Did you check if the service role has access to the KMS key that is being used for S3 bucket object encryption? Also make sure that there is no explicit deny in the KMS key policy. This re:Post Knowledge Center article explains exactly this, and I'm quite sure this would solve the problem.
Comment here if you have additional questions; happy to help.
Abhishek
Hi!
The 403 Access Denied error in S3 when using AWS Glue typically indicates a permissions issue. Let's try to resolve this:
- IAM Role Permissions: Ensure the Glue IAM role has s3:PutObject, s3:GetObject, and s3:ListBucket permissions.

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
        "Resource": [
          "arn:aws:s3:::your-bucket-name",
          "arn:aws:s3:::your-bucket-name/*"
        ]
      }
    ]
  }
  ```

- Bucket Policy: Ensure the S3 bucket policy allows the Glue role to perform the necessary actions.

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": { "AWS": "arn:aws:iam::your-account-id:role/glue-job-role" },
        "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
        "Resource": [
          "arn:aws:s3:::your-bucket-name",
          "arn:aws:s3:::your-bucket-name/*"
        ]
      }
    ]
  }
  ```

- Cross-Account Access: If SAP Hana is in another account, ensure cross-account permissions include the necessary actions.

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": { "AWS": "arn:aws:iam::other-account-id:role/glue-job-role" },
        "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
        "Resource": [
          "arn:aws:s3:::your-bucket-name",
          "arn:aws:s3:::your-bucket-name/*"
        ]
      }
    ]
  }
  ```

- VPC Endpoint: If your Glue job is running in a VPC, ensure that a VPC endpoint for S3 is correctly configured and the endpoint policy allows access.

- Testing and Validation:
  - Run a simple Glue job that writes directly to the S3 bucket to ensure the role permissions and bucket policy are correct.
  - Double-check that no deny policies are inadvertently blocking access.

References:
- ref1: https://docs.aws.amazon.com/glue/latest/dg/create-an-iam-role.html
- ref2: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
- ref3: https://docs.aws.amazon.com/glue/latest/dg/vpc-interface-endpoints.html
- ref4: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_rw-bucket.html
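Both answers above come down to two evaluation rules: an explicit Deny in any applicable policy (including the KMS key policy) wins, and without some Allow the result is an implicit deny. The following added example, not code from either answer or from AWS, is a small offline evaluator that applies just those rules to the role policy and a key policy of the shape discussed above; the ARNs and policies are constructed placeholders, and it deliberately ignores Condition blocks, NotAction/NotResource and the cross-account rule that both accounts must allow the call.

```python
import fnmatch


def _match(pattern, value):
    """IAM-style wildcard match; pattern is a string or a list of strings."""
    pats = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)


def _principal_applies(stmt, principal_arn):
    """Identity policies carry no Principal; resource policies must name the caller."""
    prin = stmt.get("Principal", "*")
    return prin == "*" or _match(prin.get("AWS", []), principal_arn)


def evaluate(policies, principal_arn, action, resource):
    """Return 'Allowed', 'DeniedExplicit' or 'DeniedImplicit' for one API call."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_principal_applies(stmt, principal_arn)
                    and _match(stmt["Action"], action)
                    and _match(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "DeniedExplicit"  # an explicit deny always wins
            allowed = True
    return "Allowed" if allowed else "DeniedImplicit"


def check_glue_write(policies, role_arn, bucket_arn, key_arn=None):
    """Verdict for each call an SSE-KMS object write from Glue needs."""
    calls = [("s3:ListBucket", bucket_arn),
             ("s3:PutObject", bucket_arn + "/output/part-0000.parquet")]
    if key_arn:  # encryption with a customer managed key also needs a KMS call
        calls.append(("kms:GenerateDataKey", key_arn))
    return {f"{a} on {r}": evaluate(policies, role_arn, a, r) for a, r in calls}


# Constructed placeholder ARNs and policies mirroring the ones in the answer above
ROLE_ARN = "arn:aws:iam::111111111111:role/glue-job-role"
BUCKET_ARN = "arn:aws:s3:::your-bucket-name"
KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/placeholder-key-id"
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
    "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]}]}
# Key policy that grants the role access but also carries an explicit Deny
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN}, "Action": "kms:*", "Resource": "*"},
    {"Effect": "Deny", "Principal": {"AWS": ROLE_ARN},
     "Action": "kms:GenerateDataKey", "Resource": "*"}]}
```

Running `check_glue_write([ROLE_POLICY, KEY_POLICY], ROLE_ARN, BUCKET_ARN, KEY_ARN)` reports both S3 calls as Allowed but the KMS call as DeniedExplicit, which is exactly the case where the S3 policies look correct and the write still fails with 403.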