
AccessDenied error from CreateBucket Permissions for pandas to_csv to S3

I have a script running on an EC2 box that finishes by running pd.to_csv('s3://<my_bucket_name>/<file_path>').

Run locally with my AWS admin credentials, this script runs fine and deposits the csv into the right bucket.

My S3 permissions for the EC2 instance are copied and pasted out of AWS' documentation: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_rw-bucket.html

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListObjectsInBucket",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::<my_bucket_name>"]
        },
        {
            "Sid": "AllObjectActions",
            "Effect": "Allow",
            "Action": "s3:*Object*",
            "Resource": ["arn:aws:s3:::<my_bucket_name>/*"]
        }
    ]
}

When run on the EC2 instance, my error is botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the CreateBucket operation: Access Denied.

I don't understand why pandas/s3fs is trying to create a bucket when mine already does exist. Suggestions elsewhere were to just provide s3:* access to EC2, but I'd prefer to be a little more restrictive than no restrictions.

Any thoughts on how to resolve this?

Turns out this was more of an issue with the AWS Batch role that was running the EC2 instance. The write permissions are good enough to write to S3 without bucket listing privileges. The AccessDenied error was a red herring at the more general error that no privileges were being passed to the instance.

A quick look at the Pandas codebase didn't show me anything concrete, but my guess would be that it's checking to see if the bucket exists before listing/updating the objects and failing because it doesn't have the s3:ListAllMyBuckets permission.

You could confirm or deny this theory by giving your role that action (in its own statement), which would hopefully avoid having to give s3:* to it.
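To see which of the S3 calls named in this thread the policy from the question actually covers, before widening it to s3:*, here is an added example (not part of the original posts and not AWS's own evaluation code). It is a simplified evaluator for a single identity policy; the bucket name my-bucket and the object key are constructed stand-ins, and Condition, NotAction, NotResource, bucket policies and permission boundaries are not modelled.

```python
import re

# Policy from the question; "my-bucket" is a constructed stand-in for <my_bucket_name>.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListObjectsInBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::my-bucket"]},
        {"Sid": "AllObjectActions", "Effect": "Allow",
         "Action": "s3:*Object*",
         "Resource": ["arn:aws:s3:::my-bucket/*"]},
    ],
}

# Calls discussed in the thread, with a constructed object key.
CALLS = [
    ("s3:PutObject", "arn:aws:s3:::my-bucket/out/report.csv"),
    ("s3:ListBucket", "arn:aws:s3:::my-bucket"),
    ("s3:CreateBucket", "arn:aws:s3:::my-bucket"),
    ("s3:ListAllMyBuckets", "*"),
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild(pattern, value, flags=0):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, flags) is not None

def evaluate(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one identity policy."""
    decision = "ImplicitDeny"  # nothing matched: denied by default
    for st in policy["Statement"]:
        # Action names are case-insensitive; ARNs are matched case-sensitively.
        if not any(_wild(a, action, re.IGNORECASE) for a in _as_list(st["Action"])):
            continue
        if not any(_wild(r, resource) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return "Deny"      # an explicit Deny always wins
        decision = "Allow"
    return decision

def report(policy=POLICY, calls=CALLS):
    return {action: evaluate(policy, action, res) for action, res in calls}

if __name__ == "__main__":
    for action, decision in report().items():
        print(f"{action:22} {decision}")
```

This only evaluates the policy document; it says nothing about whether the instance is actually receiving the role's credentials, which is what the first answer found to be the real problem.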
