403 Access Denied S3

0

Hi, I am getting AccessDenied Error on S3, while trying to write to S3 with AWS Glue.

Below is the error message: com.amazon.ws.emr.hadoop.fs.shaded.com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied;

Below are the Glue Job details:

  1. AWS Glue reads from SAP Hana table and tries to write the data to S3 bucket.
  2. The SAP Hana database is hosted on EC2 on another AWS account.
  3. The Glue Job role has full access to S3 bucket.
  4. I verified in the Glue job by doing dataframe.show() that its able to fetch the data from SAP
  5. For troubleshooting, I created another aws glue job which reads a file from S3 bucket and writes to same bucket in another folder. And this works fine. But when I read from Sap database and write to S3 , it throws AccessDenied error.

Please advise.

preguntada hace 3 meses327 visualizaciones
2 Respuestas
1

Did you check if service role has access to KMS key that is being used in S3 bucket object encryption. Also make sure that there is no explicit deny in KMS key policy. This re:Post Knowledge Center Article exactly explains this and I'm quite sure this would solve the problem.

Comment here if you have additional questions, happy to help.

Abhishek

profile pictureAWS
EXPERTO
respondido hace 3 meses
0

Hi!

The 403 Access Denied error in S3 when using AWS Glue typically indicates a permissions issue. Let's try resolve this:

  1. IAM Role Permissions: Ensure the Glue IAM role has s3:PutObject, s3:GetObject, and s3:ListBucket permissions.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::your-bucket-name",
            "arn:aws:s3:::your-bucket-name/*"
          ]
        }
      ]
    }
  2. Bucket Policy: Ensure the S3 bucket policy allows the Glue role to perform the necessary actions.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {"AWS": "arn:aws:iam::your-account-id:role/glue-job-role"},
          "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::your-bucket-name",
            "arn:aws:s3:::your-bucket-name/*"
          ]
        }
      ]
    }
  3. Cross-Account Access: If SAP Hana is in another account, ensure cross-account permissions include the necessary actions.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {"AWS": "arn:aws:iam::other-account-id:role/glue-job-role"},
          "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::your-bucket-name",
            "arn:aws:s3:::your-bucket-name/*"
          ]
        }
      ]
    }
  4. VPC Endpoint: If your Glue job is running in a VPC, ensure that a VPC endpoint for S3 is correctly configured and the endpoint policy allows access.

  5. Testing and Validation:

    • Run a simple Glue job that writes directly to the S3 bucket to ensure the role permissions and bucket policy are correct.
    • Double-check that no deny policies are inadvertently blocking access.

ref.: https://docs.aws.amazon.com/glue/latest/dg/create-an-iam-role.html

ref2.: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

ref3: https://docs.aws.amazon.com/glue/latest/dg/vpc-interface-endpoints.html

ref4: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_rw-bucket.html

profile picture
EXPERTO
respondido hace 3 meses
profile picture
EXPERTO
revisado hace 3 meses

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Pautas para responder preguntas