
I have a question regarding the DataAccessRoleArn setting in the boto3 start_transcription_job function.

Here is my code below:

    transcribe.start_transcription_job(
        TranscriptionJobName=transcriptname,
        Media={"MediaFileUri": s3_url},
        MediaFormat=file_type,
        OutputBucketName=outputbucket,
        Settings={
            'ShowSpeakerLabels': True,
            'MaxSpeakerLabels': 2
        },
        JobExecutionSettings={
            'AllowDeferredExecution': True,
            'DataAccessRoleArn': 'arn:aws:iam::358110801253:role/service-role/transcribe-role-k5easa7b'
        },
        LanguageCode=language
    )

If I comment out the JobExecutionSettings portion, it works perfectly. But I want to turn on AllowDeferredExecution, so I have to assign a DataAccessRoleArn. The role I assign here has full access to Lambda and S3, but I am still receiving an error like the one below:

[ERROR] ClientError: An error occurred (AccessDeniedException) when calling the StartTranscriptionJob operation: User: arn:aws:sts::358110801253:assumed-role/transcribe-role-k5easa7b/transcribe is not authorized to perform: iam:PassRole on resource: arn:aws:iam::358110801253:role/service-role/transcribe-role-k5easa7b
Traceback (most recent call last):
  File "/var/task/lambda_function.py", line 43, in lambda_handler
    transcribe.start_transcription_job(TranscriptionJobName=transcriptname,
  File "/var/runtime/botocore/client.py", line 316, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/runtime/botocore/client.py", line 626, in _make_api_call
    raise error_class(parsed_response, operation_name)
END RequestId: 88e3bb78-60c1-42e5-a2e1-717918b6f7b9
John Rotenstein
Meng Ge
  • Granting your iam user `iam:PassRole` permission would solve the issue – jellycsc Jul 09 '20 at 17:01
  • The role may have full access to lambda and S3, but have you gone into the bucket and granted access to the iam? – CodeShaman Jul 09 '20 at 19:29
  • @jellycsc, do you know how to grant an iam user iam:PassRole? I cannot find it in any policy – Meng Ge Jul 09 '20 at 20:40
  • @jellycsc this is what I found and used to grant PassRole access: https://docs.aws.amazon.com/iot/latest/developerguide/pass-role.html. After I did that, the error message changed to [ERROR] BadRequestException: An error occurred (BadRequestException) when calling the StartTranscriptionJob operation: The S3 URI that you provided can't be accessed. Make sure that you have read permission and try your request again. (Again, if I comment out JobExecutionSettings, it works, so I don't think it's an S3 URI issue.) – Meng Ge Jul 09 '20 at 21:08

0 Answers
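
Added example, not part of the original thread: the denial quoted in the question names an assumed role as the caller, so the `iam:PassRole` grant belongs on that role. The sketch below parses that message and builds a PassRole statement scoped to the one role, plus the trust policy Transcribe needs to assume it. The helper names are hypothetical, and the `iam:PassedToService` value is an assumption that Transcribe presents as `transcribe.amazonaws.com`.

```python
import json
import re

# AccessDeniedException text copied from the question above.
DENIAL = (
    "User: arn:aws:sts::358110801253:assumed-role/transcribe-role-k5easa7b/transcribe "
    "is not authorized to perform: iam:PassRole on resource: "
    "arn:aws:iam::358110801253:role/service-role/transcribe-role-k5easa7b"
)

_DENIAL_RE = re.compile(
    r"User: arn:aws:sts::\d{12}:assumed-role/(?P<caller_role>[^/]+)/(?P<session>\S+)"
    r" is not authorized to perform: iam:PassRole"
    r" on resource: (?P<passed_role>arn:aws:iam::\d{12}:role/\S+)"
)

def parse_passrole_denial(message):
    """Return who needs iam:PassRole and on which role, or None if no match."""
    m = _DENIAL_RE.search(message)
    if not m:
        return None
    d = m.groupdict()
    # assumed-role ARNs drop the role path, so compare on the bare role name.
    d["self_pass"] = d["passed_role"].rsplit("/", 1)[-1] == d["caller_role"]
    return d

def passrole_policy(passed_role_arn, service="transcribe.amazonaws.com"):
    """Identity policy for the caller: pass only this role, only to one service."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": passed_role_arn,
        # Assumption: Transcribe is identified by this service principal here.
        "Condition": {"StringEquals": {"iam:PassedToService": service}},
    }]}

def trust_policy(service="transcribe.amazonaws.com"):
    """Trust policy the passed role needs so the service can assume it."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": service},
        "Action": "sts:AssumeRole",
    }]}

if __name__ == "__main__":
    denial = parse_passrole_denial(DENIAL)
    print("attach PassRole policy to role:", denial["caller_role"])
    print("role is passing itself:", denial["self_pass"])
    print(json.dumps(passrole_policy(denial["passed_role"]), indent=2))
    print(json.dumps(trust_policy(), indent=2))
```

The passed role also needs read access to the input object and write access to the output bucket, which this sketch does not generate.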