403 Access Denied S3

0

Hi, I am getting an AccessDenied error on S3 while trying to write to S3 with AWS Glue.

Below is the error message: com.amazon.ws.emr.hadoop.fs.shaded.com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied;

Below are the Glue Job details:

  1. AWS Glue reads from an SAP HANA table and tries to write the data to an S3 bucket.
  2. The SAP HANA database is hosted on EC2 in another AWS account.
  3. The Glue job role has full access to the S3 bucket.
  4. I verified in the Glue job by doing dataframe.show() that it's able to fetch the data from SAP.
  5. For troubleshooting, I created another AWS Glue job which reads a file from the S3 bucket and writes to the same bucket in another folder. And this works fine. But when I read from the SAP database and write to S3, it throws the AccessDenied error.

Please advise.

asked 2 months ago, 292 views
2 Answers
1

Did you check whether the service role has access to the KMS key that is being used for S3 bucket object encryption? Also make sure that there is no explicit deny in the KMS key policy. This re:Post Knowledge Center article explains exactly this, and I'm quite sure it would solve the problem.

Comment here if you have additional questions, happy to help.

Abhishek

AWS
EXPERT
answered 2 months ago
0

Hi!

The 403 Access Denied error in S3 when using AWS Glue typically indicates a permissions issue. Let's try to resolve this:

  1. IAM Role Permissions: Ensure the Glue IAM role has s3:PutObject, s3:GetObject, and s3:ListBucket permissions.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::your-bucket-name",
            "arn:aws:s3:::your-bucket-name/*"
          ]
        }
      ]
    }
  2. Bucket Policy: Ensure the S3 bucket policy allows the Glue role to perform the necessary actions.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {"AWS": "arn:aws:iam::your-account-id:role/glue-job-role"},
          "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::your-bucket-name",
            "arn:aws:s3:::your-bucket-name/*"
          ]
        }
      ]
    }
  3. Cross-Account Access: If SAP Hana is in another account, ensure cross-account permissions include the necessary actions.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {"AWS": "arn:aws:iam::other-account-id:role/glue-job-role"},
          "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::your-bucket-name",
            "arn:aws:s3:::your-bucket-name/*"
          ]
        }
      ]
    }
  4. VPC Endpoint: If your Glue job is running in a VPC, ensure that a VPC endpoint for S3 is correctly configured and the endpoint policy allows access.

  5. Testing and Validation:

    • Run a simple Glue job that writes directly to the S3 bucket to ensure the role permissions and bucket policy are correct.
    • Double-check that no deny policies are inadvertently blocking access.

ref.: https://docs.aws.amazon.com/glue/latest/dg/create-an-iam-role.html

ref2.: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

ref3: https://docs.aws.amazon.com/glue/latest/dg/vpc-interface-endpoints.html

ref4: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_rw-bucket.html

answered 2 months ago
EXPERT
reviewed 2 months ago
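Both answers come down to the same two checks: does the Glue role actually hold the KMS permissions an SSE-KMS bucket needs (first answer), and is there an explicit Deny anywhere in the role, bucket or key policies (first answer, and step 5 of the second)? The script below is an added example, not code from either answer or from AWS, that runs those two checks offline against policy JSON you have already pulled down (for instance with `aws iam get-role-policy`, `aws s3api get-bucket-policy` and `aws kms get-key-policy`). The role ARN, bucket name, key ARN and the sample policy documents are all constructed placeholders. It deliberately ignores Condition blocks, NotAction/NotPrincipal, SCPs and permission boundaries, so a conditional Deny is still reported; treat its output as a list of things to look at, not as a full IAM evaluation.

```python
"""Offline check for the two policy causes of a Glue -> S3 AccessDenied on an SSE-KMS bucket:
explicit Deny statements and KMS actions the role was never granted.
Added example; evaluates downloaded policy JSON, needs no AWS access."""
import fnmatch

# Hypothetical placeholders, not identifiers from the question.
GLUE_ROLE_ARN = "arn:aws:iam::111122223333:role/glue-job-role"
BUCKET_ARN = "arn:aws:s3:::your-bucket-name"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"

# What a writer needs on an SSE-KMS bucket: the S3 call plus a data key from KMS.
WRITE_CHECKS = [
    ("s3:PutObject", BUCKET_ARN + "/out/part-0000.parquet"),
    ("kms:GenerateDataKey", KEY_ARN),
    ("kms:Decrypt", KEY_ARN),
]


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(stmt, action):
    # IAM compares action names case-insensitively and allows '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt.get("Action")))


def _resource_matches(stmt, resource):
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource")))


def _principal_matches(stmt, principal_arn):
    """Identity policies carry no Principal; resource policies (bucket, key) must name
    the caller, its account root, or a wildcard for the statement to apply."""
    if "Principal" not in stmt:
        return True
    principal = stmt["Principal"]
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    account_id = principal_arn.split(":")[4]
    return any(p in ("*", principal_arn, account_id, f"arn:aws:iam::{account_id}:root") for p in aws)


def _statements(policies, effect):
    for doc in policies:
        for stmt in _as_list(doc.get("Statement")):
            if stmt.get("Effect") == effect:
                yield stmt


def explicit_denies(policies, principal_arn, checks):
    """(Sid, action) pairs where some policy explicitly denies the principal that action."""
    hits = []
    for action, resource in checks:
        for stmt in _statements(policies, "Deny"):
            if (_principal_matches(stmt, principal_arn)
                    and _action_matches(stmt, action)
                    and _resource_matches(stmt, resource)):
                hits.append((stmt.get("Sid", "<no Sid>"), action))
    return hits


def missing_allows(identity_policies, checks):
    """Actions from `checks` that no Allow statement in the role's own policies grants."""
    return [action for action, resource in checks
            if not any(_action_matches(s, action) and _resource_matches(s, resource)
                       for s in _statements(identity_policies, "Allow"))]


def diagnose(identity_policies, resource_policies, principal_arn=GLUE_ROLE_ARN, checks=WRITE_CHECKS):
    findings = [f"explicit Deny '{sid}' on {action}" for sid, action in
                explicit_denies(identity_policies + resource_policies, principal_arn, checks)]
    findings += [f"role grants no {action}" for action in missing_allows(identity_policies, checks)]
    return findings


# Constructed sample: the role has full S3 access and nothing else, as in the question.
ROLE_S3_ONLY = [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]}]}]

# Constructed sample: the same role after adding the KMS grants the first answer asks about.
ROLE_FIXED = ROLE_S3_ONLY + [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": KEY_ARN}]}]

# Constructed key policy: the usual root delegation plus an explicit Deny aimed at the Glue role.
KEY_POLICY_WITH_DENY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableIAMUserPermissions", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "BlockGlue", "Effect": "Deny",
     "Principal": {"AWS": GLUE_ROLE_ARN}, "Action": "kms:GenerateDataKey*", "Resource": "*"}]}
KEY_POLICY_CLEAN = {"Version": "2012-10-17", "Statement": [KEY_POLICY_WITH_DENY["Statement"][0]]}

if __name__ == "__main__":
    for label, ident, res in [("as in the question", ROLE_S3_ONLY, [KEY_POLICY_WITH_DENY]),
                              ("after the fix", ROLE_FIXED, [KEY_POLICY_CLEAN])]:
        print(label, "->", diagnose(ident, res) or ["no findings"])
```

Run it with the real documents by replacing the constructed samples: put every inline and attached policy of the Glue role in the identity list, and the bucket policy plus the key policy in the resource list. Anything it reports is worth fixing before re-running the job; an empty report only means these two causes are ruled out, since Condition keys such as kms:ViaService, SCPs and the S3 VPC endpoint policy mentioned in the second answer are outside what it evaluates.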