What IAM Permissions are needed to do a CreateJob for S3 Batch?

0

I am getting this error, and I can't figure out what permission to enable to allow me to create the job.

"An error occurred (AccessDenied) when calling the CreateJob operation: Access Denied"

when I try to execute a create_job command with an s3control client in boto3, as part of a lambda function. (https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3control.html#S3Control.Client.create_job).

I'm trying to create a PUTCOPY job.

I have granted the lambda function full S3 access via the AWS managed S3 policy, and I have granted the role that the S3 batch job is supposed to run under inside the create_job function full S3 access via the AWS managed S3 policy.

Is there another permission I need to enable somewhere to allow CreateJob for S3 Batch?

已提問 5 年前檢視次數 2770 次
5 個答案
0

Thanks for your question.

The Lambda function's permissions govern what the Lambda function can do and the IAM role passed to S3 Batch Operations allows the feature to read your manifest, invoke Lambda, write the job report, etc.

What you'll need to create the job are the permissions for "s3:CreateJob and iam:PassRole." So within boto3 this will be based on your user identity when you make the CreateJob call.

AWS
awsrwx
已回答 5 年前
0

Wrong forum sorry

Edited by: dsmirnov on May 23, 2019 12:20 PM

已回答 5 年前
0

Hi Rob, thanks for your reply and your explanation. I do have iam:PassRole added to the user identity that the Lambda Function runs under.

However, for some reason, I do not see a CreateJob permission under S3 in my IAM when I look at the S3 permission. The only permission that comes up when I type "Create" in the search box is "CreateBucket". Is this permission present in the IAM console, or does it have to be added programmatically?

Thank you!

edit: to further clarify, since I posted the original message, I realized that I the CreateJob IS allowed with s3:* permissions enabled on both the user identity for the lambda function and the role that the S3 batch job runs under (there is apparently a short delay in the permissions change becoming consistent). However, when I did narrow back the permissions for production to be properly restrictive for production, I still get the access denied error. As noted by robwaws, the permissions needed for the lambda function that creates the S3 Batch Job are "s3:CreateJob and iam:PassRole", and so the question still is: where is the CreateJob permission located?

Edited by: James3732 on May 24, 2019 6:27 AM

已回答 5 年前
0

Thanks for the update. We'll work to add more about CreateJob to our documentation and to include S3 Batch Operations API actions in the IAM visual editor. "s3:CreateJob" is the permission required to create the job and would be required by the user or Lambda function creating the job. The same entity would also need the "iam:PassRole" permission to pass the IAM role specified for the job to S3 Batch Operations.

AWS
awsrwx
已回答 5 年前
0

Great, thank you. I added the CreateJob permissions manually in the json editor, and now the code can create the job via boto3.

Also, for the help of future readers: even after you add the CreateJob permission in the JSON editor, the console does show a warning hazard, with the text something like "IAM does not recognize one or more actions. The action name might include a typo or might be part of a previewed or custom service." I'm assuming this will disappear once AWS updates the IAM visual editor. Even though the warning shows up, the permission is applied.

Thanks again for your help, robwaws.

已回答 5 年前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南