5

Every time I run the command

aws rekognition detect-labels --image "S3Object={Bucket=BucketName,Name=picture.jpg}" --region us-east-1

I get this error.

InvalidS3ObjectException: An error occurred (InvalidS3ObjectException) when calling the DetectLabels operation: Unable to get image metadata from S3.  Check object key, region and/or access permissions.

I am trying to retrieve labels for a project I am working on but I can't seem to get past this step. I configured aws with my access key, secret key, us-east-1 region, and json as my output format.

I have also tried the code below and I receive the exact same error (I correctly replaced BucketName with the name of my bucket).

import boto3

BUCKET = "BucketName"
KEY = "picture.jpg"

def detect_labels(bucket, key, max_labels=10, min_confidence=90, region="eu-west-1"):
    rekognition = boto3.client("rekognition", region)
    response = rekognition.detect_labels(
        Image={
            "S3Object": {
                "Bucket": bucket,
                "Name": key,
            }
        },
        MaxLabels=max_labels,
        MinConfidence=min_confidence,
    )
    return response['Labels']


for label in detect_labels(BUCKET, KEY):
    print("{Name} - {Confidence}%".format(**label))

I am able to see on my user account that it is calling Rekognition. Image showing it being called from IAM.

It seems like the issue is somewhere with my S3 bucket but I haven't found out what.

Rjbeckwith
  • It is apparent from the error that your request is reaching Rekognition, which can't access the object in the bucket. Rekognition will not make a cross-region request to S3 -- the bucket must be in the same region where you're invoking Rekognition. http://docs.aws.amazon.com/rekognition/latest/dg/API_S3Object.html – Michael - sqlbot Jun 14 '17 at 13:10
  • @michael-sqlbot My bucket was in US east Ohio but the URL was saying us-east-1 so I thought it was in the Virginia one. I fixed it. It works now, thank you very much. – Rjbeckwith Jun 14 '17 at 19:47
  • I'm facing the same issue, but nowadays AWS doesn't specify bucket regions, as it's beyond our control. What to do? – Aakash Basu Jan 03 '20 at 11:40

3 Answers

5

Region of S3 and Rekognition should be the same for stability reasons.

More info: https://forums.aws.amazon.com/thread.jspa?threadID=243999

Satish Gadhave
0

Kindly check your IAM role policies/permissions. Also check the same for the role created for the Lambda function. It's better to verify the policy using IAM Policy Checker.

I am facing a similar issue. This might be due to the permissions and policy attached to the IAM roles and to the S3 bucket. The metadata for the objects in the S3 bucket needs to be checked as well.

My S3 bucket Policy:

{
    "Version": "2012-10-17",
    "Id": "Policy1547200240036",
    "Statement": [
        {
            "Sid": "Stmt1547200205482",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::459983601504:user/veral"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::esp32-rekognition-459983601504/*"
        }
    ]
}

Cross-origin resource sharing (CORS):

[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "PUT",
            "POST",
            "GET",
            "DELETE"
        ],
        "AllowedOrigins": [
            "*"
        ],
        "ExposeHeaders": []
    }
]
0

If you use server-side encryption for the bucket via KMS, remember to also give the IAM role access to decrypt using KMS.

david saji
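Added example, not part of the question or any answer above: a pre-flight check that tests the three causes raised on this page (bucket region differs from the Rekognition region, missing S3 permissions, SSE-KMS object) before calling DetectLabels. The helper names `normalize_region` and `check_s3_object` are hypothetical; the code assumes the S3 calls use the same credentials as the Rekognition call and that boto3 is installed when run as a script.

```python
# Added example: diagnose Rekognition's InvalidS3ObjectException up front.
# Helper names are hypothetical; `s3` is a boto3 S3 client (or a stand-in).

def normalize_region(location_constraint):
    """Map GetBucketLocation's LocationConstraint to a region name."""
    # S3 reports us-east-1 as null and, for legacy buckets, eu-west-1 as "EU".
    legacy = {None: "us-east-1", "": "us-east-1", "EU": "eu-west-1"}
    return legacy.get(location_constraint, location_constraint)


def _error_code(exc):
    # botocore's ClientError carries the service error in exc.response.
    return getattr(exc, "response", {}).get("Error", {}).get("Code", type(exc).__name__)


def check_s3_object(s3, bucket, key, rekognition_region):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    try:
        loc = s3.get_bucket_location(Bucket=bucket).get("LocationConstraint")
        bucket_region = normalize_region(loc)
        if bucket_region != rekognition_region:
            findings.append(f"region mismatch: bucket is in {bucket_region}, "
                            f"Rekognition call uses {rekognition_region}")
    except Exception as exc:
        findings.append(f"cannot read bucket location ({_error_code(exc)})")
    try:
        head = s3.head_object(Bucket=bucket, Key=key)
    except Exception as exc:
        code = _error_code(exc)  # HEAD errors surface as the HTTP status code
        hints = {"403": "access denied: check s3:GetObject (a missing key also "
                        "returns 403 without s3:ListBucket)",
                 "404": "object key not found"}
        findings.append(f"HeadObject failed: {hints.get(code, code)}")
        return findings
    if head.get("ServerSideEncryption") == "aws:kms":
        findings.append("object uses SSE-KMS with key "
                        f"{head.get('SSEKMSKeyId', '<unknown>')}: caller also needs kms:Decrypt")
    return findings


if __name__ == "__main__":
    import sys
    import boto3  # uses the credentials configured for the AWS CLI
    bucket, key, region = sys.argv[1:4]
    results = check_s3_object(boto3.client("s3"), bucket, key, region)
    for line in results or ["no problem detected"]:
        print(line)
```

Run it as a script with the bucket name, object key and the region passed to Rekognition as its three arguments.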