Grant Rekognition cross-account S3 access


What's the correct way to grant Rekognition cross-account S3 access?

When I grant the root of the AWS account to access the bucket, then Rekognition works.

However, if I use the service principal (rekognition.amazonaws.com), Rekognition model training fails with:

error_failed_images_s3_copy

failed to copy images from s3 bucket.

m0ltar
asked 2 months ago, 99 views
1 Answer

Rekognition will only have access to an S3 bucket that the user/role who sends the request has access to. So in this case, if you're sending a request from account A with an image that's stored in S3 bucket C that A doesn't have access to, Rekognition won't be able to process your request. If you attach a policy to bucket S that allows access from the user/role of A, then the request should go through. This is basically the case of "When I grant the root of the AWS account to access the bucket, then Rekognition works." If you attach a policy to only allow the service principal to access bucket S, at this point account A would not have access to bucket S, then the request would fail.

AWS
answered 2 months ago
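
An added example, not part of the original thread or AWS's own code: it builds a bucket policy scoped to one calling role instead of the whole account root, and checks whether a policy names the caller at all, which is the difference between the two cases in the question. The bucket name, account ID, role name and the `names_caller` helper are constructed for illustration, and the check is deliberately simplified.

```python
# Added example: constructed names, simplified bucket-policy check (no wildcards,
# Conditions, Deny or NotPrincipal). The caller also needs IAM permissions in account A.
BUCKET = "example-training-images"                               # hypothetical
CALLER = "arn:aws:iam::111122223333:role/rekognition-caller"     # hypothetical

def caller_read_policy(bucket, caller_arn):
    """Bucket policy letting one cross-account principal list and read the bucket."""
    def allow(sid, action, resource):
        return {"Sid": sid, "Effect": "Allow", "Principal": {"AWS": caller_arn},
                "Action": action, "Resource": resource}
    return {"Version": "2012-10-17", "Statement": [
        allow("CallerList", "s3:ListBucket", f"arn:aws:s3:::{bucket}"),
        allow("CallerRead", "s3:GetObject", f"arn:aws:s3:::{bucket}/*"),
    ]}

# The two policies described in the question (constructed).
ROOT_POLICY = caller_read_policy(BUCKET, "arn:aws:iam::111122223333:root")
SERVICE_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "rekognition.amazonaws.com"},
    "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def names_caller(policy, caller_arn, action="s3:GetObject"):
    """True if an Allow statement for `action` names the caller or its account."""
    account = caller_arn.split(":")[4]
    accepted = {"*", caller_arn, account, f"arn:aws:iam::{account}:root"}
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow" or action not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            return True
        if accepted & set(_as_list(principal.get("AWS", []))):
            return True
    return False

if __name__ == "__main__":
    import json
    print(json.dumps(caller_read_policy(BUCKET, CALLER), indent=2))
    for name, pol in [("root", ROOT_POLICY), ("service-only", SERVICE_ONLY)]:
        print(name, names_caller(pol, CALLER))
```
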
