When I run an Amazon Athena query, I get an "Access Denied" error. What might be causing this, and how do I fix it?

Athena reads data from Amazon Simple Storage Service (Amazon S3) buckets using the AWS Identity and Access Management (IAM) credentials of the user who submitted the query. Query results are stored in a separate S3 bucket. Usually, an "Access Denied" error means that you don't have permission to read the data in the bucket or permission to write to the results bucket.

To troubleshoot this issue, confirm the following:

  • The IAM user has an attached policy that allows access to Athena, such as AmazonAthenaFullAccess. If you change the default location of the results bucket (aws-athena-query-results-*), be sure that the IAM user has permission to read and write to the new location.
  • The bucket policies and object ACLs allow the IAM user to access the objects in the buckets. If the IAM user is in a different AWS account, see Cross-account Access.
  • The S3 location matches the format s3://bucket/path. Don't include the endpoint. For example, s3://us-east-1.amazonaws.com/bucket/path results in an "Access Denied" error.
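The location format check from the last item can be run before a query is submitted. This is an added example, not AWS code: `check_s3_location` is a hypothetical helper, the sample locations are constructed, and treating any bucket position that ends in `amazonaws.com` as an endpoint is a heuristic assumption.

```python
import re
from urllib.parse import urlsplit

# S3 bucket naming rules: 3-63 chars of lowercase letters, digits, dots and
# hyphens, starting and ending with a letter or digit.
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
# Heuristic (assumption): a host under amazonaws.com is an endpoint, not a bucket.
ENDPOINT_RE = re.compile(r"(^|\.)amazonaws\.com(\.cn)?$")


def check_s3_location(location):
    """Return (ok, message) for a table or query-results location string."""
    parts = urlsplit(location.strip())
    if parts.scheme != "s3":
        return False, f"scheme is {parts.scheme or 'missing'!r}; expected s3://bucket/path"
    bucket, path = parts.netloc, parts.path.lstrip("/")
    if ENDPOINT_RE.search(bucket):
        # The first path segment is most likely the real bucket name.
        real_bucket, _, rest = path.partition("/")
        hint = f"s3://{real_bucket}/{rest}" if real_bucket else "s3://bucket/path"
        return False, f"{bucket!r} is an endpoint, not a bucket; use {hint}"
    if not BUCKET_RE.match(bucket):
        return False, f"{bucket!r} is not a valid bucket name"
    if parts.query or parts.fragment:
        return False, "query strings and fragments are not part of an S3 location"
    return True, f"bucket={bucket} prefix={path}"


# Constructed sample locations, not taken from any real account.
SAMPLES = [
    "s3://my-data-bucket/logs/2018/",
    "s3://us-east-1.amazonaws.com/bucket/path",
    "https://s3.amazonaws.com/bucket/path",
    "s3://Bad_Bucket/results/",
]

if __name__ == "__main__":
    for loc in SAMPLES:
        ok, msg = check_s3_location(loc)
        print(("OK  " if ok else "FAIL"), loc, "->", msg)
```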


Published: 2016-12-15

Updated: 2018-11-19