Cross-Account S3 bucket access from Rekognition Service

0

Hi,

I have two different AWS accounts.

Account 1: Stores images and videos inside an S3 bucket in region us-east-1
Account 2: Rekognition service is running in region us-east-1

From my application I am able to use the Rekognition service and get content moderation labels if my Rekognition service and S3 bucket belong to the same account and region (e.g. both belong to Account 2).

But when I try to access S3 bucket data from a different account, it gives me an error (e.g. S3 bucket created by Account 1, and Rekognition service running in Account 2).

Error:

software.amazon.awssdk.services.rekognition.model.InvalidS3ObjectException: Unable to get object metadata from S3. Check object key, region and/or access permissions. (Service: Rekognition, Status Code: 400, Request ID: 9c15c94b-0568-4f59-bfae-5b21927e52c1)
	at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handleErrorResponse(CombinedResponseHandler.java:125)
	at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handleResponse(CombinedResponseHandler.java:82)
	at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handle(CombinedResponseHandler.java:60)
	at software.amazon.awssdk.core.internal.http.CombinedResponseHandler.handle(CombinedResponseHandler.java:41)


I have also tried setting the bucket policy below, but nothing is working. I don't want to copy data from Account 1 to Account 2 and run the service. Is there any way to run the Rekognition content moderation service in Account 2 and access data from Account 1?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account-id>:user/<username>"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::<bucket-name>"
        }
    ]
}

Not able to figure out what I am missing.

Thank You.

2 Answers
1

Hi,

There are 2 permissions you will need to add:

  1. In your bucket policy, you need to allow the IAM ARN of your Rekognition role in account 2 to access your S3 bucket in account 1; try the bucket policy below:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "{REPLACE_WITH_YOUR_IAM_ARN}"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<bucket-name>"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "{REPLACE_WITH_YOUR_IAM_ARN}"
            },
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::<bucket-name>/*"
        }
    ]
}
  2. In the IAM role of your Rekognition service in account 2, you need to add the policy with permission to access the cross-account S3 bucket, for example:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>/*",
                "arn:aws:s3:::<bucket-name>"
            ]
        }
    ]
}

In addition, if your S3 bucket is encrypted, you will need to modify the KMS key policy as well as the Rekognition service role to allow the Rekognition service role to encrypt and decrypt using the key. For example, for the Rekognition service role, add an additional policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>/*",
                "arn:aws:s3:::<bucket-name>"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey*",
                "kms:DescribeKey"
            ],
            "Resource": "{REPLACE_WITH_YOUR_KMS_KEY_ARN}"
        }
    ]
}

For the KMS key policy, allow account 2 to use the KMS key in account 1 (the data account with the S3 bucket).

Let me know how it goes,

AWS
Jady
answered a year ago
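The answer above boils down to two grants: a bucket policy in account 1 naming the account 2 role as principal, and an identity policy on that role. A practitioner would want to verify both before deploying, and would also want to notice that the quoted statements hand a read-only consumer `s3:DeleteObject`, `s3:PutObject` and even `s3:*`. The following is an added example, not code from the thread or from AWS: a small offline policy checker that reports which of the required grants are missing and which excess grants are present. The account id, role name and bucket name are constructed placeholders, and the evaluator is a deliberately simplified model of IAM (Effect, Principal, Action and Resource only; Condition, NotAction and NotResource are not modelled), so it is a pre-deployment sanity check rather than a substitute for IAM's own evaluation.

```python
"""Offline check of the two policies the answer describes: does the bucket
policy in account 1 (or the role policy in account 2) give the Rekognition
role the S3 access it needs, and nothing more? Constructed example, not
code from the thread or from AWS. It models Effect/Principal/Action/Resource
only; Condition, NotAction and NotResource are ignored, so policies using
them need the IAM policy simulator instead."""
import fnmatch
import json

# Constructed placeholders: the role in account 2 and the bucket in account 1.
ROLE_ARN = "arn:aws:iam::222222222222:role/rekognition-moderation-role"
BUCKET = "media-bucket-account1"

# Least-privilege bucket policy for a read-only consumer such as a
# Rekognition role: ListBucket on the bucket, GetObject on the objects.
MINIMAL_BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "RekognitionListBucket", "Effect": "Allow",
     "Principal": {"AWS": ROLE_ARN}, "Action": "s3:ListBucket",
     "Resource": f"arn:aws:s3:::{BUCKET}"},
    {"Sid": "RekognitionGetObject", "Effect": "Allow",
     "Principal": {"AWS": ROLE_ARN}, "Action": "s3:GetObject",
     "Resource": f"arn:aws:s3:::{BUCKET}/*"}]})

# Shape of the object statement quoted in the thread: reads work, but the
# role can also overwrite and delete media it only needs to inspect.
BROAD_BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
     "Action": ["s3:DeleteObject", "s3:GetObject", "s3:PutObject"],
     "Resource": f"arn:aws:s3:::{BUCKET}/*"}]})

# Identity-based policy (no Principal element) with s3:* as in the answer.
BROAD_ROLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"],
     "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"]}]})


def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]


def _principal_matches(stmt, principal_arn):
    principal = stmt.get("Principal")
    if principal is None or principal == "*":
        return True  # no Principal: identity policy, applies to the attached role
    if isinstance(principal, dict):
        aws = _as_list(principal.get("AWS"))
        return principal_arn in aws or "*" in aws
    return False


def allows(policy_json, principal_arn, action, resource):
    """True if an Allow statement matches and no Deny statement does.
    Actions match case-insensitively with wildcards; resources case-sensitively."""
    allowed = denied = False
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if not _principal_matches(stmt, principal_arn):
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt.get("Action"))):
            continue
        if not any(fnmatch.fnmatchcase(resource, r)
                   for r in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            denied = True
        elif stmt.get("Effect") == "Allow":
            allowed = True
    return allowed and not denied


# What a moderation call needs (GetObject covers the object-metadata read that
# failed in the question; ListBucket turns a missing key into a 404 rather
# than a 403) and what a read-only consumer should never be granted.
REQUIRED = (("s3:ListBucket", f"arn:aws:s3:::{BUCKET}"),
            ("s3:GetObject", f"arn:aws:s3:::{BUCKET}/sample.jpg"))
EXCESS = (("s3:PutObject", f"arn:aws:s3:::{BUCKET}/sample.jpg"),
          ("s3:DeleteObject", f"arn:aws:s3:::{BUCKET}/sample.jpg"),
          ("s3:PutBucketPolicy", f"arn:aws:s3:::{BUCKET}"))


def audit(policy_json, principal_arn=ROLE_ARN):
    """Return the required grants that are missing and the excess grants present."""
    return {"missing": [a for a, r in REQUIRED if not allows(policy_json, principal_arn, a, r)],
            "excess": [a for a, r in EXCESS if allows(policy_json, principal_arn, a, r)]}


if __name__ == "__main__":
    for name, pol in (("minimal bucket", MINIMAL_BUCKET_POLICY),
                      ("broad bucket", BROAD_BUCKET_POLICY),
                      ("broad role", BROAD_ROLE_POLICY)):
        print(name, audit(pol))
```

Run against the thread's own statements, the checker flags the object statement as missing `s3:ListBucket` while granting `s3:PutObject` and `s3:DeleteObject`, and flags the `s3:*` role policy as granting every excess action including `s3:PutBucketPolicy`. The minimal policy passes clean. Note that the principal in the bucket policy must be the ARN of the role Rekognition actually runs as (the same one that carries the identity policy), or the audit reports both grants missing, which is the same failure the original question shows. For policies that use Condition keys, run the real evaluation with `aws iam simulate-principal-policy` instead of this simplified model.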
0

Hi @Jady,

Thank you for your reply.

Setting the permission below alone on my Account 1's S3 bucket worked, as encryption is disabled.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "{REPLACE_WITH_YOUR_IAM_ARN}"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::<bucket-name>"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "{REPLACE_WITH_YOUR_IAM_ARN}"
            },
            "Action": [
                "s3:DeleteObject",
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::<bucket-name>/*"
        }
    ]
}

Regards

answered a year ago
  • Great! please accept the answer if it works for you, and happy holidays!
