How do I resolve the "Access Denied" error in Kinesis Data Firehose when I write to an Amazon S3 bucket?


I want to write data from Amazon Kinesis Data Firehose to an Amazon Simple Storage Service (Amazon S3) bucket. The Amazon S3 bucket is encrypted by AWS Key Management Service (AWS KMS), and I receive an "Access Denied" error message.

Resolution

To resolve the "Access Denied" error, either modify your AWS KMS key policy directly, or add the AWS Identity and Access Management (IAM) role for your Kinesis Data Firehose delivery stream as a key user.

Modify the AWS KMS key policy

To modify the AWS KMS key policy, complete the following steps:

1.    Open the AWS KMS console.

2.    Choose the AWS KMS key that encrypts your S3 bucket.

3.    Choose Switch to policy view.

4.    Check that you have the required permissions in the AWS KMS key policy.

5.    Update your policy to grant Kinesis Data Firehose access to the AWS KMS key:

{
    "Sid": "Allow use of the key",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::<account-ID>:role/<FirehoseRole>"
    },
    "Action": [
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:DescribeKey"
    ],
    "Resource": "<ARN of the KMS key>"
}

Note: In the preceding policy statement, replace the placeholders with your account ID, the name of your Kinesis Data Firehose IAM role, and the ARN of the AWS KMS key that encrypts your S3 bucket.

6.    Choose Save.

Add your Kinesis Data Firehose IAM role

Important: Make sure that the IAM role for Kinesis Data Firehose has the required Amazon S3 permissions.

To add your Kinesis Data Firehose IAM role, complete the following steps:

1.    Open the AWS KMS console.

2.    Choose the AWS KMS key that encrypts your S3 bucket.

3.    In the Key users section, choose Add.

4.    Select your Kinesis Data Firehose IAM role.

5.    Choose Add.
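Both procedures above end with the same result: a key policy statement that allows the Firehose role the listed kms: actions on the key (adding a key user in the console writes that statement for you). The following added example, which is not part of the AWS article, is an offline checker you can run over a key policy document (for example, the output of aws kms get-key-policy) to confirm that the Firehose role is actually granted every required action and is not explicitly denied one. The account ID, role name and key ARN are constructed placeholders; the three sample policies are constructed to show the missing-grant, fixed, and explicit-deny cases.

```python
import fnmatch
import json

# The KMS operations Kinesis Data Firehose performs on a customer managed key
# when it writes to an SSE-KMS encrypted bucket. "kms:ReEncrypt*" and
# "kms:GenerateDataKey*" in the article's statement cover these concrete names.
REQUIRED_ACTIONS = (
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncryptFrom",
    "kms:ReEncryptTo",
    "kms:GenerateDataKey",
    "kms:DescribeKey",
)

# Constructed placeholders (not real resources).
ROLE_ARN = "arn:aws:iam::111122223333:role/FirehoseRoleExample"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"


def _as_list(value):
    """Action, Resource and Principal.AWS may each be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, role_arn):
    """True if the statement's Principal names the role (or is the "*" wildcard).

    An account root principal (...:root) only delegates to IAM policies that this
    offline check cannot see, so it is deliberately NOT treated as a grant.
    """
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return role_arn in _as_list(principal.get("AWS"))
    return False


def _actions_matching(statement, actions):
    """Subset of `actions` covered by the statement's Action patterns (IAM-style,
    case-insensitive, with * wildcards)."""
    patterns = [p.lower() for p in _as_list(statement.get("Action"))]
    return {a for a in actions if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}


def check_key_policy(policy, role_arn, key_arn):
    """Return (ok, missing) for a KMS key policy given as JSON text or a dict.

    ok is True when every required action is allowed for role_arn on key_arn and
    no statement explicitly denies one; missing lists the actions that are not
    granted or are denied, in REQUIRED_ACTIONS order.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    allowed, denied = set(), set()
    for stmt in _as_list(doc.get("Statement")):
        if not _principal_matches(stmt.get("Principal"), role_arn):
            continue
        # Key policies use "*" or the key's own ARN as Resource.
        if not any(r in ("*", key_arn) for r in _as_list(stmt.get("Resource"))):
            continue
        matched = _actions_matching(stmt, REQUIRED_ACTIONS)
        if stmt.get("Effect") == "Allow":
            allowed |= matched
        elif stmt.get("Effect") == "Deny":
            denied |= matched
    missing = [a for a in REQUIRED_ACTIONS if a not in allowed or a in denied]
    return (not missing, missing)


# Constructed sample 1: only the default root statement -> role gets nothing.
ROOT_STATEMENT = {
    "Sid": "Enable IAM User Permissions",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "kms:*",
    "Resource": "*",
}
POLICY_BEFORE = {"Version": "2012-10-17", "Statement": [ROOT_STATEMENT]}

# Constructed sample 2: the article's "Allow use of the key" statement added.
FIREHOSE_STATEMENT = {
    "Sid": "Allow use of the key",
    "Effect": "Allow",
    "Principal": {"AWS": ROLE_ARN},
    "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
               "kms:GenerateDataKey*", "kms:DescribeKey"],
    "Resource": KEY_ARN,
}
POLICY_AFTER = {"Version": "2012-10-17", "Statement": [ROOT_STATEMENT, FIREHOSE_STATEMENT]}

# Constructed sample 3: grant present, but an explicit Deny on Decrypt wins.
DENY_STATEMENT = {"Effect": "Deny", "Principal": {"AWS": ROLE_ARN},
                  "Action": "kms:Decrypt", "Resource": "*"}
POLICY_WITH_DENY = {"Version": "2012-10-17",
                    "Statement": [ROOT_STATEMENT, FIREHOSE_STATEMENT, DENY_STATEMENT]}

if __name__ == "__main__":
    for name, pol in [("before", POLICY_BEFORE), ("after", POLICY_AFTER),
                      ("with deny", POLICY_WITH_DENY)]:
        print(name, check_key_policy(json.dumps(pol), ROLE_ARN, KEY_ARN))
```

Run it as-is to see the three cases, or pass your own policy text to check_key_policy. The check stays conservative on purpose: it reports the root principal as "not granted" because that grant is only effective through the role's IAM policies, which is exactly the second thing to verify when the key policy looks correct but the error persists.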

Related information

Editing keys

AWS OFFICIAL
Updated a year ago