- Newest
- Most votes
- Most comments
It turns out, the objects in the bucket were encrypted with a specific KMS key, even though the bucket settings were set to use an Amazon S3-managed key (SSE-S3). So the error message was correct.
When I exported from HealthLake to S3, it prompted me to create or provide a KMS key to encrypt the output data, so that overrode the bucket-wide encryption settings.
Once I updated the KMS key policy to allow the Glue Crawler's Role and I used a single-region instead of a multi-region KMS key, the error went away.
Thank you Yann,
The section that states 'updated the KMS key policy to allow the Glue Crawler's Role' is what helped me.
I clicked on my KMS Key that I created for moving Healthlake data to S3 and added the IAM role I created for my Glue job (starts with AWSGlueServiceRole) to both 'Key administrators' and 'Key users.'
That did the trick!
Relevant content
- How can I use a Lambda function to automatically start an AWS Glue job when a crawler run completes?AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago