1
votes

I am trying to put a dummy file from Glue, which is in Account B, to an S3 bucket in Account A. The S3 bucket (test-bucket) has AWS-KMS encryption with the aws/s3 managed key enabled.

  1. I added the permissions below to the Account A S3 bucket (test-bucket):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Deny PutObject if NOT using correct KMS Encryption Key",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::test-bucket/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "",
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": "<ARN_KMS_ACCOUNT_A>"
                }
            }
        },
        {
            "Sid": "Allow Glue Role in Application account to put objects in the S3 bucket",
            "Effect": "Allow",
            "Principal": {
                "AWS": "<IAM_Glue_Role_ARN>"
            },
            "Action": [
                "s3:AbortMultipartUpload",
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::test-bucket",
                "arn:aws:s3:::test-bucket/*"
            ]
        },
        {
            "Sid": "Only allow writes to my bucket with bucket owner full control",
            "Effect": "Allow",
            "Principal": {
                "AWS": "<IAM_Glue_Role_ARN>"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::test-bucket/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}
  2. Added the policy below to the IAM Glue role in Account B:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:Get*",
                "s3:List*",
                "s3:Put*"
            ],
            "Resource": "arn:aws:s3:::test-bucket*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "<ARN_KMS_ACCOUNT_A>",
            "Effect": "Allow"
        }
    ]
}

This is my Glue Code:

import boto3

# S3 client for the Glue job's role (credentials come from the job's role)
s3 = boto3.client('s3')

# Write an empty marker object, requesting SSE-KMS with the Account A key
s3.put_object(
    Bucket='output',
    Key='_SUCCESS',
    ServerSideEncryption='aws:kms',
    SSEKMSKeyId='<ARN_KMS_ACCOUNT_A>'
)

Getting the error below while running this code from Account B Glue:

ClientError: An error occurred (KMS.NotFoundException) when calling the PutObject operation: Invalid arn ap-southeast-2

Any thoughts on this?

2
Does this make sense actually? "StringNotEquals": { "s3:x-amz-server-side-encryption": "", - Perimosh
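To see what the first Deny statement in the bucket policy actually blocks (the point the comment raises), here is an added Python example, not from the original post, that evaluates that condition block against constructed requests using IAM's rules for negated operators: a condition key that is absent from the request makes StringNotEquals evaluate true, and the keys inside one operator block are ANDed. It models only the bucket policy's Deny statement, not the KMS key policy or the KMS error from the question.

```python
"""Evaluate the bucket policy's Deny statement against sample PutObject requests.
Constructed example; the key ARN is the placeholder from the question."""

KMS_KEY_A = "<ARN_KMS_ACCOUNT_A>"  # placeholder, not a real key ARN

# Condition block copied from the Deny statement in the bucket policy
DENY_CONDITION = {
    "StringNotEquals": {
        "s3:x-amz-server-side-encryption": "",
        "s3:x-amz-server-side-encryption-aws-kms-key-id": KMS_KEY_A,
    }
}


def string_not_equals(request_value, policy_value):
    """IAM semantics for a negated operator: a key missing from the request
    evaluates to True (there is nothing to be equal to)."""
    if request_value is None:
        return True
    return request_value != policy_value


def deny_applies(request_keys):
    """Keys inside one operator block are ANDed: the Deny only fires when
    every StringNotEquals test holds for the request."""
    tests = DENY_CONDITION["StringNotEquals"]
    return all(
        string_not_equals(request_keys.get(key), value)
        for key, value in tests.items()
    )


# Constructed requests, expressed as the condition keys S3 derives from
# the PutObject encryption headers.
SAMPLE_REQUESTS = {
    "no encryption headers": {},
    "SSE-S3 (AES256)": {"s3:x-amz-server-side-encryption": "AES256"},
    "SSE-KMS with Account A key": {
        "s3:x-amz-server-side-encryption": "aws:kms",
        "s3:x-amz-server-side-encryption-aws-kms-key-id": KMS_KEY_A,
    },
    "SSE-KMS with some other key": {
        "s3:x-amz-server-side-encryption": "aws:kms",
        "s3:x-amz-server-side-encryption-aws-kms-key-id": "<OTHER_KEY_ARN>",
    },
}

if __name__ == "__main__":
    for name, keys in SAMPLE_REQUESTS.items():
        verdict = "DENIED" if deny_applies(keys) else "not denied by this statement"
        print(f"{name:30} -> {verdict}")
```

Only the request that names the Account A key passes this statement; unencrypted, SSE-S3 and other-key requests are all denied, so the condition does what the Sid says even though the empty-string value looks odd.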

2 Answers

0
votes

The AWS managed CMK aws/s3 can only be used in the same account, i.e. where the key exists (in your case, it's Account A). You can either try to use the aws/s3 CMK from Account B OR create a customer managed CMK in Account A and share it with Account B following the steps here.

0
votes

There are a couple of things:

  1. For the policy on the bucket, Deny permissions should always be at the end, after all the Allow permissions. And remove the condition on the Deny permissions. You want to block all traffic that's not authorized.
  2. Use a managed KMS key. And on that key, grant kms:decrypt to the glue role on the key's policy.