Thanks for your question.
The Lambda function's permissions govern what the Lambda function can do and the IAM role passed to S3 Batch Operations allows the feature to read your manifest, invoke Lambda, write the job report, etc.
What you'll need to create the job are the permissions for "s3:CreateJob and iam:PassRole." So within boto3 this will be based on your user identity when you make the CreateJob call.
Wrong forum sorry
Edited by: dsmirnov on May 23, 2019 12:20 PM
Hi Rob, thanks for your reply and your explanation. I do have iam:PassRole added to the user identity that the Lambda Function runs under.
However, for some reason, I do not see a CreateJob permission under S3 in my IAM when I look at the S3 permission. The only permission that comes up when I type "Create" in the search box is "CreateBucket". Is this permission present in the IAM console, or does it have to be added programmatically?
edit: to further clarify, since I posted the original message, I realized that the CreateJob IS allowed with s3:* permissions enabled on both the user identity for the lambda function and the role that the S3 batch job runs under (there is apparently a short delay in the permissions change becoming consistent). However, when I did narrow back the permissions for production to be properly restrictive, I still get the access denied error. As noted by robwaws, the permissions needed for the lambda function that creates the S3 Batch Job are "s3:CreateJob and iam:PassRole", and so the question still is: where is the CreateJob permission located?
Edited by: James3732 on May 24, 2019 6:27 AM
Thanks for the update. We'll work to add more about CreateJob to our documentation and to include S3 Batch Operations API actions in the IAM visual editor. "s3:CreateJob" is the permission required to create the job and would be required by the user or Lambda function creating the job. The same entity would also need the "iam:PassRole" permission to pass the IAM role specified for the job to S3 Batch Operations.
Great, thank you. I added the CreateJob permissions manually in the json editor, and now the code can create the job via boto3.
Also, for the help of future readers: even after you add the CreateJob permission in the JSON editor, the console does show a warning hazard, with the text something like "IAM does not recognize one or more actions. The action name might include a typo or might be part of a previewed or custom service." I'm assuming this will disappear once AWS updates the IAM visual editor. Even though the warning shows up, the permission is applied.
Thanks again for your help, robwaws.
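Added example (not code from this thread or from AWS): a least-privilege policy for the identity that calls `CreateJob`, written the way the answers above describe it (`s3:CreateJob` plus `iam:PassRole`), together with a small offline checker that reports which of the two required actions a given policy document fails to grant. The checker reproduces the failure mode in the thread: a policy narrowed to object-level S3 actions, or one that grants `s3:*` but forgets `iam:PassRole`, is flagged. The account ID, role ARN and bucket names are constructed placeholders; the `iam:PassedToService` condition key and the `batchoperations.s3.amazonaws.com` service principal are used as I understand them from the IAM and S3 Batch Operations documentation.

```python
"""Least-privilege policy for an identity that creates S3 Batch Operations jobs,
plus a static check for the two actions the job creator must hold.
Added example; not part of the original thread."""
import fnmatch
import json

# Constructed placeholders: substitute your own account and role.
ACCOUNT_ID = "111122223333"
BATCH_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/s3-batch-operations-role"
S3_BATCH_SERVICE = "batchoperations.s3.amazonaws.com"  # assumed service principal


def job_creator_policy(batch_role_arn: str) -> dict:
    """Policy for the user or Lambda execution role that calls s3:CreateJob.

    s3:CreateJob does not support resource-level permissions, so its Resource
    must be "*". iam:PassRole is limited to the one batch role and, through
    iam:PassedToService, can only pass it to S3 Batch Operations, so the same
    identity cannot hand that role to any other service.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "CreateBatchJob", "Effect": "Allow",
             "Action": "s3:CreateJob", "Resource": "*"},
            {"Sid": "PassBatchRoleOnlyToS3Batch", "Effect": "Allow",
             "Action": "iam:PassRole", "Resource": batch_role_arn,
             "Condition": {"StringEquals": {"iam:PassedToService": S3_BATCH_SERVICE}}},
        ],
    }


def _as_list(value):
    """IAM allows a string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt: dict, action: str, resource: str) -> bool:
    """True if the statement's Action and Resource patterns cover the request.
    IAM action names are case-insensitive; wildcards follow glob rules."""
    action_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                    for a in _as_list(stmt.get("Action", [])))
    resource_ok = any(fnmatch.fnmatchcase(resource, r)
                      for r in _as_list(stmt.get("Resource", [])))
    return action_ok and resource_ok


def missing_actions(policy: dict, batch_role_arn: str) -> set:
    """Return the required actions this policy does not grant.

    Static check only: explicit Deny wins over Allow, but Condition blocks are
    not evaluated. For an authoritative answer use IAM's policy simulator
    (aws iam simulate-principal-policy) against the real principal.
    """
    required = {"s3:CreateJob": "*", "iam:PassRole": batch_role_arn}
    statements = _as_list(policy["Statement"])
    missing = set()
    for action, resource in required.items():
        denied = any(s.get("Effect") == "Deny" and _statement_matches(s, action, resource)
                     for s in statements)
        allowed = any(s.get("Effect") == "Allow" and _statement_matches(s, action, resource)
                      for s in statements)
        if denied or not allowed:
            missing.add(action)
    return missing


# Constructed sample policies illustrating the thread's situation.
OBJECT_ONLY_POLICY = {  # "properly restrictive" but missing both job actions
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}
S3_STAR_POLICY = {  # s3:* covers CreateJob but still cannot pass the role
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

if __name__ == "__main__":
    policy = job_creator_policy(BATCH_ROLE_ARN)
    print(json.dumps(policy, indent=2))  # paste into the IAM JSON editor
    for name, p in [("object-only", OBJECT_ONLY_POLICY), ("s3:*", S3_STAR_POLICY),
                    ("job-creator", policy)]:
        print(f"{name}: missing {sorted(missing_actions(p, BATCH_ROLE_ARN)) or 'nothing'}")
```

The `iam:PassedToService` condition is the part worth keeping even if the rest is tailored: without it, anyone holding `iam:PassRole` on the batch role could attach that role to any service that accepts it, which is broader than the job creator needs. The IAM console's "does not recognize one or more actions" warning mentioned above is a visual-editor limitation and does not affect whether the JSON policy is enforced.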