You'll need to add an IAM policy to grant the user access to S3. Unless a bucket is public, which is not recommended, you have to use IAM policies to grant access to it.
To unblock yourself, you could give the IAM user "AmazonS3ReadOnlyAccess", but long term you'll want to create an IAM policy that gives this user access only to the bucket and folder it needs, to ensure you are following the principle of least privilege.
Amazon Rekognition only supports the Rekognition API endpoint and the S3 bucket being in the same region. See "AWS integration" in the FAQ for more details.
You could explore an implementation like described in the "Use Amazon Rekognition Stateless APIs in a different Region" section of this Improve scalability for Amazon Rekognition stateless APIs using multiple regions blog post if you have multi region requirements.
To grant access to an S3 bucket in a different region for your IAM user, you need to ensure that the IAM policies are configured correctly to allow access across regions. First, create a new IAM policy that allows the required permissions for accessing the S3 bucket in the "ap-southeast-2" region. You'll need to include permissions for both reading from and writing to the S3 bucket, depending on your use case. Here's a basic example policy allowing read access to all objects in a specific bucket:

======sample iam policy======

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:GetObjectVersion"
      ],
      "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceRegion": "ap-northeast-1"
        }
      }
    }
  ]
}
```
Replace YOUR_BUCKET_NAME with the name of your S3 bucket.
Then attach the newly created policy to your IAM user. For the cross-region access, your IAM user needs permissions to access resources across regions. You can do this by using the "sts:AssumeRole" action in your IAM policy.
Here is a sample trust relationship policy granting permission to assume a role in another region:

======sample trust relationship policy======

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::ACCOUNT_ID:role/CrossRegionRoleName",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "ap-southeast-2"
        }
      }
    }
  ]
}
```
Replace ACCOUNT_ID with your AWS account ID and CrossRegionRoleName with the name of the IAM role you want to assume in the target region. Once you've attached the policy to your IAM user, try accessing the S3 bucket in the "ap-southeast-2" region again. You should now have the permissions to perform the desired actions.
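As an added example serving both the least-privilege advice in the first answer and the sample bucket policy above (editor's code, not taken from any answer on this page): a Python helper that builds a read-only policy scoped to one bucket and one prefix, plus a check that flags Allow statements using wildcard actions or resources. The bucket name and prefix are constructed placeholders.

```python
import json


def least_privilege_s3_policy(bucket, prefix):
    """Build an IAM policy document granting read-only access to objects
    under `prefix` in `bucket`, with listing restricted to that prefix.
    Returns a dict; json.dumps() it to attach via the IAM API or console."""
    prefix = prefix.strip("/")
    scope = f"{prefix}/" if prefix else ""  # empty prefix means the whole bucket
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOnlyThisPrefix",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                # s3:prefix is the list prefix the caller passes; allow the folder itself and below
                "Condition": {"StringLike": {"s3:prefix": [scope, scope + "*"]}},
            },
            {
                "Sid": "ReadObjectsUnderThisPrefix",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:GetObjectVersion"],
                "Resource": f"arn:aws:s3:::{bucket}/{scope}*",
            },
        ],
    }


def overly_broad_statements(policy):
    """Return indices of Allow statements that use a bare wildcard action
    ("*" or "service:*") or apply to every resource ("*"). Either one
    defeats least privilege and deserves a second look before attaching."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            findings.append(i)
    return findings


if __name__ == "__main__":
    # Constructed placeholder bucket and prefix; substitute your own.
    policy = least_privilege_s3_policy("example-bucket", "images/")
    print(json.dumps(policy, indent=2))
    print("broad statements:", overly_broad_statements(policy))  # []
```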