Error Kinesis cannot put logs to s3
Hi, I created a data delivery stream and created the IAM role by default as proposed by AWS, but I still get this error:
"Access was denied. Ensure that the trust policy for the provided IAM role allows Firehose to assume the role, and the access policy allows access to the S3 bucket."
While the IAM role is defined by AWS auto,
what should I do now? If I need to add something, what should I add? I kindly need some brief help.
What do you mean by AWS auto?
You need to edit the Trust Relationship of the role and have something similar to this (note that your role might need to be assumed by other services, in this example, it's only Kinesis Firehose that can):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Principal": {
                "Service": [
                    "firehose.amazonaws.com"
                ]
            }
        }
    ]
}
While creating a data delivery stream, in the advanced settings I selected the following section to create the role:
"Permissions: Kinesis Data Firehose uses this IAM role for all the permissions that the delivery stream needs. To specify different roles for the different permissions, use the API or the CLI.
1) Create or update IAM role KinesisFirehoseServiceRole-PUT-S3-ogbRM-eu-west-1-1652985862673
Creates a new role or updates an existing one and adds the required policies to it, and enables Kinesis Data Firehose to assume it.
2) Choose existing IAM role
The role that you choose must have policies that include the permissions that Kinesis Data Firehose needs."
I selected option one, which is the default. Now can you let me know what I should do?
Is the bucket in the same account? If it's not, you need a bucket policy that allows the IAM role assumed by Kinesis Firehose to access that bucket. If it is in the same account, make sure that there is not some condition in the bucket policy that prevents access to that IAM role.
The bucket is in the same account. I gave the Kinesis role full access to the bucket for some time, but still a negative response.
Can you confirm that the trust policy is like the one I posted in the previous answer and that the bucket is in the IAM policy? Does the bucket policy have any restriction?
@Tasio, the following is my trust relationship in IAM roles:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "firehose.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
I think it's the same as you shared... and I also gave S3 full access to Kinesis.
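The answer's trust policy writes `Principal.Service` and `Action` as lists while the asker's version uses plain strings; IAM accepts both, so a check has to normalize them before comparing. The following is an added example (not code from this thread or from AWS) that evaluates a parsed trust-policy document for whether `firehose.amazonaws.com` may call `sts:AssumeRole`, with an explicit Deny overriding any Allow; the sample documents below are constructed.

```python
import json

FIREHOSE_SERVICE = "firehose.amazonaws.com"


def _as_list(value):
    """IAM allows Principal.Service and Action to be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def firehose_can_assume(trust_policy):
    """Return True if the trust policy lets Firehose call sts:AssumeRole.

    trust_policy is the parsed policy document (a dict). As in IAM
    evaluation, an explicit Deny matching the principal wins over any Allow.
    """
    allowed = False
    for stmt in _as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action"))
        service_matches = FIREHOSE_SERVICE in services or principal == "*"
        action_matches = any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions)
        if not (service_matches and action_matches):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


# Constructed samples: list form (as in the answer), string form (as in the
# asker's role), and a role trusting a different service by mistake.
LIST_FORM = json.loads('{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
                       '"Action":["sts:AssumeRole"],'
                       '"Principal":{"Service":["firehose.amazonaws.com"]}}]}')
STRING_FORM = json.loads('{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
                         '"Principal":{"Service":"firehose.amazonaws.com"},'
                         '"Action":"sts:AssumeRole"}]}')
WRONG_SERVICE = json.loads('{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
                           '"Principal":{"Service":"lambda.amazonaws.com"},'
                           '"Action":"sts:AssumeRole"}]}')

if __name__ == "__main__":
    for name, doc in (("list", LIST_FORM), ("string", STRING_FORM), ("wrong", WRONG_SERVICE)):
        print(name, "->", "Firehose can assume" if firehose_can_assume(doc) else "BLOCKED")
```

A passing trust policy is only half of the error message's checklist: the role's access policy must still grant the S3 actions on the bucket, and the bucket policy must not carry a condition that excludes the role.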
Thanks @Tasio. I looked at the S3 bucket: in its ACL the bucket owner has read/write, while in front of the S3 log delivery group I see "-". Is this an issue?
{
    "Version": "2012-10-17",
    "Id": "AWSLogDeliveryWrite************",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "**************",
                    "s3:x-amz-acl": "bucket-owner-full-control"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:logs:"
                }
            }
        },
        {
            "Sid": "AWSLogDeliveryAclCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3************",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "*************"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws********************"
                }
            }
        }
    ]
}
Have a look at the permissions attached to the bucket.
Thanks for sharing, did you check whether the S3 bucket has some policy attached? Can you also share the other policies attached to the role? (hiding any sensitive info such as bucket name, account id, etc.)