What IAM Permissions are needed to do a CreateJob for S3 Batch?

0

I am getting this error, and I can't figure out what permission to enable to allow me to create the job.

"An error occurred (AccessDenied) when calling the CreateJob operation: Access Denied"

when I try to execute a create_job command with an s3control client in boto3, as part of a lambda function. (https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3control.html#S3Control.Client.create_job).

I'm trying to create a PUTCOPY job.

I have granted the lambda function full S3 access via the AWS managed S3 policy, and I have granted the role that the S3 batch job is supposed to run under inside the create_job function full S3 access via the AWS managed S3 policy.

Is there another permission I need to enable somewhere to allow CreateJob for S3 Batch?

asked 5 years ago, 2938 views
5 Answers
0

Thanks for your question.

The Lambda function's permissions govern what the Lambda function can do and the IAM role passed to S3 Batch Operations allows the feature to read your manifest, invoke Lambda, write the job report, etc.

What you'll need to create the job are the permissions for "s3:CreateJob and iam:PassRole." So within boto3 this will be based on your user identity when you make the CreateJob call.

AWS
awsrwx
answered 5 years ago
0

Wrong forum sorry

Edited by: dsmirnov on May 23, 2019 12:20 PM

answered 5 years ago
0

Hi Rob, thanks for your reply and your explanation. I do have iam:PassRole added to the user identity that the Lambda Function runs under.

However, for some reason, I do not see a CreateJob permission under S3 in my IAM when I look at the S3 permission. The only permission that comes up when I type "Create" in the search box is "CreateBucket". Is this permission present in the IAM console, or does it have to be added programmatically?

Thank you!

edit: to further clarify, since I posted the original message, I realized that the CreateJob IS allowed with s3:* permissions enabled on both the user identity for the lambda function and the role that the S3 batch job runs under (there is apparently a short delay in the permissions change becoming consistent). However, when I did narrow back the permissions for production to be properly restrictive for production, I still get the access denied error. As noted by robwaws, the permissions needed for the lambda function that creates the S3 Batch Job are "s3:CreateJob and iam:PassRole", and so the question still is: where is the CreateJob permission located?

Edited by: James3732 on May 24, 2019 6:27 AM

answered 5 years ago
0

Thanks for the update. We'll work to add more about CreateJob to our documentation and to include S3 Batch Operations API actions in the IAM visual editor. "s3:CreateJob" is the permission required to create the job and would be required by the user or Lambda function creating the job. The same entity would also need the "iam:PassRole" permission to pass the IAM role specified for the job to S3 Batch Operations.

AWS
awsrwx
answered 5 years ago
0

Great, thank you. I added the CreateJob permissions manually in the json editor, and now the code can create the job via boto3.

Also, for the help of future readers: even after you add the CreateJob permission in the JSON editor, the console does show a warning hazard, with the text something like "IAM does not recognize one or more actions. The action name might include a typo or might be part of a previewed or custom service." I'm assuming this will disappear once AWS updates the IAM visual editor. Even though the warning shows up, the permission is applied.

Thanks again for your help, robwaws.

answered 5 years ago
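An added example (not from the thread, and not AWS's own code) showing the least-privilege policy the thread arrives at for the identity that calls CreateJob, together with a small single-action evaluator that reproduces why `s3:*` worked while the narrowed S3 policy still returned AccessDenied. The account id and role name are constructed placeholders; `batchoperations.s3.amazonaws.com` is the S3 Batch Operations service principal used with the `iam:PassedToService` condition key.

```python
"""Least-privilege policy for the caller of s3control.create_job, plus a tiny
IAM evaluator for one action. Added example; role ARN values are constructed."""
from fnmatch import fnmatchcase

BATCH_ROLE_ARN = "arn:aws:iam::111122223333:role/s3-batch-copy-role"  # placeholder


def create_job_caller_policy(batch_role_arn: str) -> dict:
    """Policy for the Lambda execution role (or user) that creates the job.
    s3:CreateJob permits the CreateJob call; iam:PassRole permits handing the
    job role to S3 Batch Operations, and the condition stops that role from
    being passed to any other service."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:CreateJob", "Resource": "*"},
            {
                "Effect": "Allow",
                "Action": "iam:PassRole",
                "Resource": batch_role_arn,
                "Condition": {"StringEquals": {
                    "iam:PassedToService": "batchoperations.s3.amazonaws.com"}},
            },
        ],
    }


def policy_allows(policy: dict, action: str) -> bool:
    """Simplified evaluation for a single action: an explicit Deny wins,
    otherwise any matching Allow grants. Patterns use IAM's '*' wildcard,
    so "s3:*" matches "s3:CreateJob" even though the visual editor hides it."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(fnmatchcase(action, pattern) for pattern in actions):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# Constructed stand-ins for the two policies the thread describes.
FULL_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
NARROWED_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": "*"}]}
```

Running `policy_allows(NARROWED_S3, "s3:CreateJob")` returns False while the same check against `FULL_S3` or `create_job_caller_policy(...)` returns True, which is the gap the thread describes when the permissions were tightened.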
