Glue Crawler getting 403 from S3 because "ciphertext refers to a CMK that doesn't exist." (using SSE-S3, not KMS)

2

I'm getting the following error when I run a Glue Crawler on an S3 bucket:

ERROR : Not all read errors will be logged. com.amazonaws.services.s3.model.AmazonS3Exception: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access. (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied;

The S3 bucket has default "Amazon S3-managed keys (SSE-S3)" encryption enabled, not a CMK from KMS.

The Glue Crawler has an IAM role with the managed policy AWSGlueServiceRole and a policy that was created by the wizard:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>/*"
            ]
        }
    ]
}

This previous post also has a 403 and was solved by adding GetObject permissions to the specific bucket, which I already have.

I'm also not using a VPC endpoint, which is one of the possible problems listed on this AWS help article. And I do NOT have Requester Pays turned on. It's all in the same AWS account. The default private bucket settings are checked, and there's no bucket policy.

2 Answers
1
Accepted Answer

It turns out, the objects in the bucket were encrypted with a specific KMS key, even though the bucket settings were set to use an Amazon S3-managed key (SSE-S3). So the error message was correct.

When I exported from HealthLake to S3, it prompted me to create or provide a KMS key to encrypt the output data, so that overrode the bucket-wide encryption settings.

Once I updated the KMS key policy to allow the Glue Crawler's Role and I used a single-region instead of a multi-region KMS key, the error went away.

AWS
answered 2 years ago
0

Thank you Yann,

The section that states 'updated the KMS key policy to allow the Glue Crawler's Role' is what helped me.

I clicked on my KMS Key that I created for moving Healthlake data to S3 and added the IAM role I created for my Glue job (starts with AWSGlueServiceRole) to both 'Key administrators' and 'Key users.'

That did the trick!

answered a year ago
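The two answers above boil down to two checks: find out which key each object is really encrypted with (the bucket default of SSE-S3 does not apply to objects that were written with an explicit SSE-KMS key, as the HealthLake export did), and confirm that the KMS key policy lets the crawler's role call kms:Decrypt. The script below is an added example written for this thread, not code from either answer or from AWS. It assumes boto3 is available only for the optional live HeadObject sampling; the sample HeadObject responses, the key policy and the role/key ARNs are constructed placeholders (account 111122223333 is the AWS documentation example account). For a crawler that only reads, kms:Decrypt on the key (the "Key users" grant) is what matters; adding the role to "Key administrators" as the second answer did is not required for reading and gives the role far more than it needs.

```python
"""Triage for 'The ciphertext refers to a customer master key that does not exist...'
on an S3 bucket whose default encryption is SSE-S3.

Check 1: which KMS key (if any) each object is actually encrypted with.
Check 2: whether a KMS key policy allows the crawler role to kms:Decrypt.
"""
import json
from collections import Counter
from typing import Iterable

# Constructed placeholders for this example (not real resources).
CRAWLER_ROLE_ARN = "arn:aws:iam::111122223333:role/AWSGlueServiceRole-example"
EXPORT_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"

# Constructed HeadObject responses: one object uses the bucket default (SSE-S3),
# two were written by an export that supplied its own KMS key.
SAMPLE_HEADS = [
    {"ServerSideEncryption": "AES256"},
    {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": EXPORT_KEY_ARN},
    {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": EXPORT_KEY_ARN},
]

# Constructed key policy: the default root statement plus a 'Key users' style grant.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": [CRAWLER_ROLE_ARN]},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
    ],
}


def classify_encryption(head_response: dict) -> str:
    """Map a HeadObject response to its effective encryption mode.
    ServerSideEncryption is 'AES256' for SSE-S3 and 'aws:kms' for SSE-KMS;
    SSEKMSKeyId carries the key ARN in the SSE-KMS case."""
    sse = head_response.get("ServerSideEncryption")
    if sse == "aws:kms":
        return "SSE-KMS:" + head_response.get("SSEKMSKeyId", "<unknown key>")
    if sse == "AES256":
        return "SSE-S3"
    return "NONE"


def summarize_objects(heads: Iterable[dict]) -> dict:
    """Count objects per effective encryption mode / key ARN."""
    return dict(Counter(classify_encryption(h) for h in heads))


def head_objects_sample(bucket: str, prefix: str = "", max_keys: int = 50) -> list:
    """Live version of the check: HEAD up to max_keys objects under a prefix.
    boto3 is imported lazily so the rest of the module works offline."""
    import boto3  # assumed available only when running this function
    s3 = boto3.client("s3")
    listing = s3.list_objects_v2(Bucket=bucket, Prefix=prefix, MaxKeys=max_keys)
    return [s3.head_object(Bucket=bucket, Key=o["Key"])
            for o in listing.get("Contents", [])]


def _as_list(value) -> list:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement: dict) -> list:
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return []


def _action_matches(pattern: str, action: str) -> bool:
    # Key policies commonly use wildcards such as "kms:*"; match case-insensitively.
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.lower().startswith(pattern[:-1].lower())
    return pattern.lower() == action.lower()


def key_policy_allows(policy: dict, principal_arn: str, action: str = "kms:Decrypt") -> bool:
    """True if some Allow statement names the principal (or '*') for the action.
    Simplified evaluator: ignores Condition blocks and Deny statements, and does
    not follow the root-principal delegation to IAM policies. Triage aid only."""
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        principals = _principals(statement)
        if principal_arn not in principals and "*" not in principals:
            continue
        if any(_action_matches(a, action) for a in _as_list(statement.get("Action"))):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(summarize_objects(SAMPLE_HEADS), indent=2))
    print("crawler role may decrypt:", key_policy_allows(SAMPLE_KEY_POLICY, CRAWLER_ROLE_ARN))
```

Run the summary against a real bucket with `summarize_objects(head_objects_sample("<bucket-name>", "exports/"))`; any entry whose key is `SSE-KMS:<arn>` tells you which key policy to inspect, and a multi-region key ARN (region prefix `mrk-`) is the other condition the accepted answer had to change.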
