metabase-athena-driver icon indicating copy to clipboard operation
metabase-athena-driver copied to clipboard

Published 20 hours ago verified publisher icon dacort

Glue availability check failed due to missing permission

Open matthias-pichler opened this issue 3 years ago • 3 comments

It seems that the sample policy in the readme is missing glue:GetCatalogImportStatus

I got the following error:

Jun 22 14:32:00.128 DEBUG 699 com.simba.athena.athena.api.AJClient.checkGlueSupport: An exception was caught during AWS Glue availability detection operation. Detail: com.simba.athena.amazonaws.services.glue.model.AccessDeniedException: User: arn:aws:sts::xxxxx:assumed-role/metabase-service-prod-TaskRole30FC0FBB-R2HVOCHLUUGP/a499929205b74b0ca2e3f65456e66625 is not authorized to perform: glue:GetCatalogImportStatus on resource: arn:aws:glue:eu-west-1:xxxxx:catalog because no identity-based policy allows the glue:GetCatalogImportStatus action (Service: AWSGlue; Status Code: 400; Error Code: AccessDeniedException; Request ID: e8fb47f5-70a2-4c43-81e2-95af8b11fdc3; Proxy: null)

matthias-pichler avatar Jun 22 '22 14:06 matthias-pichler

Interesting - I hadn't run into that one before. I will try to validate the current policy - I don't think I've updated it since upgrading the JDBC driver so there could likely be some gaps. Thank you!

dacort avatar Jun 22 '22 14:06 dacort

It might be related to the fact that I have AWS LakeFormation enabled in this account

matthias-pichler avatar Jun 22 '22 14:06 matthias-pichler

Ah yep, that was going to be a guess of mine. Thanks for that extra detail!

dacort avatar Jun 23 '22 06:06 dacort

Closing as part of cleanup now that Athena is officially supported by Metabase. Any future issues can be asked about on their forum or with a detailed bug report.

dacort avatar Dec 08 '22 18:12 dacort