python 3.x - Run queries in AWS Athena from boto3 gives bad permissions

When trying to run queries from python (boto3) to AWS Athena, the following error is raised:

botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the StartQueryExecution operation: User: arn:aws:iam::account-id:user/sa.prd is not authorized to perform: athena:StartQueryExecution on resource: arn:aws:athena:us-east-1:account-id:workgroup/primary

I don't have access to AWS console. I was also informed that there is another user "sa.prd.athena" that has the right permissions (what seems not to happen to "sa.prd").

  • Is it possible to use boto3 specifying a different user? Right now I don't use any specific user.
  • If it is not possible to use a different user, is it possible to set some kind of policy to be used by boto3 at runtime (this because I don't have access to the AWS management console)?

Thanks,

BR

Question from: https://stackoverflow.com/questions/65943103/run-queries-in-aws-athena-from-boto3-gives-bad-permissions


1 Answer


The User in AWS is determined by the credentials that are used to sign the API call to the AWS API. There are several ways to pass these credentials to AWS SDKs in general (and boto3 in particular).

It looks for credentials in these places and takes them from the first one where they're present:

  1. Hard-coded credentials passed while instantiating a client
  2. Credentials stored in environment variables
  3. Credentials stored in ~/.aws/credentials (by default it uses those of the default profile)
  4. The instance metadata service on EC2/ECS/Lambda

Since you're not directly setting up credentials, I assume it takes them from the SDK configuration (3), so you could just overwrite them while instantiating your Athena client like this:

import boto3

# Credentials passed here take precedence over environment variables and
# ~/.aws/credentials. Replace the uppercase names with the values for the
# user that holds the Athena permissions. aws_session_token is only needed
# for temporary (STS) credentials and can be omitted for a long-lived key pair.
athena_client = boto3.client(
    'athena',
    aws_access_key_id=ACCESS_KEY,
    aws_secret_access_key=SECRET_KEY,
    aws_session_token=SESSION_TOKEN
)

This is an adapted example from the documentation, you need to specify your credentials instead of the uppercase variables.

Hardcoding these is considered bad practice though, so you might want to look into option (2) using environment variables, or setting up another profile in your local SDK and telling the client to use that. Information on that can be found in the boto3-docs I linked above.
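The precedence the answer describes, as an added example that is not part of the original answer or of boto3 itself: `resolve_credentials` is a deliberately simplified re-implementation of the first three steps of the provider chain (explicit arguments, then environment variables, then a profile in `~/.aws/credentials`), written so it can be exercised offline against a constructed credentials file; boto3's real chain also consults `~/.aws/config`, assumed roles and the container/instance metadata endpoints, which are omitted here. The function names, the two profile names (`default` and `athena`) and the key values are assumptions; the keys are the placeholder keys AWS uses in its own documentation, not real ones. The two helpers at the end make real boto3 calls and only run when boto3 and a configured profile are available; they show the practitioner's check for this exact error: ask STS which principal the resolved credentials map to before calling `StartQueryExecution`, and compare it with the ARN in the `AccessDeniedException`.

```python
"""Simplified model of boto3 credential precedence (illustration only, not
boto3's own provider chain): explicit arguments > environment > profile."""
import configparser
import os

# Constructed sample of a ~/.aws/credentials file with two profiles. The key
# values are the placeholder keys from AWS documentation, not real secrets.
SAMPLE_CREDENTIALS_FILE = """
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[athena]
aws_access_key_id = AKIAI44QH8DHBEXAMPLE
aws_secret_access_key = je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY
aws_session_token = FwoGZXIvYXdzEXAMPLESESSIONTOKEN
"""

# boto3 keyword name -> environment variable that carries the same value.
ENV_KEYS = {
    "aws_access_key_id": "AWS_ACCESS_KEY_ID",
    "aws_secret_access_key": "AWS_SECRET_ACCESS_KEY",
    "aws_session_token": "AWS_SESSION_TOKEN",
}


def load_profile(credentials_text, profile):
    """Parse credentials-file text; return the named profile's keys, or None
    if the profile is absent or lacks a complete access key / secret pair."""
    parser = configparser.ConfigParser()
    parser.read_string(credentials_text)
    if not parser.has_section(profile):
        return None
    section = parser[profile]
    if "aws_access_key_id" not in section or "aws_secret_access_key" not in section:
        return None
    return {
        "aws_access_key_id": section["aws_access_key_id"],
        "aws_secret_access_key": section["aws_secret_access_key"],
        "aws_session_token": section.get("aws_session_token"),  # optional
    }


def resolve_credentials(explicit=None, env=None, credentials_text="", profile="default"):
    """Return (source, creds) from the first provider holding a full key pair.

    explicit:         dict with aws_access_key_id / aws_secret_access_key
                      (and optionally aws_session_token), as given to boto3.client().
    env:              mapping standing in for os.environ (defaults to os.environ).
    credentials_text: contents of ~/.aws/credentials, passed as text so tests
                      can use the constructed sample above instead of disk.
    """
    if explicit and explicit.get("aws_access_key_id") and explicit.get("aws_secret_access_key"):
        return "explicit", {k: explicit.get(k) for k in ENV_KEYS}

    env = os.environ if env is None else env
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return "environment", {k: env.get(v) for k, v in ENV_KEYS.items()}

    # AWS_PROFILE selects the profile when no explicit name is given, as in boto3.
    profile = env.get("AWS_PROFILE", profile)
    creds = load_profile(credentials_text, profile)
    if creds:
        return f"profile:{profile}", creds

    raise LookupError(f"no credentials found (profile '{profile}' absent or incomplete)")


def athena_client_for_profile(profile_name, region_name="us-east-1"):
    """Real boto3 call: build an Athena client from a named profile rather than
    hard-coded keys. Requires boto3 and a configured profile of that name."""
    import boto3  # imported here so the rest of the module runs without boto3
    session = boto3.Session(profile_name=profile_name, region_name=region_name)
    return session, session.client("athena")


def caller_arn(session):
    """Real boto3 call: the principal ARN the resolved credentials map to.
    Compare it with the 'User: arn:aws:iam::...' in the AccessDeniedException
    before calling StartQueryExecution; it tells you which user the chain picked."""
    return session.client("sts").get_caller_identity()["Arn"]


if __name__ == "__main__":
    for env in ({}, {"AWS_PROFILE": "athena"}):
        source, creds = resolve_credentials(env=env, credentials_text=SAMPLE_CREDENTIALS_FILE)
        print(source, creds["aws_access_key_id"])
```

To switch from `sa.prd` to `sa.prd.athena` without hard-coding keys, put the second user's key pair under its own profile in `~/.aws/credentials` and either export `AWS_PROFILE=<that profile>` or build the client with `athena_client_for_profile(...)`; `caller_arn(session)` then confirms which user will sign the Athena calls.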

