2

I am trying to create a crawler in AWS Glue, but it gives an error: `{"service":"AWSGlue","statusCode":400,"errorCode":"AccessDeniedException","requestId":"<requestId>","errorMessage":"Account <accountId> is denied access.","type":"AwsServiceError"}`.

This is what I've done so far:

  1. Create a database in AWS Glue
  2. Add tables in the database using a crawler
  3. Name the crawler
  4. Choose Amazon S3 as the data store and specify a path to a CSV file inside a bucket in my account
  5. Choose an existing IAM role I've created before
  6. Choose a database I've created before
  7. Press finish.

When I press finish, the above error occurs.

I have granted AdministratorAccess to both the IAM user and the role used to create the crawler, so I assume there are no permission issues. The bucket used is not encrypted and is located in the same region as AWS Glue.

I have also tried creating another database and specifying a path to a different CSV file, but it did not solve the problem.

Any help would be much appreciated. Thanks.

Prawira
  • Is this your own account, or part of some AWS Organization? – Marcin Aug 02 '22 at 05:08
  • It is not my account, the account's root user is owned by an organization, but the root user gives me the access to modify the IAM users, roles, and policies, so that I can grant "AdministratorAccess" as I stated in my question. – Prawira Aug 02 '22 at 05:17
  • AWS Organization can overwrite any `AdministratorAccess` using SCPs. It's possible that some SCPs deny you access. You have to discuss this with whoever administers your AWS Org. – Marcin Aug 02 '22 at 05:44
  • Thanks @Marcin for your suggestions. I will try to contact the owner (the root user) of this account. – Prawira Aug 02 '22 at 08:56
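
Added example, not part of the original thread: a simplified offline model of the behaviour Marcin's comment describes, where an SCP takes precedence over `AdministratorAccess`. The policy documents and function names are constructed for illustration, each `scp_levels` entry stands for the combined SCPs at one level of the organization, and `Resource`, `Condition` and `NotAction` are ignored.

```python
from fnmatch import fnmatchcase

# Constructed sample policies (not taken from the asker's account).
ADMINISTRATOR_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCP_DENY_GLUE = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "glue:*", "Resource": "*"},
]}
SCP_ALLOW_LIST = {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "iam:*"], "Resource": "*"}]}


def _matches(statement, action):
    """True if the statement's Action patterns cover the requested action."""
    patterns = statement["Action"]
    if isinstance(patterns, str):
        patterns = [patterns]
    # IAM action names are case-insensitive; '*' and '?' are wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _verdict(policy, action):
    """Return 'deny' (explicit), 'allow', or 'none' (no statement matched)."""
    effects = {s["Effect"] for s in policy["Statement"] if _matches(s, action)}
    if "Deny" in effects:
        return "deny"
    return "allow" if "Allow" in effects else "none"


def evaluate(action, identity_policies, scp_levels):
    """Simplified evaluation: an explicit deny anywhere wins, then every
    SCP level must allow the action, then an identity policy must allow it."""
    id_verdicts = [_verdict(p, action) for p in identity_policies]
    scp_verdicts = [_verdict(p, action) for p in scp_levels]
    if "deny" in id_verdicts + scp_verdicts:
        return "explicit deny"
    # SCPs only filter permissions: an action no level allows is unavailable.
    if any(v != "allow" for v in scp_verdicts):
        return "implicit deny (SCP)"
    return "allow" if "allow" in id_verdicts else "implicit deny (identity)"


if __name__ == "__main__":
    for scps in ([], [SCP_DENY_GLUE], [SCP_ALLOW_LIST]):
        print(evaluate("glue:CreateCrawler", [ADMINISTRATOR_ACCESS], scps))
```
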

2 Answers

1

I have contacted the owner (the root user) of this account and the owner asked AWS Premium Support for help. AWS Premium Support told us that all the required permissions to create an AWS Glue Crawler are already provided and that there are no SCPs attached to the account. After waiting around 7 working days, I can finally create an AWS Glue Crawler without any errors.

Unfortunately, I don't have any further information on how AWS Premium Support solved the issue. For those of you who encounter similar errors, just try to contact the owner of the account, because most likely the issue is out of your control. Hope this helps in the future. Thanks.

Prawira
  • +1 to the above. Even if you are facing the issue while using admin permissions, it is highly likely there are restrictions (e.g. "minimal usage") at the account level. If you are the root user, you do not even need to have premium support with AWS; you can create a ticket in the Account & Billing category and ask support to check if this is the case and if they can allow you to create a couple of jobs in a specific region. Be prepared for it to take 1-2 weeks. – aek Dec 01 '22 at 08:47
0

After a lot of research, I found this is a permission issue with the Amazon S3 service in IAM. Give permission for S3Services in the IAM role.

Deepu
  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Mar 21 '23 at 02:16