What permissions are needed for Athena queries? #782

Closed
andy-han opened this issue Jun 29, 2021 · 3 comments · Fixed by #797
Labels
bug Something isn't working major release Will be addressed in the next major release ready to release

andy-han commented Jun 29, 2021

In the documentation for making read_sql_query requests, it says that if you choose to use ctas_approach=True it requires create/delete table permissions on Glue. If I also set ctas_database_name, why do I still need permissions on the database?

For example:

import awswrangler as wr

# `session` is an existing boto3.Session for the role being tested
df = wr.athena.read_sql_query(
    "SELECT * FROM my_table LIMIT 10;",
    database="temp1",
    ctas_database_name="temp2",
    boto3_session=session,
)

is erroring unless I give my role permission to CreateTable and DeleteTable on 'temp1'. Can you provide a list of IAM and LakeFormation permissions or more verbose examples of how to use "ctas_database_name"?

I want wrangler to have no access to create/delete tables in my main db but full access to do whatever it wants in the ctas_database_name database for any temporary tables.

@andy-han andy-han added the question Further information is requested label Jun 29, 2021
jaidisido (Contributor) commented

Thank you for raising this @andy-han, I believe it's a bug on our end. Specifically this line where the temporary table is deleted once the submitted query has completed. At the moment it always attempts to delete a table in the original database, regardless of whether a ctas_database_name parameter was provided or not. Modifying that line to:

catalog.delete_table_if_exists(database=ctas_database_name or database, table=name, boto3_session=boto3_session)

should solve the issue. I will raise a PR to mitigate this.
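The permission split requested in the issue, and why the pre-fix cleanup call breaks it, as an added example that is not part of the original thread or the project's code. The region, account ID, table name, the Glue read actions chosen and the simplified `allowed` evaluator are assumptions; Athena, S3 and Lake Formation permissions are not covered.

```python
from fnmatch import fnmatchcase

# Constructed sample values; substitute the real region and account ID.
REGION, ACCOUNT = "us-east-1", "111122223333"


def glue_arns(database, table="*"):
    """Catalog, database and table ARNs that a Glue table action is checked against."""
    base = f"arn:aws:glue:{REGION}:{ACCOUNT}"
    return [f"{base}:catalog", f"{base}:database/{database}",
            f"{base}:table/{database}/{table}"]


def scoped_policy(main_db, ctas_db):
    """Read-only Glue access on both databases; table create/delete only in ctas_db."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["glue:GetDatabase", "glue:GetTable", "glue:GetPartitions"],
         "Resource": glue_arns(main_db) + glue_arns(ctas_db)},
        {"Effect": "Allow",
         "Action": ["glue:CreateTable", "glue:DeleteTable"],
         "Resource": glue_arns(ctas_db)},
    ]}


def allowed(policy, action, database, table):
    """Simplified evaluation: one Allow statement must cover every ARN the call touches."""
    needed = glue_arns(database, table)
    for st in policy["Statement"]:
        if st["Effect"] == "Allow" and action in st["Action"]:
            if all(any(fnmatchcase(arn, pat) for pat in st["Resource"]) for arn in needed):
                return True
    return False  # nothing matched: implicit deny


def cleanup_target(database, ctas_database_name=None, fixed=True):
    """Database the temporary CTAS table is deleted from, before and after the fix."""
    return (ctas_database_name or database) if fixed else database


if __name__ == "__main__":
    policy = scoped_policy("temp1", "temp2")
    for fixed in (False, True):
        db = cleanup_target("temp1", "temp2", fixed=fixed)
        ok = allowed(policy, "glue:DeleteTable", db, "temp_table_example")
        print(f"fixed={fixed}: DeleteTable on {db} -> {'allowed' if ok else 'denied'}")
```
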

@jaidisido jaidisido self-assigned this Jul 3, 2021
@jaidisido jaidisido added bug Something isn't working and removed question Further information is requested labels Jul 3, 2021
@jaidisido jaidisido added this to the 2.10.0 milestone Jul 3, 2021
jaidisido (Contributor) commented

This has now been merged to main and can be tested:

pip uninstall awswrangler -y
pip install git+https://github.com/awslabs/aws-data-wrangler.git@main

until it's available in the next release.

@jaidisido jaidisido added major release Will be addressed in the next major release ready to release labels Jul 6, 2021
@jaidisido jaidisido linked a pull request Jul 6, 2021 that will close this issue
andy-han commented Jul 6, 2021

Thanks!
