Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen

Access Denied Exception while accessing Cross Region S3 bucket from EMR.

1

I am using EMR 6.13.0(EMR on EC2) and it is present in eu-central-1 region. i have my s3 buckets in eu-central-1 and eu-west-1 region, i can be able to access the s3 buckets present in eu-central-1 but not in eu-west-1. I am getting the error as "An error occurred while calling o4562.save.\n: java.nio.file.AccessDeniedException: s3a://mybucket/path/path2: getFileStatus on s3a://mybucket/path/path2: com.amazonaws.services.s3.model.AmazonS3Exception: Forbidden (Service: Amazon S3; Status Code: 403; Error Code: 403 Forbidden; " Kindly help me to resolve the issue.

1 Antwort
3

Hello,

This access denied exception in cross region bucket would be any one or more than one of the following reasons[1],

  • The user's IAM policy doesn't grant access to the bucket.
  • The object is encrypted by AWS Key Management Service (AWS KMS), and the user doesn't have access to the KMS key.
  • A deny statement in the bucket policy or IAM policy is blocking the user's access.
  • The Amazon Virtual Private Cloud (Amazon VPC) endpoint policy is blocking access to the bucket.
  • The AWS Organizations service control policy is blocking access to the bucket.
  • The object doesn't belong to the AWS account that owns the bucket.
  • Requester Pays is enabled on the bucket.

I would like to advice to look into IAM policy for your s3 bucket and check whether you have provided access to the account that you had your EMR cluster created in [2] [3].

{
  "AuthorizationConfiguration": {
    "EmrFsConfiguration": {
      "RoleMappings": [
        {
          "Role": "arn:aws:iam::DestinationAcctID:role/role_in_destination_account",
          "IdentifierType": "Prefix",
          "Identifiers": [
            "s3://doc-example-bucket/"
          ]
        }
      ]
    }
  }
}

Note that instead of removing suffix /*, you may add another line as below [4] because it would grant access to your s3 bucket and objects within your s3 bucket:

"s3://doc-example-bucket/",
"s3://doc-example-bucket/*"

To check if your account has access to the s3 bucket same region or cross-region, you can simply run $aws s3 ls s3://<bucket>/ on AWS CLI.

[1]https://aws.amazon.com/premiumsupport/knowledge-center/s3-cross-account-access-denied/

[2]https://aws.amazon.com/premiumsupport/knowledge-center/emrfs-cross-account-access/

[3]https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/

[4]https://stackoverflow.com/questions/51442105/cross-account-role-granting-s3-bucket-access-permission-denied

profile pictureAWS
SUPPORT-TECHNIKER
beantwortet vor einem Jahr

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen