How to transcribe a call with the AWS Transcribe API?

0

I got this error when I'm trying to transcribe a call:

Account isn't authorized to call this operation. Check your account perm

I think the bad property is DataAccessRoleArn. I tried to create a new role in the IAM console, but it does not work.

Here's the full PHP code:

<?php
require 'vendor/autoload.php';

use Aws\TranscribeService\TranscribeServiceClient;

$awsKey = "{awsKey}";
$awsSecretKey = "{awsSecretKey}";

$clientAWS = new TranscribeServiceClient([
    'region' => 'eu-west-3',
    'version' => 'latest',
    'credentials' => [
        'key' => $awsKey,
        'secret' => $awsSecretKey
    ],
]);

$result = $clientAWS->startCallAnalyticsJob([
    'CallAnalyticsJobName' => 'Transcript1', // REQUIRED
    'ChannelDefinitions' => [
        [
            'ChannelId' => 0,
            'ParticipantRole' => 'AGENT',
        ],
        [
            'ChannelId' => 1,
            'ParticipantRole' => 'CUSTOMER',
        ]
    ],
    'DataAccessRoleArn' => 'arn:aws:iam::{id}:role/AWSRole', // REQUIRED
    'Media' => [ // REQUIRED
        'MediaFileUri' => 's3://{bucketName}/2022/02/23/file.wav',
        'RedactedMediaFileUri' => 's3://{bucketName}/2022/02/23/',
    ],
    'Settings' => [
        'ContentRedaction' => [
            'RedactionOutput' => 'redacted', // REQUIRED
            'RedactionType' => 'PII', // REQUIRED
        ],
    ],
]);

print_r($result);

Do you know how to fix the role issue?

Thank you in advance,

J.

asked 2 years ago, 1268 views
2 Answers
0
Accepted Answer

For fixing this issue, you have to:

  • Select a compatible region (in my case eu-central-1)
  • Create a new role with the AmazonS3FullAccess policy (just for testing, adjust for security) and this trust entity:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "transcribe.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }

  • Attach the AmazonTranscribeFullAccess and AmazonS3FullAccess policies to your IAM user (just for testing, adjust for security)
answered 2 years ago
EXPERT
reviewed 9 months ago
0

There are two pieces of permissions that you have to consider here.

  1. Your access key and secret key must have permissions to run the command startCallAnalyticsJob
  2. The analytics job must be able to access the data it needs using the role DataAccessRoleArn.

From the error message, it appears that (1) is the issue. Do the keys that are running this command have the permissions to run startCallAnalyticsJob on that specific job Transcript1? This would either be a role that your user has assumed, or your actual IAM user itself.

If that doesn't solve the problem, then you would want to make sure that the DataAccessRole has a trust relationship with Transcribe, such that Transcribe is allowed to assume that role with access to the right objects in your S3 bucket. Take a look at how to update the trust relationship for a role here. This guide also walks you through creating it if needed.

The role would look something like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "transcribe.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
AWS
answered 2 years ago
  • Thank you for your response. For testing I tried to attach this strategy to my user:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "s3:",
                    "transcribe:"
                ],
                "Resource": "*"
            }
        ]
    }

    But I get the same error. Here's the role used by DataAccessRoleArn property:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "transcribe.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }

    Thank you again.

  • Your policy is missing a tiny detail. In the Action section, it should read s3:* and transcribe:* (with the star). Can you give that a try and see if it works? And is the whole error message what you posted above?

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "s3:*",
                    "transcribe:*"
                ],
                "Resource": "*"
            }
        ]
    }
    
  • I think there was a bug when I pasted the JSON, because the stars were there.

    See: https://pastebin.com/fCP9wCFV

    Here's the full PHP error:

    Fatal error: Uncaught exception 'Aws\TranscribeService\Exception\TranscribeServiceException' with message 'Error executing "StartCallAnalyticsJob" on "https://transcribe.eu-west-3.amazonaws.com"; AWS HTTP error: Client error: POST https://transcribe.eu-west-3.amazonaws.com resulted in a 400 Bad Request response: {"__type":"BadRequestException","Message":"Your account isn't authorized to call this operation. Check your account perm (truncated...) BadRequestException (client): Your account isn't authorized to call this operation. Check your account permissions and try your request again. - {"__type":"BadRequestException","Message":"Your account isn't authorized to call this operation. Check your account permissions and try your request again."}' GuzzleHttp\Exception\ClientException: Client error: POST https://transcribe.eu-west-3.amazonaws.com resulted in a 400 Bad Request response: {"__type":"BadRequestException","Message":"Your account isn't authorized to call this operation. Check your account perm (truncated.. in /Users/J/PhpstormProjects/dev/vendor/aws/aws-sdk-php/src/WrappedHttpHandler.php on line 195

    Thank you so much

  • Hmm, I would recommend starting simple and trying out some other SDK calls first, such as s3 ls command, and then maybe some more basic transcribe commands to see if they get the same error message. Are you part of an AWS Organization? It's possible that you could be getting rejected due to service control policies (https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html) that might limit your account from being able to use the transcribe service.

  • I tried these commands with the CLI (with the same access and secret keys):

    aws s3 ls s3://mybucketname

    It works.

    But with this command I get an error:

    aws transcribe start-call-analytics-job \
      --call-analytics-job-name MfTranscript1 \
      --media MediaFileUri=s3://mybucketname/file.wav \
      --data-access-role-arn "arn:aws:iam::{id}:role/AWSRoleTranscribe" \
      --channel-definitions '[{"ChannelId": 0, "ParticipantRole": "AGENT"},{"ChannelId": 1, "ParticipantRole": "CUSTOMER"}]'

    An error occurred (BadRequestException) when calling the StartCallAnalyticsJob operation: Your account isn't authorized to call this operation. Check your account permissions and try your request again.

    I have no AWS Organization. But can I use the eu-west-3 (Paris) region? Thank you
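
The policies in this thread are granted broadly "just for testing" (AmazonS3FullAccess, `s3:*` and `transcribe:*` on `*`) and the trust policy carries no condition. As an added example, not code from the thread or from AWS: a small Python check run over the policy documents quoted above, next to constructed scoped variants. The account ID `111122223333` and the bucket `example-call-recordings` are placeholders, and the scoped role policy is illustrative only; the actions a real job needs depend on its input and output locations.

```python
TRANSCRIBE = "transcribe.amazonaws.com"

def as_list(value):
    """IAM lets most fields be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_trust(doc):
    """Trust policy of the DataAccessRoleArn role: assumable by Transcribe, and scoped?"""
    findings, assumable = [], False
    for st in as_list(doc["Statement"]):
        principal = st.get("Principal", {})
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (st.get("Effect") != "Allow" or TRANSCRIBE not in services
                or "sts:AssumeRole" not in as_list(st.get("Action", []))):
            continue
        assumable = True
        # Condition keys are case-insensitive; collect them across all operators.
        keys = {k.lower() for op in st.get("Condition", {}).values() for k in op}
        if not keys & {"aws:sourceaccount", "aws:sourcearn"}:
            findings.append("trust: no aws:SourceAccount / aws:SourceArn condition")
    if not assumable:
        findings.append("trust: transcribe.amazonaws.com cannot assume this role")
    return findings

def audit_permissions(doc):
    """Flag the wildcard grants the answers describe as 'just for testing'."""
    findings = []
    for st in as_list(doc["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        findings += [f"permissions: wildcard action {a}"
                     for a in as_list(st.get("Action", [])) if a == "*" or a.endswith(":*")]
        if "*" in as_list(st.get("Resource", [])):
            findings.append("permissions: Resource is *")
    return findings

# Policies as posted in the thread.
PAGE_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": TRANSCRIBE}, "Action": "sts:AssumeRole"}]}
PAGE_USER = {"Version": "2012-10-17", "Statement": [{"Sid": "VisualEditor0",
    "Effect": "Allow", "Action": ["s3:*", "transcribe:*"], "Resource": "*"}]}
# Constructed scoped variants; account ID and bucket name are placeholders.
SCOPED_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": TRANSCRIBE}, "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"}}}]}
SCOPED_ROLE = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-call-recordings/*"}]}

if __name__ == "__main__":
    print(audit_trust(PAGE_TRUST), audit_permissions(PAGE_USER))
    print(audit_trust(SCOPED_TRUST), audit_permissions(SCOPED_ROLE))
```

The `aws:SourceAccount` condition limits the role to Transcribe requests that originate from your own account.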
