1 Answer
It suggests a permission issue. I would consider troubleshooting it with the following steps:
- Ensure that the S3 bucket policy in Account A grants the necessary permissions to the role in Account B that the Glue Crawler is using. The S3 bucket policy should explicitly allow the actions (s3:GetObject, s3:ListBucket, etc.). Here's an example of what the policy might look like:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<Account-B-ID>:role/<Glue-Role-Name>"
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket-name>",
        "arn:aws:s3:::<bucket-name>/*"
      ]
    }
  ]
}
```
- Verify that the IAM role assigned to the Glue Crawler in Account B has the necessary permissions. The custom policy you've attached seems appropriate, but double-check that it covers all required actions and resources.
- Even though you've disabled SCP for the organization, ensure that there are no other SCPs or permission boundaries that might be restricting access.
- If your S3 bucket or Glue Crawler is in a VPC, ensure that the networking setup (like VPC endpoints for S3) does not restrict access.
- Check CloudTrail in both accounts for any additional information about the access denial.
Let me know if you have any further questions to discuss.

Best regards,
Mina
edit: removed email address: Zack M
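As an added example that is not part of Mina's answer, the script below checks a cross-account bucket policy for exactly the two grants the first step calls for: `s3:ListBucket` on the bucket ARN and `s3:GetObject` on the object ARN pattern, for the crawler role as principal. It is a deliberately simplified evaluator (no `Condition`, `NotAction`, `NotPrincipal` or `NotResource` handling, no SCP or permission-boundary logic), written to catch the most common mistake in this setup: listing only `bucket/*` as the resource, which silently leaves `s3:ListBucket` ungranted because that action is evaluated against the bucket ARN itself. The account ID, role name and bucket name are constructed placeholders, not values from the question.

```python
"""Check a cross-account S3 bucket policy for the grants a Glue crawler role needs.

Simplified IAM-style evaluation (assumption: no Condition/Not* elements in the
policy). Sample identifiers below are constructed placeholders.
"""
import fnmatch
import json

# Constructed sample values (not from the question)
ACCOUNT_B_ID = "111122223333"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B_ID}:role/GlueCrawlerRole"
BUCKET = "example-data-bucket"

# Policy shaped like the one in the answer: both the bucket ARN and bucket/* listed.
GOOD_POLICY = json.loads(f"""
{{
  "Version": "2012-10-17",
  "Statement": [{{
    "Effect": "Allow",
    "Principal": {{"AWS": "{ROLE_ARN}"}},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::{BUCKET}", "arn:aws:s3:::{BUCKET}/*"]
  }}]
}}
""")

# Common misconfiguration: only bucket/* is listed, so s3:ListBucket never matches.
BAD_POLICY = json.loads(f"""
{{
  "Version": "2012-10-17",
  "Statement": [{{
    "Effect": "Allow",
    "Principal": {{"AWS": "{ROLE_ARN}"}},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": "arn:aws:s3:::{BUCKET}/*"
  }}]
}}
""")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Principal.AWS; normalise to list."""
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, principal_arn):
    """True if the statement's Principal names this ARN or is the wildcard '*'."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return True
    aws_principals = _as_list(principal.get("AWS", []))
    return any(p == "*" or p == principal_arn for p in aws_principals)


def _statement_covers(stmt, principal_arn, action, resource):
    """True if principal, action (case-insensitive glob) and resource (glob) all match."""
    if not _principal_matches(stmt, principal_arn):
        return False
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    action_ok = any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
    resource_ok = any(fnmatch.fnmatchcase(resource, r) for r in resources)
    return action_ok and resource_ok


def policy_allows(policy, principal_arn, action, resource):
    """Explicit Deny wins; otherwise at least one matching Allow is required."""
    statements = _as_list(policy.get("Statement", []))
    if any(s.get("Effect") == "Deny" and _statement_covers(s, principal_arn, action, resource)
           for s in statements):
        return False
    return any(s.get("Effect") == "Allow" and _statement_covers(s, principal_arn, action, resource)
               for s in statements)


def required_grants(bucket):
    """The two (action, resource) pairs a crawler needs to list and read a bucket."""
    return [
        ("s3:ListBucket", f"arn:aws:s3:::{bucket}"),      # bucket ARN, no trailing /*
        ("s3:GetObject", f"arn:aws:s3:::{bucket}/*"),     # object ARN pattern
    ]


def missing_permissions(policy, principal_arn, bucket):
    """Return the required grants the policy does not give to principal_arn."""
    return [(a, r) for a, r in required_grants(bucket)
            if not policy_allows(policy, principal_arn, a, r)]


if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, "missing:", missing_permissions(policy, ROLE_ARN, BUCKET))
```

Run it as-is to see the "bad" policy reported as missing `s3:ListBucket` on the bucket ARN; to check a real policy, load it with `aws s3api get-bucket-policy` output and pass your crawler's role ARN. It only covers the bucket-policy half of the steps above; the role policy in Account B and any SCP or permission boundary still have to be checked separately.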