使用 AWS re:Post 即表示您同意 AWS re:Post 使用條款
AWS re:Postre:Post

Glue Role got S3 Access Denied when writing to underlying S3 data in Lake Formation

0

Hello, I have an ETL workflow and keep getting S3 Access Denied when the Glue Role write a data frame to a destination S3 bucket (registered in Lake Formation). Here is my current setup. Does Lake Formation vend credentials to the Glue Role for writing permission to S3? How to let the Glue Role write to S3 via Lake Formation?

  • Registered a S3 bucket to Lake Formation
  • Grant Data Location to the Glue Role
  • Grant Lake Formation Permissions (ALL) to the Glue Role
  • Attach AWSGlueServiceRole policy to the Glue Role
  • Attach an inline policy below to the Glue Role
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:GetRole",
                "iam:PassRole",
                "lakeformation:GetDataAccess",
                "lakeformation:GrantPermissions"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::amazon-reviews-pds",
                "arn:aws:s3:::amazon-reviews-pds/*"
            ],
            "Effect": "Allow"
        }
    ]
}
主題
分析
標籤
AWS GlueAWS Lake Formation
語言
English
hai
已提問 1 年前檢視次數 582 次
2 個答案
0
已接受的答案

Eventually, I found out that I use incorrect writing method in this case

  • Correct method: glueContext.write_dynamic_frame.from_catalog
  • Incorrect method: glueContext.write_dynamic_frame.from_option

Quoted from docs

Writes a DynamicFrame using the specified catalog database and table name.

docs

hai
已回答 1 年前
0

Once you register a location to be managed by LakeFormation, you should not use s3 permissions to handle it since it.
Now any client API trying to access that table needs to be LakeFormation away in order to be able to use the delegated access permissions, for instance DynamicFrame is able write into such table but not if you write directly to s3 or you use DataFrame.

profile pictureAWS
專家
Gonzalo Herreros
已回答 1 年前
  • hai
    1 年前

    The amazon-reviews-pds bucket is data source which is a publicly available. My lake (destination bucket) permissions not written in the policy and grant permissions via Lake Formation.

    Actually, if both IAM and Lake Formation grants permission, the the Glue Role is still able to write to S3, but it is not best practice.

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南

相關內容