Granting User Access to AWS Textract via IAM Identity Center Permission Set only works when giving Get/Put/List for all/* buckets.


I have set up a user in the IAM Identity Center console that is assigned to a group that I'd like to only have access to a few select S3 buckets and the AWS Textract service. I've created a group with the following permissions to allow access to certain specific buckets as well as the Textract service itself via the IAM permissions JSON below (modified for privacy reasons):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "textract:*",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "s3:ListBucket",
            "s3:PutObject",
            "s3:GetObject"
          ],
          "Resource": [
            "arn:aws:s3:::<<my_bucket_name>>",
            "arn:aws:s3:::<<my_bucket_name>>/*",
            "arn:aws:s3:::textract-console-us-east-1-<<auto_created_id_1>>",
            "arn:aws:s3:::textract-console-us-east-1-<<auto_created_id_1>>/*",
            "arn:aws:s3:::textract-adapters-us-east-1-<<auto_created_id_2>>",
            "arn:aws:s3:::textract-adapters-us-east-1-<<auto_created_id_2>>/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": "logs:*",
          "Resource": "*"
        }
      ]
    }

When signing in as this user and navigating to Textract I get errors on the demo page ("We are unable to access the S3 object that's specified for processing."), on the Bulk Document Uploader page ("Your S3 bucket couldn't be created. Please try again or contact your account administrator.") when choosing to import documents from an S3 bucket, and on the Custom Queries page for a given test adapter that's been created ("We are unable to access the adapter bucket"). I have also modified the <<my_bucket_name>> bucket's permissions to have the following bucket policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowTextractToReadObjects",
          "Effect": "Allow",
          "Principal": { "Service": "" },
          "Action": [
            "s3:GetObject",
            "s3:PutObject",
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::<<my_bucket_name>>",
            "arn:aws:s3:::<<my_bucket_name>>/*"
          ]
        }
      ]
    }

and I am still getting the aforementioned errors.

The ONLY solution that I've found so far is to grant access to all buckets within my account by adding the following two lines to the Resource section of the first IAM policy above:

    "arn:aws:s3:::*",
    "arn:aws:s3:::*/*"

I've also tried changing my Action to * in the first policy while removing the arn:aws:s3:::* sections to no avail.

I've also verified that the created bucket is in the same region "us-east-1" as the drop-down in the top-corner of the web interface.

Can anyone help me diagnose why this user I've created is unable to access the service unless they have full access to all S3 buckets in our account?

Any help would be greatly appreciated!

1 Answer

Solved it myself...

Two things:

  1. I needed to add the following (not-best-practice-but-still-necessary) permissions to my IAM user:

         {
           "Effect": "Allow",
           "Action": [
             "s3:ListAllMyBuckets",
             "s3:GetBucketLocation"
           ],
           "Resource": "arn:aws:s3:::*"
         },

  2. I needed to add the public resources bucket (which the documentation annoyingly doesn't mention) to my more limited GetObject/PutObject/ListBucket permissions. I was able to find the bucket name by inspecting the images from a user that had full S3 access and seeing their web URLs to derive the bucket name: arn:aws:s3:::textract-public-assets-us-east-1

It seems as though a lot of the web-based interfaces on AWS require these ListAllMyBuckets and GetBucketLocation permissions in order to function, and of course the demo requires the user to be granted access to that bucket.

answered 2 months ago
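Putting the two findings from the answer together, here is an added example (not from the question or answer above) that builds the resulting permission-set policy and runs a small check for the over-broad object-level grants the asker originally had to fall back on. The bucket names are placeholders standing in for the redacted ones; only textract-public-assets-us-east-1 comes from the answer.

```python
import json

REGION = "us-east-1"
# Placeholders for the asker's redacted bucket names (constructed, not real buckets).
MY_BUCKET = "my_bucket_name"
CONSOLE_BUCKET = f"textract-console-{REGION}-AUTO_CREATED_ID_1"
ADAPTERS_BUCKET = f"textract-adapters-{REGION}-AUTO_CREATED_ID_2"
PUBLIC_ASSETS_BUCKET = f"textract-public-assets-{REGION}"  # named in the answer

def bucket_arns(*names):
    """Bucket ARN plus object ARN per bucket: ListBucket needs the former, Get/PutObject the latter."""
    arns = []
    for name in names:
        arns += [f"arn:aws:s3:::{name}", f"arn:aws:s3:::{name}/*"]
    return arns

def build_permission_set_policy():
    """Least-privilege policy: account-wide grants only for the two list/location actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "textract:*", "Resource": "*"},
            # Console bucket enumeration; these two actions only make sense with a wildcard resource.
            {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
             "Resource": "arn:aws:s3:::*"},
            # Object access stays pinned to named buckets, including the undocumented public-assets one.
            {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
             "Resource": bucket_arns(MY_BUCKET, CONSOLE_BUCKET, ADAPTERS_BUCKET, PUBLIC_ASSETS_BUCKET)},
        ],
    }

OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:*", "*"}
WILDCARD_RESOURCES = {"*", "arn:aws:s3:::*", "arn:aws:s3:::*/*"}

def overbroad_s3_grants(policy):
    """Return (action, resource) pairs that allow object-level S3 access across every bucket."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for action in actions:
            if action in OBJECT_ACTIONS:
                findings += [(action, r) for r in resources if r in WILDCARD_RESOURCES]
    return findings

if __name__ == "__main__":
    print(json.dumps(build_permission_set_policy(), indent=2))
    print("over-broad grants:", overbroad_s3_grants(build_permission_set_policy()))
```

Appending the asker's workaround lines ("arn:aws:s3:::*" and "arn:aws:s3:::*/*") to the third statement's Resource list makes the checker report every object action against both wildcards.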
