Skip to content

Accessing S3 Object in EMR Trino

The Privacera Trino plugin performs authorization checks to determine whether a user is permitted to access a specified Amazon S3 path. It does not perform S3 authentication or request signing.

All S3 authentication and request signing are handled by Trino running on Amazon EMR, using the IAM role attached to the EMR cluster.

Beginning with EMR Trino version 7.2.0, Trino validates that the EMR cluster IAM role has the required S3 permissions when accessing S3 objects—for example, when creating a table with a location such as s3://test-bucket.

The IAM policy attached to the EMR cluster role must explicitly allow the necessary S3 actions (such as s3:GetObject, s3:ListBucket, and s3:PutObject) on the target S3 bucket or object path, depending on the Trino operation being performed.

Note

This permission requirement is enforced by the Trino client in EMR 7.2.0 onwards and applies even when Privacera is not enabled.

In contrast, the EMR 6.10 Trino client does not enforce this requirement, and the same operation may succeed without the IAM permissions.

Prerequisites

From EMR Trino 7.2.0 onwards, the EMR cluster’s IAM role must include the following minimal S3 permissions for Trino use cases.

Sample IAM Policy

JSON
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket",
        "arn:aws:s3:::your-bucket/*"
      ],
      "Sid": "EmrTrinoS3Limited"
    }
  ]
}