对启用 Spark 的工作组进行故障排除 - Amazon Athena
使用现有 IAM 角色时,会话会停止响应
Amazon Web Services 文档中描述的 Amazon Web Services 服务或功能可能因区域而异。要查看适用于中国区域的差异,请参阅 中国的 Amazon Web Services 服务入门 (PDF)

对启用 Spark 的工作组进行故障排除

可使用以下信息在 Athena 中对启用 Spark 的工作组进行故障排除。

使用现有 IAM 角色时,会话会停止响应

如果您没有为启用 Spark 的工作组创建新的 AWSAthenaSparkExecutionRole,而是更新或选择了现有 IAM 角色,则会话可能会停止响应。在这种情况下,您可能需要向启用 Spark 的工作组执行角色添加以下信任和权限策略。

添加以下示例信任策略。该策略包含对执行角色进行混淆代理检查。将 111122223333aws-regionworkgroup-name 的值替换为您正在使用的 Amazon Web Services 账户 ID、Amazon Web Services 区域 和工作组。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "athena.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "111122223333"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:athena:aws-region:111122223333:workgroup/workgroup-name"
                }
            }
        }
    ]
}

为启用笔记本的工作组添加类似于以下默认策略的权限策略。修改占位符 Amazon S3 位置和 Amazon Web Services 账户 ID,使其与您正在使用的位置和 ID 相对应。将 DOC-EXAMPLE-BUCKETaws-region111122223333workgroup-name 的值替换为您正在使用的 Amazon S3 存储桶、Amazon Web Services 区域、Amazon Web Services 账户 ID 和工作组。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "athena:GetWorkGroup",
                "athena:CreatePresignedNotebookUrl",
                "athena:TerminateSession",
                "athena:GetSession",
                "athena:GetSessionStatus",
                "athena:ListSessions",
                "athena:StartCalculationExecution",
                "athena:GetCalculationExecutionCode",
                "athena:StopCalculationExecution",
                "athena:ListCalculationExecutions",
                "athena:GetCalculationExecution",
                "athena:GetCalculationExecutionStatus",
                "athena:ListExecutors",
                "athena:ExportNotebook",
                "athena:UpdateNotebook"
            ],
            "Resource": "arn:aws:athena:aws-region:111122223333:workgroup/workgroup-name"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:DescribeLogStreams",
                "logs:CreateLogGroup",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:aws-region:111122223333:log-group:/aws-athena:*",
                "arn:aws:logs:aws-region:111122223333:log-group:/aws-athena*:log-stream:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "logs:DescribeLogGroups",
            "Resource": "arn:aws:logs:aws-region:111122223333:log-group:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "cloudwatch:namespace": "AmazonAthenaForApacheSpark"
                }
            }
        }
    ]
}