What IAM Permissions are needed to do a CreateJob for S3 Batch?

0

I am getting this error, and I can't figure out what permission to enable to allow me to create the job.

"An error occurred (AccessDenied) when calling the CreateJob operation: Access Denied"

when I try to execute a create_job command with an s3control client in boto3, as part of a lambda function. (https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3control.html#S3Control.Client.create_job).

I'm trying to create a PUTCOPY job.

I have granted the lambda function full S3 access via the AWS managed S3 policy, and I have granted the role that the S3 batch job is supposed to run under inside the create_job function full S3 access via the AWS managed S3 policy.

Is there another permission I need to enable somewhere to allow CreateJob for S3 Batch?

asked 4 years ago645 views
5 Answers
0

Thanks for your question.

The Lambda function's permissions govern what the Lambda function can do and the IAM role passed to S3 Batch Operations allows the feature to read your manifest, invoke Lambda, write the job report, etc.

What you'll need to create the job are the permissions for "s3:CreateJob and iam:PassRole." So within boto3 this will be based on your user identity when you make the CreateJob call.

awsrwx
answered 4 years ago
0

Wrong forum sorry

Edited by: dsmirnov on May 23, 2019 12:20 PM

answered 4 years ago
0

Hi Rob, thanks for your reply and your explanation. I do have iam:PassRole added to the user identity that the Lambda Function runs under.

However, for some reason, I do not see a CreateJob permission under S3 in my IAM when I look at the S3 permission. The only permission that comes up when I type "Create" in the search box is "CreateBucket". Is this permission present in the IAM console, or does it have to be added programmatically?

Thank you!

edit: to further clarify, since I posted the original message, I realized that I the CreateJob IS allowed with s3:* permissions enabled on both the user identity for the lambda function and the role that the S3 batch job runs under (there is apparently a short delay in the permissions change becoming consistent). However, when I did narrow back the permissions for production to be properly restrictive for production, I still get the access denied error. As noted by robwaws, the permissions needed for the lambda function that creates the S3 Batch Job are "s3:CreateJob and iam:PassRole", and so the question still is: where is the CreateJob permission located?

Edited by: James3732 on May 24, 2019 6:27 AM

answered 4 years ago
0

Thanks for the update. We'll work to add more about CreateJob to our documentation and to include S3 Batch Operations API actions in the IAM visual editor. "s3:CreateJob" is the permission required to create the job and would be required by the user or Lambda function creating the job. The same entity would also need the "iam:PassRole" permission to pass the IAM role specified for the job to S3 Batch Operations.

awsrwx
answered 4 years ago
0

Great, thank you. I added the CreateJob permissions manually in the json editor, and now the code can create the job via boto3.

Also, for the help of future readers: even after you add the CreateJob permission in the JSON editor, the console does show a warning hazard, with the text something like "IAM does not recognize one or more actions. The action name might include a typo or might be part of a previewed or custom service." I'm assuming this will disappear once AWS updates the IAM visual editor. Even though the warning shows up, the permission is applied.

Thanks again for your help, robwaws.

answered 4 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions