1

I am trying to run AWS Translate job on Batch data stored in S3 with the following python code

role_arn='arn:aws:iam::<account-id>:role/service-role/AmazonTranslateServiceRoleS3FullAccess-ExploreML'
inp_data_path='s3://exploring-ml/aws-translate/assets/input/'
opt_data_path='s3://exploring-ml/aws-translate/assets/output/'

response = translate_client.start_text_translation_job(
    JobName='string',
    InputDataConfig={
        'S3Uri': inp_data_path,
        'ContentType': 'text/plain'
    },
    OutputDataConfig={
        'S3Uri': opt_data_path
    },
    DataAccessRoleArn=role_arn,
    SourceLanguageCode='zh',
    TargetLanguageCodes=[
        'en'
    ]
)

I can confirm that role has full S3 access, However, when executing above code, I get following error

---------------------------------------------------------------------------
InvalidRequestException                   Traceback (most recent call last)
<ipython-input-11-2bf8de09e0fe> in <module>
     11     SourceLanguageCode='zh',
     12     TargetLanguageCodes=[
---> 13         'en'
     14     ]
     15 )

~/.local/share/virtualenvs/exploring-ml-tools-zug9J9gH/lib/python3.6/site-packages/botocore/client.py in _api_call(self, *args, **kwargs)
    314                     "%s() only accepts keyword arguments." % py_operation_name)
    315             # The "self" in this scope is referring to the BaseClient.
--> 316             return self._make_api_call(operation_name, kwargs)
    317 
    318         _api_call.__name__ = str(py_operation_name)

~/.local/share/virtualenvs/exploring-ml-tools-zug9J9gH/lib/python3.6/site-packages/botocore/client.py in _make_api_call(self, operation_name, api_params)
    633             error_code = parsed_response.get("Error", {}).get("Code")
    634             error_class = self.exceptions.from_code(error_code)
--> 635             raise error_class(parsed_response, operation_name)
    636         else:
    637             return parsed_response

InvalidRequestException: An error occurred (InvalidRequestException) when calling the StartTextTranslationJob operation: NO_READ_ACCESS_TO_S3: The provided data access role does not have proper access to the input/output S3 URI.

Any pointer if I am missing anything. Also for clarification, this is running in Ireland where the service is available.

John Rotenstein
  • 241,921
  • 22
  • 380
  • 470
bhavin tandel
  • 65
  • 10
  • Please edit your question to show the contents of `inp_data_path`. (Feel free to change your bucket name.) It is possible that you are providing the wrong format. – John Rotenstein Jun 23 '20 at 21:51
  • I have added the bucket name in the code. Also just for clarifying, role has s3:* access on all resources "*" – bhavin tandel Jun 24 '20 at 11:33
  • Strange... I tried your code in the Sydney region and got an error that `Your account is not authorized to make this call`. I then did it in Ohio and got `Translate get AccessDenied exception when assume the IAM Role`. How did you configure the Trust Policy in the IAM Role? – John Rotenstein Jun 24 '20 at 12:16
  • My role is in same region and it trusts translate like { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "translate.amazonaws.com" }, "Action": "sts:AssumeRole" } ] } – bhavin tandel Jun 24 '20 at 12:30

1 Answers1

1

I tried to reproduce this situation and received:

botocore.errorfactory.InvalidRequestException: An error occurred (InvalidRequestException) when calling the StartTextTranslationJob operation: OUTPUT_S3_URI_INVALID: The provided output S3 URI is invalid or does not exist.

I then changed my output to point purely to the bucket (with no sub-directory) and it worked!

I then copied a file to a sub-directory (eg aws cp foo.txt s3://my-bucket/aws-translate/assets/output/) and re-ran the program and it worked!

Bottom line: Make sure that the output directory already exists (either by putting a file in that path, or using "Create Folder" in the S3 management console to create the output directory).

For the record, my IAM Role had the AmazonS3FullAccess policy and a trust policy of:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "translate.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
John Rotenstein
  • 241,921
  • 22
  • 380
  • 470
  • I tried your fix but it didn't work fo me. I tried with new empty bucket as well as by creating empty folder but I get same error. – bhavin tandel Jun 25 '20 at 15:24