Access Denied for Data Analysis and Visualization in AWS Workshop

0

I am closely following the Data Analysis and Visualization in AWS workshop. Once I create a job in Glue DataBrew and select the role that we set up with the permission given by the workshop, I get this error:

Access denied to s3:ListBucket for arn:aws:iam::311516367207:role/AWSGlueDataBrewServiceRole-data-analyst for location s3://my-bucket-311516367207/data-analysis-lab/. Error: Access Denied

However, when I run the permission simulator from my admin account, it says that the user does have permission to list bucket. I even redid the entire workshop from the beginning, and it still marks this error.

1 Answer
0

Ensure that the IAM role AWSGlueDataBrewServiceRole-data-analyst has trust relationships with the Glue service. Here's a sample trust policy assuming Glue is the service requiring access:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "glue.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Update the IAM policy attached to the role AWSGlueDataBrewServiceRole-data-analyst to allow the necessary S3 actions (s3:ListBucket, s3:GetObject, etc.) on the specific bucket (s3://my-bucket-311516367207/data-analysis-lab/). Here's a sample IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my-bucket-311516367207",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["data-analysis-lab", "data-analysis-lab/*"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket-311516367207/data-analysis-lab/*"
    }
  ]
}

(Optional): Ensure that the S3 bucket (my-bucket-311516367207) has a policy allowing the necessary actions for the IAM role. Here's a sample bucket policy:

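{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::311516367207:role/AWSGlueDataBrewServiceRole-data-analyst"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my-bucket-311516367207",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["data-analysis-lab", "data-analysis-lab/*"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::311516367207:role/AWSGlueDataBrewServiceRole-data-analyst"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket-311516367207/data-analysis-lab/*"
    }
  ]
}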

EXPERT
answered 2 months ago
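S3 authorizes s3:ListBucket against the bucket ARN (arn:aws:s3:::bucket), while s3:GetObject is authorized against object ARNs, so a ListBucket grant scoped to a bucket/prefix ARN never matches the list request. The following is an added example, not code from the workshop or from the answer above: a simplified local matcher (it ignores Deny statements and Conditions) run over two constructed policies, with `example-bucket` and the object key as assumed sample values.

```python
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def allows(policy, action, resource_arn):
    """True if an Allow statement matches both the action and the resource.
    Simplified: ignores Deny, Condition, NotAction and NotResource."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        # IAM action names are case-insensitive; resource ARNs are case-sensitive.
        act_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions)
        res_ok = any(fnmatch.fnmatchcase(resource_arn, r) for r in resources)
        if act_ok and res_ok:
            return True
    return False

def diagnose(policy, bucket, key):
    """Evaluate the two requests a job reading s3://bucket/key makes."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        # The list request targets the bucket itself, not the prefix.
        "s3:ListBucket": allows(policy, "s3:ListBucket", bucket_arn),
        # The read request targets the object ARN.
        "s3:GetObject": allows(policy, "s3:GetObject", f"{bucket_arn}/{key}"),
    }

# Constructed sample: both actions scoped to prefix-style (object) ARNs.
MIS_SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:ListBucket", "s3:GetObject"],
    "Resource": ["arn:aws:s3:::example-bucket/data-analysis-lab",
                 "arn:aws:s3:::example-bucket/data-analysis-lab/*"]}]}

# Constructed sample: ListBucket on the bucket ARN, GetObject on the objects.
CORRECTED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-bucket"},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/data-analysis-lab/*"}]}

if __name__ == "__main__":
    for name, pol in (("mis-scoped", MIS_SCOPED), ("corrected", CORRECTED)):
        print(name, diagnose(pol, "example-bucket", "data-analysis-lab/sales.csv"))
```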
