Accessing S3 Object in EMR Trino
The Privacera Trino plugin does not sign S3 requests; it only performs access checks. All S3 authentication and request signing are handled by Trino running on EMR, using the IAM role attached to the EMR cluster.
When accessing S3 objects (for example, creating a table with a location such as s3://test-bucket) in EMR Trino 7.2.0, the Trino client validates whether the EMR cluster IAM role has the required S3 permissions.
Specifically, the IAM policy must allow the s3:GetObject action on the target S3 bucket or object path.
Note
This permission requirement is enforced by the Trino client in EMR 7.2.0 and applies even when Privacera is not enabled.
In contrast, the EMR 6.10 Trino client does not enforce this requirement, and the same operation may succeed without the s3:GetObject permission.
Prerequisites
From EMR Trino 7.2.0 onwards, the IAM role attached to the EMR cluster must include the s3:GetObject permission for any S3 locations accessed by Trino.
Sample IAM Policy
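The following is an added example, not Privacera's sample policy or code from the product: a constructed identity policy granting s3:GetObject on the page's example bucket, with an offline check that a policy document covers a given Trino table location. It assumes only `Action`/`Resource` statements in the role's identity policy are in play; bucket policies, SCPs, and permission boundaries are not evaluated, and the function names are hypothetical.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample policy (not Privacera's): s3:GetObject on every object
# under the page's example bucket, test-bucket.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::test-bucket/*"]}
  ]
}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, flags=0):
    # IAM wildcards: "*" matches any run of characters, "?" exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, flags) is not None

def location_to_arn(location):
    # s3://bucket/prefix -> arn:aws:s3:::bucket/prefix (object-level ARN)
    url = urlparse(location)
    return f"arn:aws:s3:::{url.netloc}/{url.path.lstrip('/')}"

def allows_get_object(policy, location):
    """True if some statement allows s3:GetObject on location and none denies it."""
    arn, allowed = location_to_arn(location), False
    for stmt in _as_list(policy["Statement"]):
        if stmt.keys() & {"NotAction", "NotResource", "Condition"}:
            raise ValueError("statement needs full IAM evaluation; use the policy simulator")
        # Action names are case-insensitive; resource ARNs are matched case-sensitively.
        hit = (any(_matches(a, "s3:GetObject", re.I) for a in _as_list(stmt["Action"]))
               and any(_matches(r, arn) for r in _as_list(stmt["Resource"])))
        if hit and stmt["Effect"] == "Deny":
            return False  # an explicit Deny always wins
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed
```
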