Troubleshoot Spark-enabled workgroups
Use the following information to troubleshoot Spark-enabled workgroups in Athena.
Session stops responding when using an existing IAM role
If you did not create a new AWSAthenaSparkExecutionRole for your Spark-enabled workgroup and instead updated or chose an existing IAM role, your session might stop responding. In this case, you may need to add the following trust and permissions policies to your Spark-enabled workgroup execution role.
Add the following example trust policy. The policy includes a confused deputy check for the execution role. Replace the values for 111122223333, aws-region, and workgroup-name with the AWS account ID, AWS Region, and workgroup that you are using.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "athena.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "111122223333"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:athena:aws-region:111122223333:workgroup/workgroup-name"
                }
            }
        }
    ]
}
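To confirm that an existing role already carries the confused deputy check described above, a script along these lines can inspect the role's trust policy document. This is an added example, not code from the AWS documentation; the function names, the us-east-1 Region and the spark-wg workgroup are constructed, and it assumes that anything other than the exact account ID and workgroup ARN should be reported.

```python
import copy

SERVICE = "athena.amazonaws.com"

def _as_list(value):
    # IAM accepts either a single string or a list in most policy fields.
    return value if isinstance(value, list) else [value]

def _condition_values(stmt, operators, key):
    # Gather the values of one condition key under any of the given operators.
    found = []
    for op, block in stmt.get("Condition", {}).items():
        if op in operators:
            found += [v for k, vals in block.items()
                      if k.lower() == key.lower() for v in _as_list(vals)]
    return found

def _trusts_athena(stmt):
    # True when the statement lets the Athena service principal assume the role.
    principal = stmt.get("Principal")
    services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
    return (stmt.get("Effect") == "Allow" and SERVICE in services
            and "sts:AssumeRole" in _as_list(stmt.get("Action", [])))

def check_trust_policy(policy, account_id, region, workgroup):
    """Return a list of problems; empty means the policy matches the page's pattern."""
    expected_arn = f"arn:aws:athena:{region}:{account_id}:workgroup/{workgroup}"
    stmts = [s for s in _as_list(policy.get("Statement", [])) if _trusts_athena(s)]
    if not stmts:
        return [f"no Allow statement lets {SERVICE} call sts:AssumeRole"]
    problems = []
    for s in stmts:
        accounts = _condition_values(s, {"StringEquals"}, "aws:SourceAccount")
        arns = _condition_values(s, {"ArnLike", "ArnEquals"}, "aws:SourceArn")
        if accounts != [account_id]:
            problems.append(f"aws:SourceAccount is {accounts or 'missing'}, expected {account_id}")
        if arns != [expected_arn]:
            problems.append(f"aws:SourceArn is {arns or 'missing'}, expected {expected_arn}")
    return problems

# Constructed sample values (not real resources): us-east-1, spark-wg.
GOOD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": SERVICE}, "Action": "sts:AssumeRole",
    "Condition": {
        "StringEquals": {"aws:SourceAccount": "111122223333"},
        "ArnLike": {"aws:SourceArn": "arn:aws:athena:us-east-1:111122223333:workgroup/spark-wg"}}}]}
NO_CONDITION = copy.deepcopy(GOOD)
del NO_CONDITION["Statement"][0]["Condition"]

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("NO_CONDITION", NO_CONDITION)):
        print(name, check_trust_policy(doc, "111122223333", "us-east-1", "spark-wg"))
```

The policy argument is the parsed JSON of the role's trust relationship, so the same function can be run against a document exported from the IAM console.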
Add a permissions policy like the following default policy for notebook-enabled workgroups. Modify the placeholder Amazon S3 locations and AWS account IDs to correspond to the ones that you are using. Replace the values for amzn-s3-demo-bucket, aws-region, 111122223333, and workgroup-name with the Amazon S3 bucket, AWS Region, AWS account ID, and workgroup that you are using.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket/*",
                "arn:aws:s3:::amzn-s3-demo-bucket"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "athena:GetWorkGroup",
                "athena:CreatePresignedNotebookUrl",
                "athena:TerminateSession",
                "athena:GetSession",
                "athena:GetSessionStatus",
                "athena:ListSessions",
                "athena:StartCalculationExecution",
                "athena:GetCalculationExecutionCode",
                "athena:StopCalculationExecution",
                "athena:ListCalculationExecutions",
                "athena:GetCalculationExecution",
                "athena:GetCalculationExecutionStatus",
                "athena:ListExecutors",
                "athena:ExportNotebook",
                "athena:UpdateNotebook"
            ],
            "Resource": "arn:aws:athena:aws-region:111122223333:workgroup/workgroup-name"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:DescribeLogStreams",
                "logs:CreateLogGroup",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:aws-region:111122223333:log-group:/aws-athena:*",
                "arn:aws:logs:aws-region:111122223333:log-group:/aws-athena*:log-stream:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "logs:DescribeLogGroups",
            "Resource": "arn:aws:logs:aws-region:111122223333:log-group:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:PutMetricData"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "cloudwatch:namespace": "AmazonAthenaForApacheSpark"
                }
            }
        }
    ]
}