- Newest
- Most votes
- Most comments
Hello,
This access denied exception in cross region bucket would be any one or more than one of the following reasons[1],
- The user's IAM policy doesn't grant access to the bucket.
- The object is encrypted by AWS Key Management Service (AWS KMS), and the user doesn't have access to the KMS key.
- A deny statement in the bucket policy or IAM policy is blocking the user's access.
- The Amazon Virtual Private Cloud (Amazon VPC) endpoint policy is blocking access to the bucket.
- The AWS Organizations service control policy is blocking access to the bucket.
- The object doesn't belong to the AWS account that owns the bucket.
- Requester Pays is enabled on the bucket.
I would like to advice to look into IAM policy for your s3 bucket and check whether you have provided access to the account that you had your EMR cluster created in [2] [3].
{
"AuthorizationConfiguration": {
"EmrFsConfiguration": {
"RoleMappings": [
{
"Role": "arn:aws:iam::DestinationAcctID:role/role_in_destination_account",
"IdentifierType": "Prefix",
"Identifiers": [
"s3://doc-example-bucket/"
]
}
]
}
}
}
Note that instead of removing suffix /*, you may add another line as below [4] because it would grant access to your s3 bucket and objects within your s3 bucket:
"s3://doc-example-bucket/",
"s3://doc-example-bucket/*"
To check if your account has access to the s3 bucket same region or cross-region, you can simply run $aws s3 ls s3://<bucket>/ on AWS CLI.
[1]https://aws.amazon.com/premiumsupport/knowledge-center/s3-cross-account-access-denied/
[2]https://aws.amazon.com/premiumsupport/knowledge-center/emrfs-cross-account-access/
[3]https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/
Relevant content
- asked a year ago
- asked 8 months ago
AWS OFFICIALUpdated 2 years ago- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
