Why am I getting the error “Insufficient Lake Formation permissions on <Amazon S3 location>” in Amazon Athena even though my IAM user or role has the required S3 permissions?

Last updated: 2022-02-22

When I try to create a database or table in Amazon Athena using an Amazon Simple Storage Service (Amazon S3) location that's registered with AWS Lake Formation, the query fails with the error "Insufficient Lake Formation permission(s) on <Amazon S3 location>". However, the Athena AWS Identity and Access Management (IAM) user or role has the necessary IAM permissions.

Resolution

You get this error when the following conditions are true:

  • The IAM user or role tries to create or alter a Data Catalog resource (database or table) on an Amazon S3 bucket that's registered with Lake Formation.
  • The IAM user or role doesn’t have the appropriate data location permissions from Lake Formation.

To resolve this error, you must grant appropriate data location permissions to the IAM user or role that you use to create the database or table. When you use Athena with Lake Formation, be sure to grant the IAM user or role data location permissions on the S3 path from Lake Formation, in addition to the data access permissions that the IAM user or role requires. Data access permissions allow the IAM user or role to read and write data in the underlying Amazon S3 location. Data location permissions in Lake Formation, by contrast, allow an IAM user or role to create and alter Data Catalog resources that point to the registered Amazon S3 location.

To resolve this error, do the following:

  1. Verify that the S3 path used in Athena is registered with Lake Formation.
  2. Grant the required data location permissions to the IAM user or role to access the S3 path.

Verify that the data lake location is registered with Lake Formation

  1. Sign in to the AWS Lake Formation console with a data lake administrator role.
  2. In the navigation pane, under Register and Ingest, choose Data lake Locations.
    In the Data lake locations listing, verify that the S3 path pointed to by the Data Catalog resources is registered with Lake Formation.

Grant data location permissions from the AWS Lake Formation console

  1. In the navigation pane, choose Data locations.
  2. Select Grant.
  3. In the Grant permissions dialog box, select My account.
  4. For IAM users and roles, select the IAM user or role that you want to grant permissions for.
  5. For Storage locations, select the S3 path that you’re getting the error from.
  6. Choose Grant.

Note: Follow these steps only if the S3 path is within the same account. If the S3 path is in a different account, then be sure that all cross-account access prerequisites are met. Then, follow the instructions provided in Granting data location permissions (external account).
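The same two steps (check that the path is registered, then grant data location permissions to the principal) from the AWS CLI, as an added example that is not part of the original article. The S3 path, the IAM role ARN and the account ID in the usage line are placeholders; the same-account case from the console steps above is assumed.

```shell
#!/bin/sh
# Added example: CLI equivalent of the console procedure. Placeholder values
# (bucket path, role ARN, account ID) must be replaced with your own.
set -e

# Convert an s3://bucket/prefix/ path into the ARN form that Lake Formation
# uses for registered locations (arn:aws:s3:::bucket/prefix, no trailing slash).
s3_location_arn() {
    path="${1#s3://}"
    path="${path%/}"
    printf 'arn:aws:s3:::%s\n' "$path"
}

# Build the --resource JSON that targets a data location.
data_location_resource() {
    printf '{"DataLocation":{"ResourceArn":"%s"}}\n' "$(s3_location_arn "$1")"
}

# Step 1: confirm the path is registered with Lake Formation. The call fails
# with EntityNotFoundException if the location was never registered.
verify_registered() {
    aws lakeformation describe-resource --resource-arn "$(s3_location_arn "$1")"
}

# Step 2: grant DATA_LOCATION_ACCESS on the path to the IAM user or role.
# This is the data location permission; the principal's data access
# permissions on the bucket are granted separately.
grant_data_location() {
    aws lakeformation grant-permissions \
        --principal "DataLakePrincipalIdentifier=$2" \
        --resource "$(data_location_resource "$1")" \
        --permissions DATA_LOCATION_ACCESS
}

# Check the result: list the permissions now held on that location.
list_data_location_permissions() {
    aws lakeformation list-permissions --resource "$(data_location_resource "$1")"
}

# Usage (placeholders):
#   sh grant_data_location.sh s3://my-bucket/athena-data/ \
#       arn:aws:iam::123456789012:role/AthenaQueryRole
if [ $# -eq 2 ]; then
    verify_registered "$1"
    grant_data_location "$1" "$2"
    list_data_location_permissions "$1"
fi
```

If the grant succeeds but the Athena query still fails, re-check that the registered location covers the exact prefix the table points to, since a registration on a parent prefix is what makes the child path eligible for the grant.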
