Organization's account access AWS S3 through Glue Crawler (Error: Account *** denied access)

Hi, I was trying to implement a system on AWS. The system has one account A (not root) in an organization.

Problem: Account A has an S3 bucket and I need to create a Glue Crawler to read S3 data.

Encountered error: the Glue Crawler could not be created because of the error "Account *** denied access" on Account B.

Attempt: I have already disabled SCPs for the organization. The Glue role has these policies attached: "AWSGlueConsoleFullAccess", "AWSGlueServiceRole" and this custom one:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*Object",
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>/*"
            ]
        }
    ]
}

The Glue role also already has a trust relationship that allows Glue to assume it:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "glue.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

If anyone has been through this scenario or has encountered the same issue, please help me with this. Thanks for the help.

1 Answer
It suggests a permission issue. I would consider troubleshooting it with the following steps:

  • Ensure that the S3 bucket policy in Account A grants the necessary permissions to the role in Account B that the Glue Crawler is using. The S3 bucket policy should explicitly allow the actions (s3:GetObject, s3:ListBucket, etc.). Here's an example of what the policy might look like:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<Account-B-ID>:role/<Glue-Role-Name>"
            },
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>",
                "arn:aws:s3:::<bucket-name>/*"
            ]
        }
    ]
}
  • Verify that the IAM role assigned to the Glue Crawler in Account B has the necessary permissions. The custom policy you've attached seems appropriate, but double-check that it covers all required actions and resources.
  • Even though you've disabled SCP for the organization, ensure that there are no other SCPs or permission boundaries that might be restricting access.
  • If your S3 bucket or Glue Crawler is in a VPC, ensure that the networking setup (like VPC endpoints for S3) does not restrict access.
  • Check CloudTrail in both accounts for any additional information about the access denial.

Let me know if you have any further questions to discuss. Best regards,

Mina

answered 4 months ago
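The first two bullets of the answer come down to one rule and one detail that the thread leaves implicit: for a role in Account B reading a bucket owned by Account A, the role's identity policy in B and the bucket policy in A must both allow the call, and s3:ListBucket is evaluated against the bucket ARN itself (arn:aws:s3:::bucket), not the object ARN (arn:aws:s3:::bucket/*), so a policy that lists only the object ARN grants reads but not listing. The toy evaluator below is an added example, not code from the question or the answer, and not the real IAM engine: it models only Allow/Deny statements matched on Action and Resource with IAM's * and ? wildcards, a Principal check for the bucket policy, and the two-sided cross-account rule; Conditions, NotAction/NotResource, account-root principals, SCPs and permission boundaries are left out. The bucket name, account ID and role name are hypothetical stand-ins for the placeholders in the thread. For the real answer on a live account, the IAM Policy Simulator (`aws iam simulate-principal-policy`) and the CloudTrail AccessDenied events the answer points to are the authoritative checks.

```python
"""Toy IAM evaluator for the cross-account Glue -> S3 case.

Added example, not code from the original post. Models only: Allow/Deny
statements matched on Action (case-insensitive) and Resource with the '*'
and '?' wildcards, a Principal check for resource policies, and the
cross-account rule that identity policy AND bucket policy must both allow.
Conditions, NotAction/NotResource, account-root principals, SCPs and
permission boundaries are not modelled.
"""
import re


def _glob_to_regex(pattern, ignore_case=False):
    # IAM wildcards: '*' matches any sequence, '?' matches exactly one character.
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$", re.IGNORECASE if ignore_case else 0)


def _matches(patterns, value, ignore_case=False):
    # A policy element may be a single string or a list of strings.
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(_glob_to_regex(p, ignore_case).match(value) for p in patterns)


def _principal_matches(principal, principal_arn):
    # Resource policies name their principals; "*" means any principal.
    if principal == "*":
        return True
    aws = principal.get("AWS", [])
    if isinstance(aws, str):
        aws = [aws]
    return "*" in aws or principal_arn in aws


def evaluate(policy, action, resource, principal_arn=None):
    """Return "Allow", "Deny" or None (implicit deny) for one request."""
    decision = None
    for stmt in policy["Statement"]:
        # Action names are case-insensitive; resource ARNs are not.
        if not _matches(stmt.get("Action", []), action, ignore_case=True):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        if "Principal" in stmt and not _principal_matches(stmt["Principal"], principal_arn):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        decision = "Allow"
    return decision


def cross_account_allowed(identity_policy, bucket_policy, role_arn, action, resource):
    """Cross-account rule: both sides must allow and neither may deny."""
    from_identity = evaluate(identity_policy, action, resource)
    from_bucket = evaluate(bucket_policy, action, resource, principal_arn=role_arn)
    if "Deny" in (from_identity, from_bucket):
        return False
    return from_identity == "Allow" and from_bucket == "Allow"


# Hypothetical identifiers standing in for the placeholders in the thread.
BUCKET_ARN = "arn:aws:s3:::example-bucket"                   # bucket owned by Account A
ROLE_ARN = "arn:aws:iam::222222222222:role/GlueCrawlerRole"  # crawler role in Account B

# The identity policy as posted in the question: object ARN only.
POSTED_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:*Object", "s3:Get*", "s3:List*"],
                   "Resource": [BUCKET_ARN + "/*"]}],
}

# Same policy with the bucket ARN added, which s3:ListBucket is matched against.
FIXED_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:*Object", "s3:Get*", "s3:List*"],
                   "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]}],
}

# Bucket policy in Account A, shaped like the one in the answer.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": ROLE_ARN},
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]}],
}

# A bucket with no bucket policy at all (the question never mentions one).
NO_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": []}


def crawler_access_report(identity_policy, bucket_policy, role_arn=ROLE_ARN, bucket_arn=BUCKET_ARN):
    """The two calls a crawler must make: list the bucket, then read the objects."""
    needed = {"s3:ListBucket": bucket_arn, "s3:GetObject": bucket_arn + "/*"}
    return {act: cross_account_allowed(identity_policy, bucket_policy, role_arn, act, res)
            for act, res in needed.items()}


if __name__ == "__main__":
    for label, idp, bp in [("posted, no bucket policy", POSTED_IDENTITY_POLICY, NO_BUCKET_POLICY),
                           ("posted + bucket policy", POSTED_IDENTITY_POLICY, BUCKET_POLICY),
                           ("fixed + bucket policy", FIXED_IDENTITY_POLICY, BUCKET_POLICY)]:
        print(f"{label}: {crawler_access_report(idp, bp)}")
```

Run stand-alone, the three reports show the progression the answer describes: with no bucket policy nothing is allowed cross-account even though the identity policy looks generous; adding the bucket policy fixes s3:GetObject but s3:ListBucket still fails because the posted identity policy only names arn:aws:s3:::<bucket-name>/*; adding the bare bucket ARN to the identity policy makes both calls pass.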