
Calling AWS Textract with aws_access_key_id & aws_secret_access_key throws "AccessDeniedException" error when hosted on Netlify or Vercel

0

Of course, the code works on my local development environment. But when hosted in the cloud, I get this error:

**AccessDeniedException: User: arn:aws:sts::650953327525:assumed-role/aws-lambda-execute/bb1f13f7ade41dcdc6e829bcb190797999bf7ed69e873b772ad3ab439c745868 is not authorized to perform: textract:AnalyzeID because no identity-based policy allows the textract:AnalyzeID action**

```js
// JS Code Extract...

aws.config.update({
    aws_access_key_id: process.env.AWS_TEXTRACT_ACCESS_KEY_ID,
    aws_secret_access_key: process.env.AWS_TEXTRACT_SECRET_ACCESS_KEY
});

const textract = new aws.Textract({
    apiVersion: '2018-06-27',
    region: process.env.AWS_TEXTRACT_REGION
});

const analyzeIdentity = await textract.analyzeID(textractParams).promise()
    .catch((error) => {
        console.error('AnalyzeID Error: ', error);
        throw error;
    });
```

The IAM access keys I'm using have the following permissions...

Any idea what I'm missing or doing incorrectly?

2 Answers
0

It looks like you are using the access key but doing the Assume role.
Normally, the IAM user would be the executing user.
Is the AWS account listed in the ARN below the one you are using?
If correct, try setting the policy to the IAM role called aws-lambda-execute.

arn:aws:sts::650953327525:assumed-role/aws-lambda-execute/bb1f13f7ade41dcdc6e829bcb190797999bf7ed69e873b772ad3ab439c745868
EXPERT
answered 3 years ago
EXPERT
reviewed 3 years ago
0

I guess the problem is that when hosting the web app on Netlify or Vercel, they load any API methods defined in the web app into Lambda as a serverless function. This creates an issue that is not faced when running the web app on the local development environment.

  1. In any case, I created a new IAM Role "TextractorWebhook" with full permissions to Textract.

I also added a trust relationship in the role, for my IAM user "developer" to assume it:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::169693454259:user/developer" },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Unfortunately, that doesn't seem to solve the problem, as I am getting this error message: AccessDenied: User: arn:aws:sts::169693454259:assumed-role/TextractorWebhook/TextractWebhookSession is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::169693454259:role/TextractorWebhook

  2. I added a new inline policy to the user "developer" named "STSAssumeRolePolicy" to grant all "sts" actions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "sts:*",
      "Resource": [ "arn:aws:iam::169693454259:role/TextractorWebhook" ]
    }
  ]
}
```

But again, this has not resolved the problem. I get the same error message.

What else am I missing here?

answered 3 years ago
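Added example, not part of either answer: a small diagnostic that reads the two access-denied messages quoted in this thread and reports which principal actually signed each request. The function names `parseCaller` and `diagnose` are hypothetical; the message strings and the account ID are copied from the page.

```javascript
// Added example: both messages and the account ID are copied from this page.
const ERR_TEXTRACT = 'User: arn:aws:sts::650953327525:assumed-role/aws-lambda-execute/' +
  'bb1f13f7ade41dcdc6e829bcb190797999bf7ed69e873b772ad3ab439c745868 is not authorized to ' +
  'perform: textract:AnalyzeID because no identity-based policy allows the textract:AnalyzeID action';
const ERR_ASSUME = 'User: arn:aws:sts::169693454259:assumed-role/TextractorWebhook/' +
  'TextractWebhookSession is not authorized to perform: sts:AssumeRole on resource: ' +
  'arn:aws:iam::169693454259:role/TextractorWebhook';
const MY_ACCOUNT = '169693454259'; // account that owns the "developer" user

// Split the "User:" ARN of an access-denied message into its parts.
function parseCaller(message) {
  const m = /User: arn:aws:(iam|sts)::(\d{12}):(user|assumed-role)\/(\S+)/.exec(message);
  if (!m) return null;
  const [, service, accountId, kind, rest] = m;
  if (kind !== 'assumed-role') return { service, accountId, kind, name: rest, sessionName: null };
  const [name, ...session] = rest.split('/');
  return { service, accountId, kind, name, sessionName: session.join('/') || null };
}

// Compare the principal that actually signed the request with the one expected.
function diagnose(message, expectedAccountId) {
  const caller = parseCaller(message);
  if (!caller) return { caller: null, action: null, resource: null, findings: ['no caller ARN in message'] };
  const action = (/not authorized to perform: (\S+)/.exec(message) || [])[1] || null;
  const resource = (/on resource: (arn:aws:\S+)/.exec(message) || [])[1] || null;
  const findings = [];
  if (caller.kind === 'assumed-role') {
    findings.push(`signed by a session of role "${caller.name}", not by an IAM user access key`);
  }
  if (caller.accountId !== expectedAccountId) {
    findings.push(`caller is in account ${caller.accountId}, not ${expectedAccountId}`);
  }
  if (action === 'sts:AssumeRole' &&
      resource === `arn:aws:iam::${caller.accountId}:role/${caller.name}`) {
    findings.push(`caller is already a session of "${caller.name}" and tries to assume it again`);
  }
  return { caller, action, resource, findings };
}

for (const msg of [ERR_TEXTRACT, ERR_ASSUME]) {
  const d = diagnose(msg, MY_ACCOUNT);
  console.log(d.action, '<-', d.caller.kind, d.caller.name, d.findings);
}
```

For the first message this reports a role session in account 650953327525, while the policies being edited on this page are in 169693454259. That is consistent with the AWS SDK for JavaScript v2 not recognising `aws_access_key_id` / `aws_secret_access_key` in `config.update` (it expects `accessKeyId` and `secretAccessKey`) and falling back to the credentials already present in the function's environment.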
