GetBucketLocation permission. AWS documentation: https://aws.amazon.com/premiumsupport/knowledge-center/athena-output-bucket-error/

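I also had the same problem: random failures. The problem was that the s3:GetBucketLocation policy was misconfigured. It was bundled into the same group as the other S3 actions, where the resource pointed to the S3 bucket including the path. It does not work that way.

I fixed it as follows, and it works now.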

- Effect: Allow
  Action:
    - s3:GetBucketLocation
  Resource:
    - arn:aws:s3:::*
- Effect: Allow
  Action:
    - s3:PutObject
    - s3:GetObject
  Resource:
    - arn:aws:s3:::<BUCKET NAME>/<PATH>/*

See the documentation: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html
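
An added example, not part of the original answers: an offline check of an IAM policy document for the misconfiguration the second answer describes, where s3:GetBucketLocation is granted only on an object-path resource and so never matches the bucket ARN. The function names, bucket name and prefix are assumptions, and the evaluation is simplified (Deny, Condition, NotAction and NotResource are ignored).

```python
import re

# Checks taken from the answers on this page: s3:GetBucketLocation is evaluated
# against the bucket ARN, s3:PutObject/s3:GetObject against object ARNs.
BUCKET_ACTIONS = ["s3:GetBucketLocation"]
OBJECT_ACTIONS = ["s3:PutObject", "s3:GetObject"]

def as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def wild(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def allows(policy, action, resource):
    """True if an Allow statement grants `action` on `resource`.
    Simplified on purpose: Deny, Condition, NotAction, NotResource are ignored."""
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if (any(wild(a, action, True) for a in as_list(stmt.get("Action")))
                and any(wild(r, resource) for r in as_list(stmt.get("Resource")))):
            return True
    return False

def missing_output_permissions(policy, bucket, prefix):
    """Return (action, arn) pairs the policy does not grant for the output location."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/{prefix.strip('/')}/sample-result.csv"  # constructed key
    wanted = ([(a, bucket_arn) for a in BUCKET_ACTIONS]
              + [(a, object_arn) for a in OBJECT_ACTIONS])
    return [(a, arn) for a, arn in wanted if not allows(policy, a, arn)]

# Constructed sample policies (bucket and prefix names are placeholders).
BUNDLED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetBucketLocation", "s3:PutObject", "s3:GetObject"],
    "Resource": ["arn:aws:s3:::example-bucket/athena-results/*"]}]}
FIXED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetBucketLocation"],
     "Resource": ["arn:aws:s3:::*"]},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::example-bucket/athena-results/*"]}]}

if __name__ == "__main__":
    for name, pol in (("bundled", BUNDLED), ("fixed", FIXED)):
        print(name, missing_output_permissions(pol, "example-bucket", "athena-results"))
```

Running it against the role's real policy JSON before deployment shows which of these three grants would not match the Athena output location.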
