Error "Access Denied" when trying to connect to Amazon Athena


Published: 15 Jun 2021
Last Modified Date: 15 Jun 2021

Issue

When trying to connect to Amazon Athena, an error occurs:

Unexpected Error

[Simba][AthenaJDBC](100071) An error has been thrown from the AWS Athena client. com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied;

Error Code: E88DBC3B

Environment

  • Tableau Desktop 2019.1 or higher
  • Amazon Athena

Resolution

Work with your IT team to troubleshoot the "Access Denied" error and confirm the following:
  • Be sure that the IAM user has the required permissions to access the source data bucket and query result bucket
  • Attach the Amazon S3 bucket policy with required permissions for cross-account queries
  • Update your AWS KMS key policy
  • Be sure that the S3 bucket owner has access to objects
  • Verify that the AWS Glue Data Catalog policy allows access to the IAM user/role

Cause

The "Access Denied" error indicates that the issue occurs on the Amazon Athena side. It is usually caused by one of the following:
  • The AWS Identity and Access Management (IAM) user doesn't have one or more of the following permissions:
      • Read the source data bucket.
      • Write the results to the query result bucket.
  • The Amazon Simple Storage Service (Amazon S3) bucket policies don't allow the required permissions to the IAM user.
  • The object owner is different from the Amazon S3 bucket owner.
  • You don't have access to the AWS Key Management Service (AWS KMS) key that's used to read or write the encrypted data.
  • The AWS Glue Data Catalog policy doesn't allow access to the IAM user.
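
To narrow down which of these causes applies, the IAM user's identity policy can be checked offline before retrying the connection. The following is an added example, not part of the original article or of any Tableau or AWS tooling: it tests a policy document against an assumed minimum set of actions for each cause. The bucket names, account ID, key ARN and table name are constructed placeholders, and the check covers only Allow/Deny statements in one identity policy (no Condition or NotAction elements, bucket policies, KMS key policies or object ownership).

```python
import fnmatch

KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"  # constructed placeholder
# Assumed (action, resource) pairs per cause; bucket, account and table names are constructed.
REQUIRED = {
    "read source bucket": [
        ("s3:ListBucket", "arn:aws:s3:::example-source-bucket"),
        ("s3:GetObject", "arn:aws:s3:::example-source-bucket/data/part-0.parquet")],
    "write query results": [
        ("s3:GetBucketLocation", "arn:aws:s3:::example-results-bucket"),
        ("s3:PutObject", "arn:aws:s3:::example-results-bucket/athena/result.csv")],
    "use KMS key": [("kms:Decrypt", KEY), ("kms:GenerateDataKey", KEY)],
    "read Glue Data Catalog": [
        ("glue:GetTable", "arn:aws:glue:us-east-1:111122223333:table/exampledb/events")],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allowed(policy, action, resource):
    """Allow only if an Allow statement matches and no Deny statement matches."""
    granted = False
    for st in _as_list(policy["Statement"]):
        hit = (any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(st.get("Action", [])))
               and any(fnmatch.fnmatchcase(resource, r)
                       for r in _as_list(st.get("Resource", []))))
        if hit and st["Effect"] == "Deny":
            return False  # explicit Deny always wins
        granted = granted or (hit and st["Effect"] == "Allow")
    return granted

def missing_permissions(policy):
    """Map each failing check to the (action, resource) pairs the policy lacks."""
    gaps = {}
    for check, needs in REQUIRED.items():
        lacking = [(a, r) for a, r in needs if not allowed(policy, a, r)]
        if lacking:
            gaps[check] = lacking
    return gaps

# Constructed sample policy: can read results but not write them, and has no KMS grant.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-source-bucket", "arn:aws:s3:::example-source-bucket/*"]},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:GetBucketLocation"],
     "Resource": ["arn:aws:s3:::example-results-bucket", "arn:aws:s3:::example-results-bucket/*"]},
    {"Effect": "Allow", "Action": "glue:Get*", "Resource": "*"}]}

if __name__ == "__main__":
    for check, lacking in missing_permissions(SAMPLE_POLICY).items():
        print(check, "->", [a for a, _ in lacking])
```

A clean result here does not rule out the remaining causes: a bucket policy, KMS key policy or object-ownership mismatch on the resource side can still produce the same 403.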