AWS re:Post을(를) 사용하면 다음에 동의하게 됩니다. AWS re:Post 이용 약관

Access Denied Exception while accessing Cross Region S3 bucket from EMR.

1

I am using EMR 6.13.0(EMR on EC2) and it is present in eu-central-1 region. i have my s3 buckets in eu-central-1 and eu-west-1 region, i can be able to access the s3 buckets present in eu-central-1 but not in eu-west-1. I am getting the error as "An error occurred while calling o4562.save.\n: java.nio.file.AccessDeniedException: s3a://mybucket/path/path2: getFileStatus on s3a://mybucket/path/path2: com.amazonaws.services.s3.model.AmazonS3Exception: Forbidden (Service: Amazon S3; Status Code: 403; Error Code: 403 Forbidden; " Kindly help me to resolve the issue.

1개 답변
3

Hello,

This access denied exception in cross region bucket would be any one or more than one of the following reasons[1],

  • The user's IAM policy doesn't grant access to the bucket.
  • The object is encrypted by AWS Key Management Service (AWS KMS), and the user doesn't have access to the KMS key.
  • A deny statement in the bucket policy or IAM policy is blocking the user's access.
  • The Amazon Virtual Private Cloud (Amazon VPC) endpoint policy is blocking access to the bucket.
  • The AWS Organizations service control policy is blocking access to the bucket.
  • The object doesn't belong to the AWS account that owns the bucket.
  • Requester Pays is enabled on the bucket.

I would like to advice to look into IAM policy for your s3 bucket and check whether you have provided access to the account that you had your EMR cluster created in [2] [3].

{
  "AuthorizationConfiguration": {
    "EmrFsConfiguration": {
      "RoleMappings": [
        {
          "Role": "arn:aws:iam::DestinationAcctID:role/role_in_destination_account",
          "IdentifierType": "Prefix",
          "Identifiers": [
            "s3://doc-example-bucket/"
          ]
        }
      ]
    }
  }
}

Note that instead of removing suffix /*, you may add another line as below [4] because it would grant access to your s3 bucket and objects within your s3 bucket:

"s3://doc-example-bucket/",
"s3://doc-example-bucket/*"

To check if your account has access to the s3 bucket same region or cross-region, you can simply run $aws s3 ls s3://<bucket>/ on AWS CLI.

[1]https://aws.amazon.com/premiumsupport/knowledge-center/s3-cross-account-access-denied/

[2]https://aws.amazon.com/premiumsupport/knowledge-center/emrfs-cross-account-access/

[3]https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/

[4]https://stackoverflow.com/questions/51442105/cross-account-role-granting-s3-bucket-access-permission-denied

profile pictureAWS
지원 엔지니어
답변함 일 년 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인