1 Answer
Hello,
Please note that assume role may not work for the Glue crawler case. In order to ensure you are able to crawl an external S3 bucket as a data source, you need to ensure the below:
- The crawler role in Account A should have access to the Account B S3 bucket (Get*, List*).
- The Account B S3 bucket must allow the required permissions (Get, List etc.) to the Account A crawler role in its bucket policy.
- The Account B S3 bucket must not be using the SSE-KMS (aws/s3) key; if the bucket is encrypted with the aws/s3 AWS managed KMS key, then cross-account S3 access won't work.
- If the Account B S3 bucket is SSE-KMS CMK (custom key) encrypted, then the KMS key policy in Account B must allow the Account A Glue crawler role.
Please check all of the above permissions in order to resolve the issue. You can also refer to this re:Post link: https://repost.aws/questions/QU_8lhusbHSLOg9CE7U30W7w/cross-account-s3-bucket-access-in-aws-glue-crawler
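The policies the answer lists, written out as an added example (not from the answer or from AWS): an Account B bucket policy and CMK key-policy statement granting the Account A crawler role, plus a small checker that reports which required S3 actions a policy fails to grant. Account IDs, the role name `GlueCrawlerRole`, the bucket name and the object key are constructed placeholders.

```python
import fnmatch
# Constructed placeholder identifiers; the post itself uses <client_arn> / <client-bucket-name>.
ACCOUNT_A = "111111111111"  # owns the Glue crawler and its IAM role
CRAWLER_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/GlueCrawlerRole"
BUCKET = "client-bucket-name"  # owned by Account B

# Account B bucket policy: ListBucket needs the bucket ARN, GetObject the object ARN.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAccountACrawlerRead",
        "Effect": "Allow",
        "Principal": {"AWS": CRAWLER_ROLE_ARN},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
}

# Statement for the CMK key policy in Account B (customer key only; aws/s3 can't be shared).
KMS_KEY_POLICY_STATEMENT = {
    "Sid": "AllowAccountACrawlerDecrypt",
    "Effect": "Allow",
    "Principal": {"AWS": CRAWLER_ROLE_ARN},
    "Action": ["kms:Decrypt", "kms:DescribeKey"],
    "Resource": "*",
}

# The role policy from the follow-up comment: GetObject/PutObject on objects only.
POSTED_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": [f"arn:aws:s3:::{BUCKET}/*"]}],
}

# Actions the crawler needs, each with the resource form IAM evaluates it against.
REQUIRED = {"s3:ListBucket": f"arn:aws:s3:::{BUCKET}",
            "s3:GetObject": f"arn:aws:s3:::{BUCKET}/data/part-0000.parquet"}

def _as_list(v):
    return v if isinstance(v, list) else [v]
def missing_s3_actions(policy: dict) -> list:
    """Required S3 actions that no Allow statement covers (wildcards like s3:Get* honoured)."""
    missing = []
    for action, target in REQUIRED.items():
        if not any(st.get("Effect") == "Allow"
                   and any(fnmatch.fnmatchcase(action, a) for a in _as_list(st.get("Action", [])))
                   and any(fnmatch.fnmatchcase(target, r) for r in _as_list(st.get("Resource", [])))
                   for st in policy["Statement"]):
            missing.append(action)
    return missing
```

Run the checker on both the crawler role's identity policy and the bucket policy, since both sides must grant the actions; it ignores explicit Deny statements, so a Deny elsewhere can still block access.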
Hi, thank you for your response. Should the crawler have the trust relationship that I have copied, or should they be in the crawler's permissions (i.e. have access to Account B)? Right now, the layout of my crawler's IAM role is:
- trust relationship (above)
- customer inline policy:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "CID",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::<client_arn>:role/<client-made-role>"
      }
    ]
  }
- customer managed policy:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "s3:GetObject",
          "s3:PutObject"
        ],
        "Resource": [
          "arn:aws:s3:::<client-bucket-name>/*"
        ]
      }
    ]
  }
Does this seem correct?
Can you share the permissions your IAM role has? Also, is there a bucket policy / ACL enforced on the bucket?