By using AWS re:Post, you agree to the Terms of Use
/Error Kinesis cannot put logs to s3/

Error Kinesis cannot put logs to s3

0

Hi , I created data delivery stream and create IAM role by default as proposed by AWS but still I got error

"Access was denied. Ensure that the trust policy for the provided IAM role allows Firehose to assume the role, and the access policy allows access to the S3 bucket."

While the IAM role is defined by AWS auto,

what should I do now? If I need something to add what should I add, kindly need a brief help?

2 Answers
0
Accepted Answer

What do you mean by AWS auto?

You need to edit the Trust Relationship of the role and have something similar to this (note that your role might need to be assumed by other services, in this example, it's only Kinesis Firehose that can):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Principal": {
                "Service": [
                    "firehose.amazonaws.com"
                ]
            }
        }
    ]
}
EXPERT
answered 2 months ago
  • while during creating a data delivery stream in advance setting I select following section to creat role

    "Permissions: Kinesis Data Firehose uses this IAM role for all the permissions that the delivery stream needs. To specify different roles for the different permissions, use the API or the CLI.

    1. Create or update IAM role KinesisFirehoseServiceRole-PUT-S3-ogbRM-eu-west-1-1652985862673

    Creates a new role or updates an existing one and adds the required policies to it, and enables Kinesis Data Firehose to assume it. 2) Choose existing IAM role The role that you choose must have policies that include the permissions that Kinesis Data Firehose needs.

    I select option one that is by default. Now can you let me know what should I do?

  • while during creating a data delivery stream in advance setting I select following section to creat role

    "Permissions: Kinesis Data Firehose uses this IAM role for all the permissions that the delivery stream needs. To specify different roles for the different permissions, use the API or the CLI.

    1. Create or update IAM role KinesisFirehoseServiceRole-PUT-S3-ogbRM-eu-west-1-1652985862673

    Creates a new role or updates an existing one and adds the required policies to it, and enables Kinesis Data Firehose to assume it. 2) Choose existing IAM role The role that you choose must have policies that include the permissions that Kinesis Data Firehose needs.

    I select option one that is by default. Now can you let me know what should I do?

0

Is the bucket in the same account? If it's not you need a bucket policy that allows the IAM role assumed by Kinesis Firehose to access that bucket. If it is in the same account, make sure that there is not some condition in the bucket policy that prevents access to that IAM role.

EXPERT
answered a month ago
  • Bucket is in the same account, I give kinesis full access role to buck for some time but still negative response

  • Can you confirm that the trust policy is like the one I posted in the previous question and that the bucket in the IAM policy? Does the bucket policy have any restriction?

  • @Tasio follwoing is my trust relation ship in IAM roles

    { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "firehose.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }

    I thinks its same as you shared... and I also give s3 full access to kinesis

  • Thanks @Tasio, I saw s3 in which in ACL bucket owner has read write while in front of s3 log delivery group I saw "-", is this an issue?

    { "Version": "2012-10-17", "Id": "AWSLogDeliveryWrite************", "Statement": [ { "Sid": "AWSLogDeliveryWrite", "Effect": "Allow", "Principal": { "Service": "delivery.logs.amazonaws.com" }, "Action": "s3:PutObject", "Resource": "arn:aws:s3:", "Condition": { "StringEquals": { "aws:SourceAccount": "**************", "s3:x-amz-acl": "bucket-owner-full-control" }, "ArnLike": { "aws:SourceArn": "arn:aws:logs:" } } }, { "Sid": "AWSLogDeliveryAclCheck", "Effect": "Allow", "Principal": { "Service": "delivery.logs.amazonaws.com" }, "Action": "s3:GetBucketAcl", "Resource": "arn:aws:s3************", "Condition": { "StringEquals": { "aws:SourceAccount": "*************" }, "ArnLike": { "aws:SourceArn": "arn:aws********************" } } } ] }

    Have a look to permissio attached to buck

  • Thanks for sharing, did you check whether the S3 bucket has some policy attached? Can you also share the other policies attached to the role? (hiding any sensitive info such as bucket name, account id, etc.)

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions