-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? # to your account
(stepfunctions-tasks): AthenaStartQueryExecution construct creates insufficient IAM PolicyDocument #25875
Comments
Hm, it looks like it should be adding an asterisk no matter what: aws-cdk/packages/@aws-cdk/aws-stepfunctions-tasks/lib/athena/start-query-execution.ts Line 109 in 0eec163
How did you define |
|
@peterwoodworth - When I view the compiled TS for line 109, this is what comes out - I don't see it appending an asterisk after objectKey policyStatements.push(new iam.PolicyStatement({
actions: ['s3:AbortMultipartUpload',
's3:ListBucketMultipartUploads',
's3:ListMultipartUploadParts',
's3:PutObject'],
resources: [
this.props.resultConfiguration?.outputLocation?.bucketName
? cdk.Stack.of(this).formatArn({
region: '',
account: '',
service: 's3',
resource: this.props.resultConfiguration?.outputLocation?.bucketName,
resourceName: this.props.resultConfiguration?.outputLocation?.objectKey,
})
: '*',
], |
Yeah @jamescorrenti I'm seeing the exact same thing in the compilation. It's because the link I provided earlier isn't from a recent commit, I must have accidentally been looking at v1. The code was updated as of Here is the current code, should only need to adjust it such that the aws-cdk/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/athena/start-query-execution.ts Lines 103 to 123 in 3196cbc
|
|
Describe the bug
When synthesizing the following CDK/Python snippet, the resulting IAM configuration does not allow Athena to write the results to the designated output_bucket location:
Expected Behavior
I expect the policy to end in a dash and an asterisk, to ensure that the required Actions can take place on the resources inside the folder:
Current Behavior
The current Policy does not end in an asterisk, causing permission issues when output is written to the location:
The result of the current behavior is that Athena is not able to execute the query, and errors out with the following:
Reproduction Steps
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.82.0 (build 3a8648a)
Framework Version
No response
Node.js Version
Node.js v20.1.0
OS
macOS Ventura 13.4
Language
Python
Language Version
Python 3.11.0
Other information
Changing the
object_key
variable to"results/*"
causes the correct IAM Policy to be created, but the addition of the /* causes the actual location of the files in the S3 bucket to become:s3://S3_BUCKET_NAME/results/*/b7f41696-c586-49ec-a915-51e7e1379110.csv
The text was updated successfully, but these errors were encountered: