How do I troubleshoot the Access Denied Exception error when I access my cross-Region Amazon S3 bucket from Amazon EMR?

I want to troubleshoot the Access Denied Exception error that I receive when I access my Amazon Simple Storage Service (Amazon S3) bucket from Amazon EMR across AWS Regions.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Check your IAM role permissions

Make sure that the AWS Identity and Access Management (IAM) role that's assigned to your Amazon EMR cluster has the required permissions. To access the Amazon S3 bucket and its objects in the other Region, the role must have the s3:GetObject and s3:ListBucket permissions.

To check the IAM role permissions, run the following get-role-policy command:

aws iam get-role-policy --role-name example-cluster-role --policy-name example-policy

Note: Replace example-cluster-role with your Amazon EMR cluster role and example-policy with your policy name.

Check your Amazon S3 bucket policy

Make sure that your S3 bucket policy allows access from the Amazon EMR cluster's IAM role and AWS account. The bucket policy must allow the s3:GetObject and s3:ListBucket permissions to the Amazon EMR cluster's IAM role ARN and account ID.

To view and update the bucket policy, use the Amazon S3 console, or run the following get-bucket-policy command:

aws s3api get-bucket-policy --bucket example-bucket

Note: Replace example-bucket with your bucket name.
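
The two checks above (the IAM role policy and the bucket policy) can be applied to the returned policy JSON offline. The following is an added example, not AWS code or part of the original article. It reports which of the two required actions a policy document fails to allow, including the common case where s3:ListBucket is granted only on the object ARN (bucket/*) instead of the bucket ARN. Assumptions: the function names, the account ID, and the sample policy are constructed, and the check is simplified (it ignores Condition, NotAction, NotResource, NotPrincipal, and other policy types such as permissions boundaries).

```python
import json
import re

# Actions the article requires, with the ARN form each one is evaluated against.
REQUIRED = {
    "s3:ListBucket": "arn:aws:s3:::{bucket}",        # bucket-level action
    "s3:GetObject": "arn:aws:s3:::{bucket}/{key}",   # object-level action
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild(pattern, value, flags=0):
    # IAM wildcards: * matches any run of characters, ? matches exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, flags) is not None

def _principal_ok(stmt, role_arn):
    # Identity policies carry no Principal; bucket policies must name the role or its account.
    principal = stmt.get("Principal")
    if principal is None or principal == "*":
        return True
    account = role_arn.split(":")[4]
    allowed = {"*", role_arn, account, f"arn:aws:iam::{account}:root"}
    return any(p in allowed for p in _as_list(principal.get("AWS", [])))

def missing_permissions(policy_json, bucket, role_arn, key="constructed/key"):
    """Return the required actions this policy does not allow, or explicitly denies."""
    statements = _as_list(json.loads(policy_json)["Statement"])
    missing = []
    for action, template in REQUIRED.items():
        arn = template.format(bucket=bucket, key=key)
        effects = {
            s["Effect"] for s in statements
            if _principal_ok(s, role_arn)
            and any(_wild(a, action, re.I) for a in _as_list(s.get("Action", [])))
            and any(_wild(r, arn) for r in _as_list(s.get("Resource", [])))
        }
        if "Deny" in effects or "Allow" not in effects:
            missing.append(action)
    return missing

# Constructed sample values, not taken from a real account.
ROLE = "arn:aws:iam::111122223333:role/example-cluster-role"
OBJECTS_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ROLE},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": "arn:aws:s3:::example-bucket/*"}]})

print(missing_permissions(OBJECTS_ONLY, "example-bucket", ROLE))
```

Pass the function the PolicyDocument field from the get-role-policy output, or the Policy field from the get-bucket-policy output (already a JSON string).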

Use an Amazon S3 Amazon VPC endpoint

If you launched your Amazon EMR cluster within an Amazon Virtual Private Cloud (Amazon VPC), then use an Amazon S3 Amazon VPC endpoint to access the bucket. This allows traffic between Amazon S3 and Amazon VPC to remain within your network. For more information, see Create a gateway endpoint.

Check your PrivateLink configuration

If you use AWS PrivateLink to access the bucket from your Amazon EMR cluster, then make sure that you correctly configured PrivateLink. Also, make sure that you're using the required Amazon VPC endpoints and security group rules.

AWS OFFICIAL
Updated 3 months ago