What should I edit in AWS bucket policy to work with MWAA (Airflow)

0

I have tried creating several buckets in AWS (all public access blocked) which have "Action": [ "s3:GetEncryptionConfiguration" ] included.

However, I keep getting the error Error occurred while trying to read bucket encryption configuration, please ensure that the s3:GetEncryptionConfiguration IAM permission is present at the airflow environment creation stage. Where should I be adding this IAM permission and how?

2 Answers
1

I believe this could be due to one of these two:

  • Are you using an S3 bucket owned by a different account? MWAA executes the code inside the provided bucket and as such the security standard regarding this S3 bucket is to be kept very high. As part of that, only buckets within the same account as the user trying to create the environment are allowed.
  • The S3 bucket field needs a high level S3 bucket in the format of s3://mybucket. It does not allow folders or prefixes. So, if you are using s3://mybucket/my-prefix, that would not work.

Let me know if that fixes your problem.

AWS
answered 2 years ago
AWS
EXPERT
Chris_G
reviewed 2 years ago
0

Thank you. It was probably number 2 - having used a folder. But I had fixed it using CloudFormation (which creates a top level bucket within the config) instead of going through the web console. Appreciate the help!

answered 2 years ago
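
An added example, not part of the original answers or AWS's own code: a shell preflight for the two causes listed in the first answer (a folder or prefix in the bucket value, and a bucket owned by another account). The function names and sample bucket values are constructed; `check_bucket_access` assumes the AWS CLI is installed and is run with the credentials of the user creating the environment.

```shell
#!/usr/bin/env bash
# Added example: preflight checks for the bucket value given to MWAA.
# Function names and sample values are constructed for illustration.

# Returns 0 for a bare top-level bucket (s3://name, or name without scheme),
# 1 if a folder/prefix is present, 2 if the bucket name itself is malformed.
check_bucket_ref() {
    cbr_ref="${1#s3://}"            # drop the scheme if present
    case "$cbr_ref" in
        */*) return 1 ;;            # s3://mybucket/my-prefix is rejected
    esac
    # General-purpose bucket names: 3-63 chars of a-z, 0-9, '.', '-'
    if printf '%s' "$cbr_ref" | grep -Eq '^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$'; then
        return 0
    fi
    return 2
}

# Confirms the bucket belongs to the caller's own account and that the caller
# may read its encryption configuration (s3:GetEncryptionConfiguration).
# Needs the AWS CLI and credentials, so it is not called below.
check_bucket_access() {
    cba_bucket="${1#s3://}"
    cba_account="$(aws sts get-caller-identity --query Account --output text)" || return 3
    # --expected-bucket-owner makes the request fail if another account owns the bucket
    aws s3api get-bucket-encryption --bucket "$cba_bucket" \
        --expected-bucket-owner "$cba_account" >/dev/null
}

# Offline run over constructed sample values.
for ref in "s3://mybucket" "s3://mybucket/my-prefix" "s3://My_Bucket"; do
    rc=0
    check_bucket_ref "$ref" || rc=$?
    case "$rc" in
        0) echo "ok        $ref" ;;
        1) echo "prefix    $ref (give MWAA the bucket only)" ;;
        *) echo "bad name  $ref" ;;
    esac
done
```

With credentials loaded, `check_bucket_access s3://mybucket` exits non-zero when the bucket is in another account or the permission is missing.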
