Why am I getting the error “Insufficient Lake Formation permissions on <Amazon S3 location>” in Amazon Athena even though my IAM user or role has the required S3 permissions?
Last updated: 2022-02-22
When I try to create a database/table in Amazon Athena using the Amazon Simple Storage Service (Amazon S3) location that's registered with AWS Lake Formation, the query fails with the error "Insufficient Lake Formation permission(s) on
You get this error when the following conditions are true:
- The IAM user or role tries to create or alter a Data Catalog resource (database or table) on an Amazon S3 bucket that's registered with Lake Formation.
- The IAM user or role doesn’t have the appropriate data location permissions from Lake Formation.
To resolve this error, you must grant the appropriate data location permissions to the IAM user or role that you use to create the database or table. When you use Athena with Lake Formation, grant the data location permissions for the S3 path from Lake Formation in addition to the data access permissions that the IAM user or role requires. Data access permissions allow the IAM user or role to read and write data in the underlying Amazon S3 location. Data location permissions in Lake Formation, by contrast, allow an IAM user or role to create and alter Data Catalog resources (databases and tables) that point to the registered Amazon S3 location. Having one kind of permission doesn't imply the other, which is why the query can fail even though the S3 permissions are in place.
To resolve this error, do the following:
- Verify that the S3 path that you use in Athena is successfully registered with Lake Formation.
- Grant the IAM user or role the required data location permissions on that S3 path.
Verify that the data lake location is registered with Lake Formation
Grant data location permissions from the AWS Lake Formation console
- In the navigation pane, choose Data locations.
- Select Grant.
- In the Grant permissions dialog box, select My account.
- For IAM users and roles, select the IAM user or role that you want to grant permissions for.
- For Storage locations, select the S3 path that you’re getting the error from.
- Choose Grant.
Note: Follow these steps only if the S3 path is within the same account. If the S3 path is in a different account, then be sure that all cross-account access prerequisites are met. Then, follow the instructions provided in Granting data location permissions (external account).
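The two checks above (is the path registered, and does the principal hold DATA_LOCATION_ACCESS on it) can also be run against the Lake Formation API instead of the console. The following is an added example, not code from the AWS article: it takes the response shapes of the Lake Formation ListResources and ListPermissions (ResourceType DATA_LOCATION) APIs and reports which of the two conditions is missing. The registered location, role and principal ARNs are constructed sample values, and the registered prefix is matched as a parent of the queried path, since a grant on a parent location covers its sub-prefixes.

```python
# Added example: diagnose "Insufficient Lake Formation permission(s)" from the two
# Lake Formation facts that matter: location registration and DATA_LOCATION_ACCESS.
# In practice `registered` comes from lakeformation.list_resources()["ResourceInfoList"]
# and `permissions` from lakeformation.list_permissions(ResourceType="DATA_LOCATION")
# ["PrincipalResourcePermissions"]; here both are embedded as constructed samples.
from typing import List, Optional


def s3_uri_to_arn(s3_uri: str) -> str:
    """Lake Formation identifies locations by ARN, not by s3:// URI."""
    if not s3_uri.startswith("s3://"):
        raise ValueError("expected an s3:// URI")
    return "arn:aws:s3:::" + s3_uri[len("s3://"):].rstrip("/")


def _covers(location_arn: str, path_arn: str) -> bool:
    """True if location_arn equals path_arn or is one of its parent prefixes."""
    loc = location_arn.rstrip("/")
    return path_arn == loc or path_arn.startswith(loc + "/")


def covering_location(path_arn: str, registered: List[dict]) -> Optional[str]:
    """Longest registered location that covers the path, or None if unregistered."""
    hits = [r["ResourceArn"].rstrip("/") for r in registered if _covers(r["ResourceArn"], path_arn)]
    return max(hits, key=len) if hits else None


def has_data_location_access(principal_arn: str, path_arn: str, permissions: List[dict]) -> bool:
    """True if the principal holds DATA_LOCATION_ACCESS on a location covering the path."""
    for entry in permissions:
        if entry["Principal"]["DataLakePrincipalIdentifier"] != principal_arn:
            continue
        loc = entry["Resource"].get("DataLocation", {}).get("ResourceArn")
        if loc and _covers(loc, path_arn) and "DATA_LOCATION_ACCESS" in entry["Permissions"]:
            return True
    return False


def diagnose(s3_uri: str, principal_arn: str, registered: List[dict], permissions: List[dict]) -> str:
    """Return OK, NOT_REGISTERED, or MISSING_DATA_LOCATION_ACCESS for the given path/principal."""
    path_arn = s3_uri_to_arn(s3_uri)
    if covering_location(path_arn, registered) is None:
        return "NOT_REGISTERED"          # step 1 of the article: register the location first
    if not has_data_location_access(principal_arn, path_arn, permissions):
        return "MISSING_DATA_LOCATION_ACCESS"  # step 2: grant data location permissions
    return "OK"


# Constructed sample API responses (account id and names are placeholders).
REGISTERED = [{"ResourceArn": "arn:aws:s3:::example-datalake/raw",
               "RoleArn": "arn:aws:iam::111122223333:role/LakeFormationServiceRole"}]
ANALYST = "arn:aws:iam::111122223333:role/AthenaAnalyst"
PERMISSIONS = [{"Principal": {"DataLakePrincipalIdentifier": ANALYST},
                "Resource": {"DataLocation": {"ResourceArn": "arn:aws:s3:::example-datalake/raw"}},
                "Permissions": ["DATA_LOCATION_ACCESS"], "PermissionsWithGrantOption": []}]
```

A role with full S3 read/write on `s3://example-datalake/curated/` still gets NOT_REGISTERED here, which is exactly the situation the article describes: S3 permissions alone don't satisfy Lake Formation.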