Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Root User Is Denied Access While Creating Glue Crawler and IAM Glue ETL

0

Hello, I am a new AWS user, I've added my billing method as well. However, I keep getting issues with IAM policies while creating jobs around Glue Crawler and Glue ETL in connection with item in my own S3 buckets. I have been searching through questions and I found many users having the same problem but no one has a fine solution. Please help me resolve this! Regards, Dat

Topics
Security, Identity, & Compliance
Tags
IAM Policies
Language
English
asked a year ago399 views
3 Answers
0
Accepted Answer

Hi, You're not alone; this is a very common issue for new AWS accounts, especially when working with AWS Glue + IAM + S3. Even if you're the root user, AWS still applies service control boundaries and missing role trust issues that can block you.

Step 1: Do NOT use the root user for Glue AWS strongly recommends creating an Admin IAM user or role instead of using the root user. To fix this properly:

Go to the AWS Console → IAM → Users → Create user

Give that user AdministratorAccess policy.

Use that IAM user for all Glue setup and permissions work.

Step 2: Create a Glue Service Role Glue jobs and crawlers need to assume a service role with access to S3, logs, etc.

Create an IAM role with the Glue service principal:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "glue.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }

Then attach these policies:

AmazonS3FullAccess (or scoped S3 access)

AWSGlueServiceRole

Important: Without the glue.amazonaws.com trust policy, Glue won’t be able to assume the role, even if you're root.

Step 3: Check S3 Bucket Permissions

Make sure your S3 bucket allows Glue access.

If your bucket has a restrictive bucket policy, you’ll need to allow access like this:

{ "Effect": "Allow", "Principal": { "Service": "glue.amazonaws.com" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::your-bucket-name/*" } Or better: rely on the IAM role's permissions and keep your bucket policy empty if possible. It avoids conflicts.

Step 4: Create the Crawler or Job Now, when creating the Glue Crawler or Job:

Select the IAM Role you created (not root or your user)

Point it to the S3 bucket path

For jobs, choose Spark or Python shell, and the same role

NOTE: If it still fails: Check IAM → Access Advisor and CloudTrail to see what action is denied.

Make sure your Glue role is in the same region as your Glue job.

answered a year ago
  • DatTienNguyen
    a year ago

    Many thanks for your instructions!

    I tried all of them but the problem persists...

    1. I created an admin IAM user with my own Account ID.
    2. I received this after creating AWSGlueServiceRole. I don;t know why it has the Source Account condition which also exists in Trust Relationships, but it still failed after I removed it. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": [ "arn:aws:s3:::my-s3-bucket/*" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "my-account-id" } } } ] }

    3-4. I also added the permissions for my S3 bucket and attached it to the Crawler.

    Checking the AccessAdvisor, I saw A limited Access Level of List and Read for IAM and Organizations Services with All Resources.

    Omg, this thing is about to drive me crazy...

0

I understand you're experiencing access denied issues while trying to create Glue Crawlers and Glue ETL jobs as a root user, despite having set up your billing method. This is a concerning situation that several AWS users have encountered.

First, it's important to note that using the root account for day-to-day operations, including creating Glue jobs and crawlers, is not recommended as a security best practice. Instead, it's advisable to create an IAM user or role with the necessary permissions for these tasks.

However, if you're encountering this issue as a root user, it could indicate a more significant problem with your AWS account. Here are a few steps you can take:

  1. Check if your AWS account is managed by AWS Organizations. If it is, there might be Service Control Policies (SCPs) in place that are denying Glue operations, even for the root user.

  2. Verify that you have the necessary permissions for both Glue operations and S3 access. The IAM role you're using should have policies like AWSGlueServiceRole and AmazonS3FullAccess attached.

  3. Try creating resources in different AWS regions to see if the issue persists across all regions.

  4. Review your AWS Glue and CloudTrail logs for any additional error messages or denial reasons that might provide more context.

If you've tried these steps and are still encountering issues, it's likely that there might be a problem at the account level. In this case, the best course of action is to open a case with AWS Support under the "Account and billing" category. This type of inquiry can be made free of charge, and AWS Support should be able to investigate any account-level restrictions or issues that might be preventing you from using Glue services.

Remember, if this is indeed an account-level problem, you may face similar issues with other AWS services as well. AWS Support will be best equipped to diagnose and resolve any underlying account issues.
Sources
I can't use root account to create Glue job or Glue Crawler | AWS re:Post
Account ************ is denied access while creating an aws glue crawler. I'm trying as a root account user. | AWS re:Post
Can't create a Glue Crawler (AccessDenied) | AWS re:Post
AWS GLUE account id - (14533334444 example id )access denied | AWS re:Post

answered a year ago
EXPERT
reviewed a year ago
0

Honestly, you’re really close. Glue + IAM + S3 can be super picky, especially the first time around.

Just a couple of things to double-check based on what you shared:

That aws:ResourceAccount condition you mentioned, it’s optional. It just ensures the bucket is in the same account. Since you're working within a single account, removing it is fine and shouldn’t break anything.

The trust relationship on your Glue role is critical. Even if your policies are perfect, if the trust policy doesn’t allow Glue to assume the role, it’ll silently fail. Just make sure it looks exactly like this: { "Effect": "Allow", "Principal": { "Service": "glue.amazonaws.com" }, "Action": "sts:AssumeRole" } What exact error are you seeing when you run the crawler? If it's something like AccessDeniedException or a failed role assumption, that points directly to either the trust policy or S3 bucket permissions.

If you’ve added a bucket policy, maybe try removing it temporarily — just rely on the IAM role alone. Sometimes bucket policies unintentionally block access, even when everything else is set up correctly.

You're clearly doing the right things; its probably one small piece left to fix.

answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content