Organization's account access AWS S3 through Glue Crawler (Error: Account *** denied access)

0

Hi, I was trying to implement a system on AWS. The system has one account A (not root) in an organization.

Problem: Account A has an S3 bucket and I need to create a Glue Crawler to read S3 data.

Encountered error: Glue Crawler refused to be created due to the error "Account *** denied access" on Account B.

Attempt: I have already disabled SCP for the organization. Glue's role has these policies attached: "AWSGlueConsoleFullAccess", "AWSGlueServiceRole" and this custom one:

{
    "Effect": "Allow",
    "Action": [
        "s3:*Object",
        "s3:Get*",
        "s3:List*"
    ],
    "Resource": [
        "arn:aws:s3:::<bucket-name>/*"
    ]
}

Glue's role already has a trust relationship that allows Glue to assume the role as well:

{
    "Effect": "Allow",
    "Principal": {
        "Service": "glue.amazonaws.com"
    },
    "Action": "sts:AssumeRole"
}

If anyone has been through this scenario or has encountered the same issue, please help me with this. Thanks for the help.

1 Answer
0

It suggests a permission issue. I would consider troubleshooting it with the following steps:

  • Ensure that the S3 bucket policy in Account A grants the necessary permissions to the role in Account B that the Glue Crawler is using. The S3 bucket policy should explicitly allow the actions (s3:GetObject, s3:ListBucket, etc.). Here's an example of what the policy might look like:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<Account-B-ID>:role/<Glue-Role-Name>"
            },
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>",
                "arn:aws:s3:::<bucket-name>/*"
            ]
        }
    ]
}
  • Verify that the IAM role assigned to the Glue Crawler in Account B has the necessary permissions. The custom policy you've attached seems appropriate, but double-check that it covers all required actions and resources.
  • Even though you've disabled SCP for the organization, ensure that there are no other SCPs or permission boundaries that might be restricting access.
  • If your S3 bucket or Glue Crawler is in a VPC, ensure that the networking setup (like VPC endpoints for S3) does not restrict access.
  • Check CloudTrail in both accounts for any additional information about the access denial.

Let me know if you have any further questions to discuss. Best regards,

Mina


edit: removed email address: Zack M

EXPERT
answered 5 months ago
EXPERT
reviewed a month ago
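As an added, offline example (not code from the question or the answer): a small checker that reads the two policy documents discussed above and reports which of the crawler's needed (action, resource) pairs each side fails to allow. The bucket name and the Account B role ARN are constructed placeholders, and the helper is a deliberately simplified evaluator (Allow statements and `*` wildcards only; no Deny, conditions, SCPs or permission boundaries), not AWS's policy engine.

```python
"""Does the Glue role policy plus the bucket policy cover what a crawler needs?
Hypothetical checker: Allow statements and '*' wildcards only; ignores Deny,
Condition, SCPs and permission boundaries."""
import fnmatch
import json

BUCKET = "example-bucket"                                     # constructed placeholder
ROLE_ARN = "arn:aws:iam::222222222222:role/GlueCrawlerRole"   # constructed Account B role

# Listing needs the bucket ARN itself; reading objects needs the object ARN.
REQUIRED = [
    ("s3:ListBucket", f"arn:aws:s3:::{BUCKET}"),
    ("s3:GetObject", f"arn:aws:s3:::{BUCKET}/*"),
]

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allowed_pairs(policy_json, principal_arn=None):
    """Return the REQUIRED pairs that Allow statements in this policy cover.
    For a bucket policy, pass the role ARN so only statements naming it count."""
    covered = set()
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if principal_arn is not None:
            principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
            if principal_arn not in principals and "*" not in principals:
                continue
        for action, resource in REQUIRED:
            if any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])) and \
               any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
                covered.add((action, resource))
    return covered

def missing(role_policy_json, bucket_policy_json, role_arn=ROLE_ARN):
    """Cross-account access needs both sides to allow; list what each side lacks."""
    role_ok = allowed_pairs(role_policy_json)
    bucket_ok = allowed_pairs(bucket_policy_json, role_arn)
    return {"role_policy": [p for p in REQUIRED if p not in role_ok],
            "bucket_policy": [p for p in REQUIRED if p not in bucket_ok]}

# The questioner's custom statement, wrapped in a policy document: object ARN only.
ROLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:*Object", "s3:Get*", "s3:List*"],
    "Resource": [f"arn:aws:s3:::{BUCKET}/*"]}]})
# The answer's bucket policy with the constructed role ARN filled in.
BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]}]})

if __name__ == "__main__":
    print(missing(ROLE_POLICY, BUCKET_POLICY))
```

Run as-is, the checker flags that the questioner's role statement grants `s3:List*` only on the object ARN, so `s3:ListBucket` on the bucket ARN is not covered; swap in a policy that also names the bucket ARN and the report is empty on both sides.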
