Glue ETL job for Parquet data located on s3 bucket enabled with requester pays

You’re absolutely correct that when a bucket’s policy delegates access control to an S3 Access Point, you generally shouldn’t need to attach explicit bucket-level permissions for the consuming accounts. In theory, the access point policy should act as the single source of truth. However, in practice, AWS Glue’s runtime behavior for requester pays access via access points isn’t fully consistent with that model yet.

When Glue launches an ETL job, it internally initializes multiple Spark executors that interact directly with S3 using the Hadoop S3A client. The challenge is that Glue’s underlying S3 client doesn’t always resolve the delegated access point policy correctly during the requester pays handshake. Instead, it still attempts to verify permissions on the underlying bucket resource ARN, even when the bucket policy explicitly delegates control to the access point. This is why you’re seeing the 403 AccessDenied response despite correct access point configuration.

Here are a few approaches that have worked in similar cross-account setups:

Add explicit bucket-level read permissions to the Glue job role even if delegation is configured. This doesn’t violate the access point model but compensates for the current behavior of the Glue runtime’s S3 client. Use a scoped statement limited to the specific bucket ARN and restrict to GetObject, GetObjectVersion, and ListBucket.

Confirm the Glue job role has permission to call s3:GetAccessPoint and s3:GetAccessPointPolicy. These permissions are sometimes overlooked but are required when Glue needs to resolve access point aliases during initialization.

Verify the URI structure. The Hadoop client expects the access point alias or full ARN in the format:

s3://<access-point-name>-<account-id>.s3-accesspoint.<region>.amazonaws.com/<prefix>/

Using only s3://accesspoint/[accessPointName]/ can sometimes fail resolution inside Glue depending on the SDK version.

Ensure the requester pays header is applied globally. Set both:

spark._jsc.hadoopConfiguration().set("fs.s3.useRequesterPaysHeader", "true") spark._jsc.hadoopConfiguration().set("fs.s3a.requester.pays", "true")

The second property is used by the newer S3A client, and both may be needed depending on the Glue version.

If you’re running Glue 4.0 or earlier, the internal SDK for S3 access points doesn’t fully handle cross-account requester pays buckets. Upgrading to Glue 5.0, which uses a newer AWS SDK for Java, improves consistency with access points and requester pays headers.

In the long term, AWS is expected to harmonize Glue’s S3 client behavior with the same model used in Athena and EMR, where the access point delegation is respected transparently. For now, the safest path is to explicitly grant read access on the bucket to the Glue job role, even if that seems redundant.

For reference, check:

Using S3 access points with AWS Glue : https://docs.aws.amazon.com/glue/latest/dg/aws-glue-programming-etl-connect-s3.html

Requester Pays buckets in Amazon S3 : https://docs.aws.amazon.com/AmazonS3/latest/userguide/RequesterPaysBuckets.html

AWS Glue job properties for Spark and Hadoop : https://docs.aws.amazon.com/glue/latest/dg/aws-glue-programming-etl-glue-arguments.html

It’s a nuanced setup, and your observation about access point delegation is absolutely right. This looks more like a client behavior gap than a permissions misconfiguration