对启用 Spark 的工作组进行故障排除 - Amazon Athena
使用现有 IAM 角色时,会话会停止响应

对启用 Spark 的工作组进行故障排除

可使用以下信息在 Athena 中对启用 Spark 的工作组进行故障排除。

使用现有 IAM 角色时,会话会停止响应

如果您没有为启用 Spark 的工作组创建新的 AWSAthenaSparkExecutionRole,而是更新或选择了现有 IAM 角色,则会话可能会停止响应。在这种情况下,您可能需要向启用 Spark 的工作组执行角色添加以下信任和权限策略。

添加以下示例信任策略。该策略包含对执行角色进行混淆代理检查。将 111122223333aws-regionworkgroup-name 的值替换为您正在使用的 AWS 账户 ID、AWS 区域 和工作组。

JSON
{
    "Version": "2012-10-17",		 	 	 
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "athena.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "111122223333"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:athena:us-east-1:111122223333:workgroup/workgroup-name"
                }
            }
        }
    ]
}

为启用笔记本的工作组添加类似于以下默认策略的权限策略。修改占位符 Amazon S3 位置和 AWS 账户 ID,使其与您正在使用的位置和 ID 相对应。将 amzn-s3-demo-bucketaws-region111122223333workgroup-name 的值替换为您正在使用的 Amazon S3 存储桶、AWS 区域、AWS 账户 ID 和工作组。

JSON
{ "Version": "2012-10-17",		 	 	  "Statement": [ { "Effect": "Allow", "Action": [
    "s3:PutObject", "s3:ListBucket", "s3:DeleteObject", "s3:GetObject" ], "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket/*",
        "arn:aws:s3:::amzn-s3-demo-bucket" ] }, { "Effect": "Allow",
    "Action": [ "athena:GetWorkGroup", "athena:CreatePresignedNotebookUrl",
    "athena:TerminateSession", "athena:GetSession", "athena:GetSessionStatus",
    "athena:ListSessions", "athena:StartCalculationExecution", "athena:GetCalculationExecutionCode",
    "athena:StopCalculationExecution", "athena:ListCalculationExecutions",
    "athena:GetCalculationExecution", "athena:GetCalculationExecutionStatus",
    "athena:ListExecutors", "athena:ExportNotebook", "athena:UpdateNotebook" ], "Resource":
            "arn:aws:athena:us-east-1:111122223333:workgroup/workgroup-name"
    }, { "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:DescribeLogStreams",
    "logs:CreateLogGroup", "logs:PutLogEvents" ], "Resource": [
            "arn:aws:logs:us-east-1:111122223333:log-group:/aws-athena:*",
            "arn:aws:logs:us-east-1:111122223333:log-group:/aws-athena*:log-stream:*"
    ] }, { "Effect": "Allow", "Action": "logs:DescribeLogGroups", "Resource":
            "arn:aws:logs:us-east-1:111122223333:log-group:*"
    }, { "Effect": "Allow", "Action": [ "cloudwatch:PutMetricData" ], "Resource": "*", "Condition":
    { "StringEquals": { "cloudwatch:namespace": "AmazonAthenaForApacheSpark" } } } ] }