Hi, assuming your crawler and S3 bucket are in the same region!
Your crawler's attached role has some issues, I believe.
The crawler's attached role should contain the below custom policy and AWS managed policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3Actions",
      "Effect": "Allow",
      "Action": [ "s3:GetObject", "s3:PutObject" ],
      "Resource": [ "arn:aws:s3:::test-bucket-mis6389/evdata/*" ]
    },
    {
      "Sid": "AllowKMSAction",
      "Effect": "Allow",
      "Action": [ "kms:Decrypt" ],
      "Resource": [ "<KMSKeyARN>" ]
    }
  ]
}
and the AWS managed policy: AWSGlueServiceRole
You have given the S3 actions and the KMS action in a single statement, but in the Resource section you have only mentioned the S3 bucket ARN. You need to also specify the KMS Decrypt action on the particular KMS key. As a security best practice, I have segregated them into 2 separate statement blocks.
Also, make sure that if the users belong to another account, the KMS key trust policy trusts the other account.
You may also refer to this for additional checks: https://repost.aws/knowledge-center/s3-cross-account-access-denied
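The mistake this answer points out (S3 and KMS actions sharing one statement whose Resource lists only an S3 ARN, so the kms:Decrypt grant has nothing it can apply to) is easy to catch mechanically before a role is attached. The following is an added example, not code from the answer or from AWS: a small Python checker that parses an IAM policy document and flags any statement whose actions name a service with no matching ARN in Resource, plus an Effect that is not Allow or Deny. The two policies inside it are constructed samples; the KMS key ARN and account id are placeholders.

```python
import json

# Constructed sample: the shape the answer describes as wrong. S3 and KMS
# actions sit in one statement whose Resource lists only the S3 prefix, so
# kms:Decrypt has no KMS key ARN it could apply to.
COMBINED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "kms:Decrypt"],
        "Resource": ["arn:aws:s3:::test-bucket-mis6389/evdata/*"],
    }],
})

# Constructed sample: the segregated form from the answer. The KMS key ARN
# (region, account id, key id) is a placeholder for the real key in your account.
SEGREGATED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowS3Actions",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": ["arn:aws:s3:::test-bucket-mis6389/evdata/*"],
        },
        {
            "Sid": "AllowKMSAction",
            "Effect": "Allow",
            "Action": ["kms:Decrypt"],
            "Resource": ["arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"],
        },
    ],
})


def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _arn_service(arn):
    # arn:partition:service:region:account:resource -> service ("*" matches every service)
    if arn == "*":
        return "*"
    parts = arn.split(":")
    return parts[2] if len(parts) > 2 else ""


def check_policy(policy_text):
    """Return a list of findings for the policy document; [] means nothing was found.

    Only the plain Action/Resource form is handled; NotAction, NotResource and
    Condition blocks are not evaluated.
    """
    findings = []
    policy = json.loads(policy_text)
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        label = stmt.get("Sid") or f"statement[{idx}]"
        # A typo such as "Effect": "AllowS3Actions" is rejected by IAM; flag it here.
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{label}: Effect must be Allow or Deny, got {stmt.get('Effect')!r}")
        action_services = {a.split(":")[0].lower() for a in _as_list(stmt.get("Action", []))}
        resource_services = {_arn_service(r) for r in _as_list(stmt.get("Resource", []))}
        if len(action_services) > 1:
            findings.append(f"{label}: mixes actions from {sorted(action_services)}; split per service")
        for svc in action_services:
            # Each service named in Action needs an ARN of that service (or "*") in Resource.
            if svc != "*" and svc not in resource_services and "*" not in resource_services:
                findings.append(f"{label}: {svc} actions have no {svc} ARN in Resource")
    return findings


if __name__ == "__main__":
    for name, text in (("combined", COMBINED_POLICY), ("segregated", SEGREGATED_POLICY)):
        print(name, check_policy(text) or "OK")
```

Run it against a policy exported with `aws iam get-role-policy` before attaching the role; the combined sample yields two findings (mixed services, and kms actions with no kms ARN) while the segregated one yields none.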
Hello,
Modify your bucket policy to explicitly grant access also to the evdata folder and its contents: arn:aws:s3:::test-bucket-mis6389/evdata/*
Would you be able to check the CloudTrail logs? You can filter them by the resource and the name of the S3 bucket. This would provide us with detailed information about the API calls made to S3 and any associated error messages.
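Filtering CloudTrail records the way this answer suggests is straightforward once the events are exported as JSON. The following is an added example, not code from the answer or from AWS: it reads a list of CloudTrail-shaped records, returns the failed S3 calls that touched the named bucket, and separately counts errors per service so that a KMS Decrypt denial (a key-policy problem) shows up next to an S3 AccessDenied (a bucket- or role-policy problem). The three records are constructed samples; the role name, account id and key id are placeholders.

```python
from collections import Counter

BUCKET = "test-bucket-mis6389"

# Constructed sample records in CloudTrail's event shape (not real log data).
SAMPLE_EVENTS = [
    {   # the crawler's GetObject on the bucket is refused
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "errorCode": "AccessDenied", "errorMessage": "Access Denied",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/GlueCrawlerRole/AWS-Crawler"},
        "requestParameters": {"bucketName": BUCKET, "key": "evdata/part-0001.csv"},
        "resources": [{"type": "AWS::S3::Object", "ARN": f"arn:aws:s3:::{BUCKET}/evdata/part-0001.csv"},
                      {"type": "AWS::S3::Bucket", "ARN": f"arn:aws:s3:::{BUCKET}"}],
    },
    {   # a successful call on a different bucket: must not be reported
        "eventSource": "s3.amazonaws.com", "eventName": "ListObjects",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/OtherRole/session"},
        "requestParameters": {"bucketName": "some-other-bucket"},
        "resources": [{"type": "AWS::S3::Bucket", "ARN": "arn:aws:s3:::some-other-bucket"}],
    },
    {   # the KMS decrypt behind the S3 read is refused as well
        "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
        "errorCode": "AccessDenied",
        "errorMessage": "User is not authorized to perform: kms:Decrypt on the requested key",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/GlueCrawlerRole/AWS-Crawler"},
        "resources": [{"type": "AWS::KMS::Key",
                       "ARN": "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"}],
    },
]


def _touches_bucket(event, bucket):
    # Match either the bucketName request parameter or any resource ARN under the bucket.
    prefix = f"arn:aws:s3:::{bucket}"
    if event.get("requestParameters", {}).get("bucketName") == bucket:
        return True
    return any(r.get("ARN", "").startswith(prefix) for r in event.get("resources", []))


def failed_calls_for_bucket(events, bucket):
    """Failed S3 API calls against `bucket` as (eventName, errorCode, caller ARN) tuples."""
    return [
        (e["eventName"], e["errorCode"], e.get("userIdentity", {}).get("arn", "?"))
        for e in events
        if e.get("eventSource") == "s3.amazonaws.com"
        and "errorCode" in e
        and _touches_bucket(e, bucket)
    ]


def error_summary(events):
    """Count errors per (eventSource, errorCode) so KMS denials are visible beside S3 ones."""
    return Counter((e["eventSource"], e["errorCode"]) for e in events if "errorCode" in e)


if __name__ == "__main__":
    for call in failed_calls_for_bucket(SAMPLE_EVENTS, BUCKET):
        print("failed S3 call:", call)
    for key, count in error_summary(SAMPLE_EVENTS).items():
        print("errors:", key, count)
```

Feed it the `Records` array from a CloudTrail log file or the output of `aws cloudtrail lookup-events`; an S3 denial paired with a KMS denial from the same role is the pattern the first answer's separate kms:Decrypt statement (and a key policy that trusts the caller's account) is meant to remove.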
Hi,
Do the AWS users belong to the same account or a different account? If the bucket is owned by a different AWS account than the one where the crawler is running, you may need to update the bucket policy to grant cross-account access. Check also if there are any other policies attached to the IAM role or the AWS account that might be denying access to the S3 bucket.
Do the AWS users belong to the same or a different account?