How do I troubleshoot the "User/IAM role X is not authorized to perform Y on resource Z" error in AWS Glue?


My AWS Glue job fails with a lack of AWS Identity and Access Management (IAM) permissions error even though I have the required permissions configured.

Resolution

In AWS Glue, an action can fail with a lack-of-permissions error for the following reasons:

  • The IAM user or role that you're using doesn't have the required permissions.
  • The IAM user is part of an organization in AWS Organizations that has a service control policy (SCP) in place that restricts specific actions.
  • The subnet used has a virtual private cloud (VPC) endpoint with a policy that allows or denies some actions.

The IAM user or role being used doesn't have the required permissions

See this example of a lack of permissions error:

"Failed to create job gluestudio-service.us-east-1.amazonaws.com] with exception "errorMessage":"User: arn:aws:sts::<AccountID>:assumed-role/<ConsoleAssumedRole>/<user> is not authorized to perform: iam:PassRole on resource: arn:aws:iam::<AccountID>:role/<GlueRoleName>"

You can break this error down into three factors:

  • The user/IAM role calling the action - arn:aws:sts::<AccountID>:assumed-role/<ConsoleAssumedRole>/<user>
  • The action - iam:PassRole
  • The resource that the action is being performed on - arn:aws:iam::<AccountID>:role/<GlueRoleName>

Check that the user or IAM role being used has the required action on the resource.

1.    Open the IAM console.

2.    Search for the user or IAM role you're using, and check the policies attached to it. In the previous example, the caller is arn:aws:sts::<AccountID>:assumed-role/<ConsoleAssumedRole>/<user>.

3.    Add an inline policy similar to the following that allows the required action on the resource:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FirstStatement",
      "Effect": "Allow",
      "Action": ["<Action>"],
      "Resource": "<ARN of resource>"
    }
  ]
}

Note: Replace Action and ARN of resource in this example with the specific action and resource that you previously identified from the error message.

Using the previous example, your policy looks similar to this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PassRolePermissions",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws:iam::<AccountID>:role/<GlueRoleName>"
      ],
      "Condition": {
        "StringLike": {
          "iam:PassedToService": [
            "glue.amazonaws.com"
          ]
        }
      }
    }
  ]
}

An organization's SCP is preventing an action on the resource

You might receive an error similar to the following:

"createJob: AccessDeniedException: User: arn:aws:sts::111111111111111:assumed-role/xxxxxxxxxx is not authorized to perform: glue:CreateJob on resource: arn:aws:glue:region:22222222222222:job/glue-job with an explicit deny in a service control policy"

This error is thrown because your IAM user is part of an organization that has SCPs in place. The SCP is preventing you from performing specific actions. To check the permissions associated with your SCP, follow these steps:

1.    Open the IAM console.

2.    Choose Organization Activity, and then choose the Attached SCP tab.

3.    Review the SCPs attached to your IAM user. Make sure that you have the permissions that you need to complete the desired action on the resource you're using.

The subnet used has a VPC endpoint with a policy that allows or denies some actions

You might receive an error similar to the following:

"User: arn:aws:sts::1111111111:assumed-role/xxxxxxxxx/yyyyyyyyyyy is not authorized to perform: glue:CreateJob because no VPC endpoint policy allows the glue:CreateJob action (Service: Glue, Status Code: 400, Request ID:111111111111111)"

To resolve this issue, follow these steps:

1.    Open the Amazon Virtual Private Cloud (Amazon VPC) console.

2.    Choose Endpoints, and then choose the VPC endpoint attached to the subnet you're using to complete your action.

3.    Under Actions, choose Manage Policy.

4.    Update the VPC endpoint policy with the desired action on the required resource.

In this example, you update the VPC endpoint policy to add the glue:CreateJob action:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Principal": "*",
      "Effect": "Allow",
      "Action": [
        "glue:CreateJob"
      ],
      "Resource": "*"
    }
  ]
}
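The breakdown described above (caller, action, resource) can be automated. The following is an added example, not code from the article: it parses the three kinds of "is not authorized to perform" message quoted on this page, classifies whether the denial comes from the identity policy, an SCP, or a VPC endpoint policy, and for the identity-policy case emits the inline policy shown earlier. The sample message, account ID, role name and function names are constructed for illustration.

```python
import json
import re

# Shape of the "is not authorized to perform" messages quoted in this article.
# The "on resource" clause is absent in the VPC endpoint variant, so it is optional.
_DENIED = re.compile(
    r"User: (?P<principal>arn:aws:\S+) is not authorized to perform: "
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+)"
    r"(?: on resource: (?P<resource>arn:[^\s\"]+))?"
    r"(?P<reason>.*)"
)

def parse_access_denied(message):
    """Split an AccessDenied message into principal, action, resource and likely cause."""
    m = _DENIED.search(message)
    if m is None:
        return None
    reason = m.group("reason")
    if "service control policy" in reason:
        cause = "scp"           # fix belongs in AWS Organizations, not on the IAM role
    elif "VPC endpoint policy" in reason:
        cause = "vpc_endpoint"  # fix belongs on the endpoint attached to the subnet
    else:
        cause = "identity"      # add the action to the caller's IAM policy
    return {"principal": m.group("principal"), "action": m.group("action"),
            "resource": m.group("resource"), "cause": cause}

def build_identity_policy(parsed, sid="FixFromErrorMessage"):
    """Build the inline policy the article describes for an identity-policy denial."""
    if parsed["cause"] != "identity":
        raise ValueError("an identity policy will not fix a %s denial" % parsed["cause"])
    statement = {"Sid": sid, "Effect": "Allow",
                 "Action": [parsed["action"]], "Resource": [parsed["resource"] or "*"]}
    if parsed["action"] == "iam:PassRole":
        # Scope PassRole to the Glue service, as in the article's example policy.
        statement["Condition"] = {"StringLike": {"iam:PassedToService": ["glue.amazonaws.com"]}}
    return {"Version": "2012-10-17", "Statement": [statement]}

# Constructed sample, modelled on the first error in the article (account ID is made up).
SAMPLE = ("User: arn:aws:sts::111122223333:assumed-role/ConsoleRole/alice is not authorized "
          "to perform: iam:PassRole on resource: arn:aws:iam::111122223333:role/GlueJobRole")

if __name__ == "__main__":
    print(json.dumps(build_identity_policy(parse_access_denied(SAMPLE)), indent=2))
```

The generated policy is a starting point to attach to the caller identified in the message; a denial classified as scp or vpc_endpoint must be fixed in the SCP or endpoint policy instead.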

Related information

Create an IAM role for AWS Glue

AWS OFFICIAL
Updated a year ago