Error Kinesis cannot put logs to s3

0

Hi, I created a data delivery stream and created the IAM role by default as proposed by AWS, but I still get this error:

"Access was denied. Ensure that the trust policy for the provided IAM role allows Firehose to assume the role, and the access policy allows access to the S3 bucket."

While the IAM role is defined automatically by AWS,

what should I do now? If I need to add something, what should I add? I kindly need some brief help.

3 Answers
0
Accepted Answer

What do you mean by AWS auto?

You need to edit the Trust Relationship of the role and have something similar to this (note that your role might need to be assumed by other services, in this example, it's only Kinesis Firehose that can):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Principal": {
                "Service": [
                    "firehose.amazonaws.com"
                ]
            }
        }
    ]
}
AWS EXPERT Tasio, answered 2 years ago
  • While creating a data delivery stream, in the advanced settings I selected the following section to create the role:

    "Permissions: Kinesis Data Firehose uses this IAM role for all the permissions that the delivery stream needs. To specify different roles for the different permissions, use the API or the CLI.

    1. Create or update IAM role KinesisFirehoseServiceRole-PUT-S3-ogbRM-eu-west-1-1652985862673 Creates a new role or updates an existing one and adds the required policies to it, and enables Kinesis Data Firehose to assume it.
    2. Choose existing IAM role The role that you choose must have policies that include the permissions that Kinesis Data Firehose needs.

    I selected option one, which is the default. Now can you let me know what I should do?

0

Is the bucket in the same account? If it's not, you need a bucket policy that allows the IAM role assumed by Kinesis Firehose to access that bucket. If it is in the same account, make sure there is no condition in the bucket policy that prevents access for that IAM role.

AWS EXPERT Tasio, answered 2 years ago
  • The bucket is in the same account. I gave the Kinesis role full access to the bucket for some time, but still a negative response.

  • Can you confirm that the trust policy is like the one I posted in the previous answer and that the bucket is in the IAM policy? Does the bucket policy have any restriction?

  • @Tasio, the following is my trust relationship in IAM roles:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": { "Service": "firehose.amazonaws.com" },
                "Action": "sts:AssumeRole"
            }
        ]
    }

    I think it's the same as you shared... and I also gave S3 full access to Kinesis.

  • Thanks @Tasio. I saw in S3 that in the ACL the bucket owner has read/write, while in front of the S3 log delivery group I see "-". Is this an issue?

    {
        "Version": "2012-10-17",
        "Id": "AWSLogDeliveryWrite************",
        "Statement": [
            {
                "Sid": "AWSLogDeliveryWrite",
                "Effect": "Allow",
                "Principal": { "Service": "delivery.logs.amazonaws.com" },
                "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:",
                "Condition": {
                    "StringEquals": {
                        "aws:SourceAccount": "**************",
                        "s3:x-amz-acl": "bucket-owner-full-control"
                    },
                    "ArnLike": { "aws:SourceArn": "arn:aws:logs:" }
                }
            },
            {
                "Sid": "AWSLogDeliveryAclCheck",
                "Effect": "Allow",
                "Principal": { "Service": "delivery.logs.amazonaws.com" },
                "Action": "s3:GetBucketAcl",
                "Resource": "arn:aws:s3************",
                "Condition": {
                    "StringEquals": { "aws:SourceAccount": "*************" },
                    "ArnLike": { "aws:SourceArn": "arn:aws********************" }
                }
            }
        ]
    }

    Have a look at the permissions attached to the bucket.

  • Thanks for sharing. Did you check whether the S3 bucket has some policy attached? Can you also share the other policies attached to the role (hiding any sensitive info such as bucket name, account ID, etc.)?

0

Grant Kinesis Data Firehose Access to an Amazon S3 Destination: use the following access policy to enable Kinesis Data Firehose to access your S3 bucket and AWS KMS key: https://docs.aws.amazon.com/firehose/latest/dev/controlling-access.html#using-iam-s3

It looks like you didn't grant Kinesis Data Firehose access to the KMS key: https://repost.aws/knowledge-center/kinesis-data-firehose-s3-access-error

AWS, answered 7 months ago
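The two IAM documents this thread keeps coming back to, the trust policy on the Firehose service role (accepted answer) and the S3/KMS access policy attached to that role (the answer above), can be checked offline before touching the console. The following Python is an added example, not code from the thread, from AWS, or from the Firehose service; the required S3 and KMS action names follow the Firehose developer guide page linked above, while the bucket name, KMS key ARN and the sample policies are constructed for illustration. It handles the string-vs-list forms of Principal.Service and Action that both appear in this thread, and it splits the S3 actions by resource level, because s3:ListBucket is evaluated against the bucket ARN while s3:PutObject is evaluated against bucket/*, a distinction a hand-written "objects only" policy gets wrong.

```python
"""Offline checker for a Firehose service role: trust policy and access policy.
Added example, not code from the thread or from AWS. Required actions follow the
Firehose developer guide (controlling-access.html#using-iam-s3); sample names are
made up."""
import fnmatch

FIREHOSE_SERVICE = "firehose.amazonaws.com"
# Bucket-level actions are evaluated against arn:aws:s3:::bucket,
# object-level actions against arn:aws:s3:::bucket/* (IAM semantics).
BUCKET_LEVEL_ACTIONS = {"s3:GetBucketLocation", "s3:ListBucket", "s3:ListBucketMultipartUploads"}
OBJECT_LEVEL_ACTIONS = {"s3:AbortMultipartUpload", "s3:GetObject", "s3:PutObject"}
# Needed only when the destination bucket is encrypted with a customer managed KMS key.
KMS_ACTIONS = {"kms:Decrypt", "kms:GenerateDataKey"}


def _as_list(value):
    """IAM accepts a bare string wherever a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]


def _action_matches(statement, action):
    # Action names are case-insensitive and may use '*' / '?' wildcards (e.g. "s3:*").
    return any(fnmatch.fnmatchcase(action.lower(), pat.lower())
               for pat in _as_list(statement.get("Action")))


def _resource_matches(statement, arn):
    # Resource ARNs are case-sensitive; wildcards work the same way.
    return any(fnmatch.fnmatchcase(arn, pat) for pat in _as_list(statement.get("Resource")))


def check_trust_policy(trust_policy):
    """Return a list of findings; an empty list means Firehose can assume the role."""
    for stmt in _allow_statements(trust_policy):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if FIREHOSE_SERVICE in services and _action_matches(stmt, "sts:AssumeRole"):
            return []
    return [f"no Allow statement lets {FIREHOSE_SERVICE} call sts:AssumeRole"]


def check_access_policy(policy, bucket, kms_key_arn=None):
    """Return findings for the identity policy on the role. Only Allow statements
    are evaluated: explicit Deny, SCPs, permission boundaries and the bucket
    policy itself are outside this offline check."""
    stmts = _allow_statements(policy)

    def allowed(action, arn):
        return any(_action_matches(s, action) and _resource_matches(s, arn) for s in stmts)

    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []
    for action in sorted(BUCKET_LEVEL_ACTIONS):
        if not allowed(action, bucket_arn):
            findings.append(f"missing {action} on {bucket_arn}")
    for action in sorted(OBJECT_LEVEL_ACTIONS):
        if not allowed(action, bucket_arn + "/*"):
            findings.append(f"missing {action} on {bucket_arn}/*")
    if kms_key_arn:
        for action in sorted(KMS_ACTIONS):
            if not allowed(action, kms_key_arn):
                findings.append(f"missing {action} on {kms_key_arn}")
    return findings


# --- constructed sample inputs (hypothetical bucket, key and account) ----------
TRUST_OK = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"Service": "firehose.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
# Wrong service principal, e.g. a role originally created for Kinesis Data Streams.
TRUST_WRONG = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
               "Principal": {"Service": ["kinesis.amazonaws.com"]}, "Action": ["sts:AssumeRole"]}]}

BUCKET = "example-firehose-dest"
KEY_ARN = "arn:aws:kms:eu-west-1:111122223333:key/example-key-id"
ACCESS_OK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": sorted(BUCKET_LEVEL_ACTIONS | OBJECT_LEVEL_ACTIONS),
     "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]},
    {"Effect": "Allow", "Action": sorted(KMS_ACTIONS), "Resource": [KEY_ARN]}]}
# Objects only, no bucket ARN and no KMS grant: typical of a hand-written policy.
ACCESS_NARROW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}
# "S3 full access" style grant: covers every S3 check but says nothing about KMS.
ACCESS_S3_FULL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    for name, findings in [("trust ok", check_trust_policy(TRUST_OK)),
                           ("trust wrong", check_trust_policy(TRUST_WRONG)),
                           ("access ok", check_access_policy(ACCESS_OK, BUCKET, KEY_ARN)),
                           ("access narrow", check_access_policy(ACCESS_NARROW, BUCKET, KEY_ARN)),
                           ("s3 full, kms key", check_access_policy(ACCESS_S3_FULL, BUCKET, KEY_ARN))]:
        print(name, "->", findings or "OK")
```

Paste the real documents from the role's Trust relationships and Permissions tabs in place of the constructed dictionaries. Note that the full-S3 grant reports only the two KMS findings: that is exactly the situation the last answer describes, where a role that can write to the bucket still fails because the bucket's SSE-KMS key is not covered.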
