Creating JobOperation with SDK - Access Denied

0

I am trying to create a Job via the Java SDK (v2)

        S3ControlClient s3ControlClient = S3ControlClient.builder()
                .credentialsProvider(staticCredentialsProvider)
                .region(Region.EU_WEST_1)
                .build();
--- some code to build the operation ---

        CreateJobRequest jobRequest = CreateJobRequest.builder()
                .accountId(s3Properties.getId())
                .description("Duplication job created by ...")
                .manifest(jobManifest)
                .operation(copyJobOperation)
                .report(jobReport)
                .roleArn(jobStagingARNRole)
                .priority(10)
                .clientRequestToken(UUID.randomUUID().toString())
                .confirmationRequired(false)
                .build();
        s3ControlClient.createJob(jobRequest);

Based on this link https://docs.aws.amazon.com/AmazonS3/latest/userguide/batch-ops-iam-role-policies.html

The S3ControlClient (staging-user) has the following permissions:

iam:PassRole
sts:AssumeRole
s3:CreateJob

The jobStagingARNRole has the following permissions:

s3:CreateJob
sts:AssumeRole
iam:PassRole
s3: (PutObject, GetObject)

For testing purposes all permissions with "Resource": "*"

and the following Trust relationship

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "batchoperations.s3.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

But I still get an AccessDenied error. What am I missing? Thank you

beig
asked 10 months ago · 229 views
1 Answer
0

Hi, I'd strongly suggest you insert a call to STS GetCallerIdentity just to ensure that you access the API with the user / role that you believe you are using. Sometimes you're under a different identity than you believe: it happened to me a couple of times...

This STS API verb is one of the very rare ones not requiring any credentials to succeed.

If the identity (user, role, etc.) is the one that you believe, then you can start checking the IAM authorizations. Yours seem correct.

Some code examples here: https://www.tabnine.com/code/java/methods/com.amazonaws.services.securitytoken.AWSSecurityTokenService/getCallerIdentity

To set up credentials, I usually use the credentials chain proposed by DefaultCredentialsProvider: see https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/credentials-chain.html

Best,

Didier

AWS EXPERT
answered 10 months ago
  • Hi, yes, the getCallerIdentity gives me the staging-user. I also looked at these examples https://github.com/awsdocs/aws-doc-sdk-examples/blob/main/javav2/example_code/s3/src/main/java/com/example/s3/CreateJob.java#L50C22-L50C22 but I can't find any difference / what's wrong with my permissions

    Edit: Ah, I do get an error assuming the job-role - what permissions am I missing? Edit2: OK (https://repost.aws/knowledge-center/iam-assume-role-error), now my staging-user can assume the role, but I still get an error creating the job

  • Have a look at https://docs.aws.amazon.com/AmazonS3/latest/userguide/troubleshooting-batch-operations.html#access-denied : you probably have to add s3:GetObject to auths of staging-user

    If not enough, can you one by one put action:* for iam, sts and s3 in the auths of staging-user to see in which area you're missing auths? Then, when you have located which one it is, you can start to tighten up again to go back to least privilege.

    It would be good if you share your stack trace on this error: it would help locate the root cause.

  • I did as you said. I also created a job using the role via the console - just to check if it works (it does)

    My next try would be to assume the role and somehow create an S3ControlClient with the role, but I am not sure if this is even possible (only Python, unfortunately: https://docs.aws.amazon.com/IAM/latest/UserGuide/example_sts_Scenario_AssumeRoleMfa_section.html)

    This is the stack trace: https://pastebin.com/cnNuzWGB and it occurs on this line of code: s3ControlClient.createJob(jobRequest);

    That's the whole policy for the staging user:

        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "VisualEditor0",
                    "Effect": "Allow",
                    "Action": [ "s3:*", "sts:*", "iam:*" ],
                    "Resource": "*"
                }
            ]
        }

  • Also, using the role's credentials and creating the job doesn't work

    // Assume the job role with the staging user's STS client
    AssumeRoleResponse resp = stsClient.assumeRole(builder -> {
        builder.roleArn(job_role);
        builder.roleSessionName("test-session");
    });

    // Wrap the temporary credentials (key, secret and session token) returned for the role;
    // the session token must also come from resp.credentials()
    StaticCredentialsProvider creds = StaticCredentialsProvider.create(
            AwsSessionCredentials.create(
                    resp.credentials().accessKeyId(),
                    resp.credentials().secretAccessKey(),
                    resp.credentials().sessionToken()));

    // Build the S3 Control client with the role's session credentials
    S3ControlClient s3ControlClient = S3ControlClient.builder()
            .credentialsProvider(creds)
            .region(Region.EU_WEST_1)
            .build();
    
  • Maybe I was not clear, but your actions should be with '*': not just 's3:' but 's3:*'. Same for the others. I've never seen 's3:' to mean 's3:*'
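Putting the answer's GetCallerIdentity check together with the question's createJob call, as an added Java SDK v2 example that is not code from anyone in this thread: it prints the principal the credentials chain actually resolved, takes the job's accountId from that identity so it cannot disagree with the credentials in use, and reports the service error code and message on failure instead of a bare stack trace. The class name and the job role ARN passed as the first command-line argument are assumptions; manifest, operation and report are built as in the question.

```java
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.awscore.exception.AwsErrorDetails;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3control.S3ControlClient;
import software.amazon.awssdk.services.s3control.model.CreateJobRequest;
import software.amazon.awssdk.services.s3control.model.S3ControlException;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.GetCallerIdentityResponse;

public class CreateJobPreflight {

    // Step 1 (from the answer): print the principal the SDK actually resolved.
    static GetCallerIdentityResponse whoAmI(Region region) {
        try (StsClient sts = StsClient.builder().region(region)
                .credentialsProvider(DefaultCredentialsProvider.create()).build()) {
            GetCallerIdentityResponse id = sts.getCallerIdentity();
            System.out.printf("Calling as %s in account %s%n", id.arn(), id.account());
            return id;
        }
    }

    // Step 2: submit the job and surface the service error code and message
    // (AccessDenied vs. an unrelated validation error) before rethrowing.
    static String createJobOrExplain(S3ControlClient s3Control, CreateJobRequest req) {
        try {
            return s3Control.createJob(req).jobId();
        } catch (S3ControlException e) {
            AwsErrorDetails d = e.awsErrorDetails();
            System.err.printf("CreateJob failed: HTTP %d %s: %s%n",
                    e.statusCode(), d.errorCode(), d.errorMessage());
            throw e;
        }
    }

    public static void main(String[] args) {
        Region region = Region.EU_WEST_1;
        GetCallerIdentityResponse id = whoAmI(region);
        try (S3ControlClient s3Control = S3ControlClient.builder().region(region)
                .credentialsProvider(DefaultCredentialsProvider.create()).build()) {
            CreateJobRequest req = CreateJobRequest.builder()
                    .accountId(id.account())   // from the resolved identity, not from config
                    .roleArn(args[0])          // assumption: job role ARN as first argument
                    // .manifest(...), .operation(...), .report(...) as built in the question
                    .build();
            System.out.println("Created job " + createJobOrExplain(s3Control, req));
        }
    }
}
```

If the printed ARN is not the staging-user, the credentials chain picked up a different profile or environment variable, and the IAM policies being edited are not the ones being evaluated.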
