What IAM Permissions are needed to do a CreateJob for S3 Batch?

0

I am getting this error, and I can't figure out what permission to enable to allow me to create the job.

"An error occurred (AccessDenied) when calling the CreateJob operation: Access Denied"

when I try to execute a create_job command with an s3control client in boto3, as part of a lambda function. (https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3control.html#S3Control.Client.create_job).

I'm trying to create a PUTCOPY job.

I have granted the lambda function full S3 access via the AWS managed S3 policy, and I have granted the role that the S3 batch job is supposed to run under inside the create_job function full S3 access via the AWS managed S3 policy.

Is there another permission I need to enable somewhere to allow CreateJob for S3 Batch?

Asked 5 years ago, 2772 views
5 answers
0

Thanks for your question.

The Lambda function's permissions govern what the Lambda function can do and the IAM role passed to S3 Batch Operations allows the feature to read your manifest, invoke Lambda, write the job report, etc.

What you'll need to create the job are the permissions for "s3:CreateJob and iam:PassRole." So within boto3 this will be based on your user identity when you make the CreateJob call.

AWS
awsrwx
Answered 5 years ago
0

Wrong forum sorry

Edited by: dsmirnov on May 23, 2019 12:20 PM

Answered 5 years ago
0

Hi Rob, thanks for your reply and your explanation. I do have iam:PassRole added to the user identity that the Lambda Function runs under.

However, for some reason, I do not see a CreateJob permission under S3 in my IAM when I look at the S3 permission. The only permission that comes up when I type "Create" in the search box is "CreateBucket". Is this permission present in the IAM console, or does it have to be added programmatically?

Thank you!

edit: to further clarify, since I posted the original message, I realized that the CreateJob IS allowed with s3:* permissions enabled on both the user identity for the lambda function and the role that the S3 batch job runs under (there is apparently a short delay in the permissions change becoming consistent). However, when I did narrow back the permissions for production to be properly restrictive, I still get the access denied error. As noted by robwaws, the permissions needed for the lambda function that creates the S3 Batch Job are "s3:CreateJob and iam:PassRole", and so the question still is: where is the CreateJob permission located?

Edited by: James3732 on May 24, 2019 6:27 AM

Answered 5 years ago
0

Thanks for the update. We'll work to add more about CreateJob to our documentation and to include S3 Batch Operations API actions in the IAM visual editor. "s3:CreateJob" is the permission required to create the job and would be required by the user or Lambda function creating the job. The same entity would also need the "iam:PassRole" permission to pass the IAM role specified for the job to S3 Batch Operations.

AWS
awsrwx
Answered 5 years ago
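A least-privilege version of what the answer above describes, as an added example that is not code from this thread: the job creator's policy carries s3:CreateJob plus iam:PassRole scoped to the one batch role and to the S3 Batch Operations service, and a small local check confirms which calls the document allows before it goes anywhere near the console. The account id and role name are placeholders, and is_allowed is a deliberately minimal evaluator, not IAM's.

```python
import fnmatch
from typing import Optional

# Placeholder ARN (assumption, not from the thread): the role S3 Batch Operations runs the job under.
BATCH_ROLE_ARN = "arn:aws:iam::111122223333:role/S3BatchOpsRole"
BATCH_SERVICE = "batchoperations.s3.amazonaws.com"


def job_creator_policy(batch_role_arn: str) -> dict:
    """Policy for the identity calling CreateJob (e.g. the Lambda execution role).
    s3:CreateJob has no resource-level scoping, so it takes '*'; iam:PassRole is
    pinned to the batch role and only when passed to S3 Batch Operations."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:CreateJob", "Resource": "*"},
            {
                "Effect": "Allow",
                "Action": "iam:PassRole",
                "Resource": batch_role_arn,
                "Condition": {"StringEquals": {"iam:PassedToService": BATCH_SERVICE}},
            },
        ],
    }


def batch_role_trust_policy() -> dict:
    """Trust policy the batch role itself needs so the service can assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"Service": BATCH_SERVICE},
                       "Action": "sts:AssumeRole"}],
    }


def is_allowed(policy: dict, action: str, resource: str,
               passed_to: Optional[str] = None) -> bool:
    """Minimal local check: Allow statements only, wildcard matching on action
    (case-insensitive) and resource, and the single iam:PassedToService condition."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        ress = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in acts):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in ress):
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("iam:PassedToService")
        if wanted is not None and wanted != passed_to:
            continue
        return True
    return False
```

The visual editor may still flag s3:CreateJob as unrecognised, but a statement written this way in the JSON editor is applied as-is.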
0

Great, thank you. I added the CreateJob permissions manually in the json editor, and now the code can create the job via boto3.

Also, for the help of future readers: even after you add the CreateJob permission in the JSON editor, the console does show a warning hazard, with the text something like "IAM does not recognize one or more actions. The action name might include a typo or might be part of a previewed or custom service." I'm assuming this will disappear once AWS updates the IAM visual editor. Even though the warning shows up, the permission is applied.

Thanks again for your help, robwaws.

Answered 5 years ago
