From 54b342cc53f36d3daec68d6e3e00483660c7e9fc Mon Sep 17 00:00:00 2001
From: Amit Kumar
Date: Wed, 11 Nov 2020 17:54:51 +0000
Subject: [PATCH 1/2] Fixed the Athena policy issue to allow access to userDefinedFunction ARN Updated the resource name from `userdefinedfunction` to `userDefinedFunction`. This will reflect the correct arn for user-defined function as mentioned on page 257 in https://docs.aws.amazon.com/athena/latest/ug/athena-ug.pdf Incorrect ARN: `arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:userdefinedfunction/*` After applying the change correct ARN: `arn:${AWS::Partition}:glue:${AWS::Region}:${AWS::AccountId}:userDefinedFunction/*`
---
 .../aws-stepfunctions-tasks/lib/athena/start-query-execution.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/lib/athena/start-query-execution.ts b/packages/@aws-cdk/aws-stepfunctions-tasks/lib/athena/start-query-execution.ts
index 50dc1b03a24bc..161c0b7019e9d 100644
--- a/packages/@aws-cdk/aws-stepfunctions-tasks/lib/athena/start-query-execution.ts
+++ b/packages/@aws-cdk/aws-stepfunctions-tasks/lib/athena/start-query-execution.ts
@@ -157,7 +157,7 @@ export class AthenaStartQueryExecution extends sfn.TaskStateBase {
 }),
 cdk.Stack.of(this).formatArn({
 service: 'glue',
- resource: 'userdefinedfunction',
+ resource: 'userDefinedFunction',
 resourceName: (this.props.queryExecutionContext?.databaseName ?? 'default') + '/*', // grant access to get all user defined functions for the particular database in the request or the default database https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awsglue.html
 }),
 ],
From d198c3a20f1892334978792cf425f2b1f0e3ae76 Mon Sep 17 00:00:00 2001
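Review bot: The casing of `resource: 'userDefinedFunction'` is load-bearing, since the commit message shows the lower-case form rendering an ARN that did not match the Glue resource, yet the line carries no comment saying so and this patch adds no unit-level assertion for it. I would put `// Glue resource type is matched case-sensitively in the ARN: must be 'userDefinedFunction'` above the `resource:` line and assert the rendered ARN suffix in the task's unit test, so a later tidy-up does not quietly drop the grant again. Separately, `resourceName` is built from `this.props.queryExecutionContext?.databaseName`; if that property can hold a value resolved only when the state machine runs (not visible in this hunk), the statement would be scoped to the unresolved expression rather than a database name, which is worth confirming. The enclosing policy-building method starts and ends outside the hunk.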
From: Shiv Lakshminarayan
Date: Thu, 12 Nov 2020 13:21:35 -0800
Subject: [PATCH 2/2] update integ test expectations
---
 .../test/athena/integ.get-query-execution.expected.json | 4 ++--
 .../test/athena/integ.get-query-results.expected.json | 4 ++--
 .../test/athena/integ.start-query-execution.expected.json | 4 ++--
 .../test/athena/integ.stop-query-execution.expected.json | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/athena/integ.get-query-execution.expected.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/athena/integ.get-query-execution.expected.json
index 07442708a7080..2e06603d20af1 100644
--- a/packages/@aws-cdk/aws-stepfunctions-tasks/test/athena/integ.get-query-execution.expected.json
+++ b/packages/@aws-cdk/aws-stepfunctions-tasks/test/athena/integ.get-query-execution.expected.json
@@ -89,7 +89,7 @@
 "s3:ListBucket",
 "s3:GetBucketLocation",
 "s3:GetObject"
- ],
+ ],
 "Effect": "Allow",
 "Resource": "*"
 },
@@ -208,7 +208,7 @@
 {
 "Ref": "AWS::AccountId"
 },
- ":userdefinedfunction/mydatabase/*"
+ ":userDefinedFunction/mydatabase/*"
 ]
 ]
 }
diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/athena/integ.get-query-results.expected.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/athena/integ.get-query-results.expected.json
index b11ec6cee2c3a..444c2edcf72de 100644
--- a/packages/@aws-cdk/aws-stepfunctions-tasks/test/athena/integ.get-query-results.expected.json
+++ b/packages/@aws-cdk/aws-stepfunctions-tasks/test/athena/integ.get-query-results.expected.json
@@ -89,7 +89,7 @@
 "s3:ListBucket",
 "s3:GetBucketLocation",
 "s3:GetObject"
- ],
+ ],
 "Effect": "Allow",
 "Resource": "*"
 },
@@ -208,7 +208,7 @@
 {
 "Ref": "AWS::AccountId"
 },
- ":userdefinedfunction/mydatabase/*"
+ ":userDefinedFunction/mydatabase/*"
 ]
 ]
 }
diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/athena/integ.start-query-execution.expected.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/athena/integ.start-query-execution.expected.json
index 200fc56302b66..fb4d0e0169f51 100644
--- a/packages/@aws-cdk/aws-stepfunctions-tasks/test/athena/integ.start-query-execution.expected.json
+++ b/packages/@aws-cdk/aws-stepfunctions-tasks/test/athena/integ.start-query-execution.expected.json
@@ -89,7 +89,7 @@
 "s3:ListBucket",
 "s3:GetBucketLocation",
 "s3:GetObject"
- ],
+ ],
 "Effect": "Allow",
 "Resource": "*"
 },
@@ -208,7 +208,7 @@
 {
 "Ref": "AWS::AccountId"
 },
- ":userdefinedfunction/mydatabase/*"
+ ":userDefinedFunction/mydatabase/*"
 ]
 ]
 }
diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/athena/integ.stop-query-execution.expected.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/athena/integ.stop-query-execution.expected.json
index a25e8d93b5bba..aa90bd274d85f 100644
--- a/packages/@aws-cdk/aws-stepfunctions-tasks/test/athena/integ.stop-query-execution.expected.json
+++ b/packages/@aws-cdk/aws-stepfunctions-tasks/test/athena/integ.stop-query-execution.expected.json
@@ -89,7 +89,7 @@
 "s3:ListBucket",
 "s3:GetBucketLocation",
 "s3:GetObject"
- ],
+ ],
 "Effect": "Allow",
 "Resource": "*"
 },
@@ -208,7 +208,7 @@
 {
 "Ref": "AWS::AccountId"
 },
- ":userdefinedfunction/mydatabase/*"
+ ":userDefinedFunction/mydatabase/*"
 ]
 ]
 }