Access Denied for Data Analysis and Visualization in AWS Workshop

0

I am closely following the Data Analysis and Visualization in AWS workshop. Once I create a job in Glue DataBrew and select the role that we set up with the permission given by the workshop, I get this error:

Access denied to s3:ListBucket for arn:aws:iam::311516367207:role/AWSGlueDataBrewServiceRole-data-analyst for location s3://my-bucket-311516367207/data-analysis-lab/. Error: Access Denied

However, when I run the permission simulator from my admin account, it says that the user does have permission to list bucket. I even redid the entire workshop from the beginning, and it still marks this error.

1 Answer
0

Ensure that the IAM role AWSGlueDataBrewServiceRole-data-analyst has trust relationships with the Glue service. Here's a sample trust policy assuming Glue is the service requiring access:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "glue.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Update the IAM policy attached to the role AWSGlueDataBrewServiceRole-data-analyst to allow the necessary S3 actions (s3:ListBucket, s3:GetObject, etc.) on the specific bucket (s3://my-bucket-311516367207/data-analysis-lab/). Here's a sample IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket-311516367207",
        "arn:aws:s3:::my-bucket-311516367207/data-analysis-lab/*"
      ]
    }
  ]
}

(Optional): Ensure that the S3 bucket (my-bucket-311516367207) has a policy allowing the necessary actions for the IAM role. Here's a sample bucket policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::311516367207:role/AWSGlueDataBrewServiceRole-data-analyst"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket-311516367207",
        "arn:aws:s3:::my-bucket-311516367207/data-analysis-lab/*"
      ]
    }
  ]
}

EXPERT
answered 3 months ago
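
Added example, not part of the answer above: s3:ListBucket is authorized against the bucket ARN, while s3:GetObject is authorized against object ARNs, so an Allow that names only a prefix path grants reads but not listing. The sketch below is a simplified matcher (it ignores Deny, Condition and policy variables); the bucket name, key name and helper functions are constructed placeholders.

```python
import re

BUCKET = "arn:aws:s3:::example-bucket"      # constructed placeholder bucket
PREFIX = BUCKET + "/data-analysis-lab"      # constructed placeholder prefix


def _glob(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, flags=re.DOTALL) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def allows(policy, action, resource_arn):
    """True if an Allow statement matches both the action and the resource ARN.

    Simplified model: ignores Deny, NotAction/NotResource, Condition and
    policy variables, which real IAM evaluation also applies.
    """
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        act_ok = any(_glob(a.lower(), action.lower()) for a in _as_list(st.get("Action", [])))
        res_ok = any(_glob(r, resource_arn) for r in _as_list(st.get("Resource", [])))
        if act_ok and res_ok:
            return True
    return False


def diagnose(policy):
    """Check the two requests a job reading the prefix makes (constructed key name)."""
    return {
        "s3:ListBucket": allows(policy, "s3:ListBucket", BUCKET),  # bucket-level
        "s3:GetObject": allows(policy, "s3:GetObject", PREFIX + "/sales.csv"),  # object-level
    }


# Constructed policy: both actions scoped only to prefix/object ARNs.
prefix_only = {"Statement": [{"Effect": "Allow",
                              "Action": ["s3:ListBucket", "s3:GetObject"],
                              "Resource": [PREFIX, PREFIX + "/*"]}]}

# Constructed policy: ListBucket on the bucket ARN, GetObject on the objects.
split_scope = {"Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": PREFIX + "/*"}]}

if __name__ == "__main__":
    print("prefix_only:", diagnose(prefix_only))
    print("split_scope:", diagnose(split_scope))
```

To keep listing limited to the prefix once ListBucket is granted on the bucket ARN, the usual approach is an `s3:prefix` condition on that statement, which this simplified matcher does not evaluate.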
