7

I am running a Lambda which will automatically trigger a Comprehend job through the use of boto3.

However, for some reason my IAM is not working! I have the following permissions on my role for this job:

  • IAMFullAccess
  • AmazonS3FullAccess
  • ComprehendFullAccess
  • AWSLambdaExecute

But, when the job is created in Comprehend, it instantly fails with the following error message:

NO_WRITE_ACCESS_TO_OUTPUT: The provided data access role does not have write access to the output S3 URI.

Any ideas on how to fix this? I have given the role full S3 permission?

John Rotenstein
Owen Murray
  • Can you check if the role attached to comprehend has the required permissions? Ref: https://docs.aws.amazon.com/comprehend/latest/dg/access-control-managing-permissions.html#auth-role-permissions – Hassan Murtaza Oct 21 '19 at 12:20
  • @HassanMurtaza I have edited and even created a new role with full access to read, write and list content from S3 bucket and still have the issue. – Owen Murray Oct 21 '19 at 13:25
  • Are you sure the S3 bucket and Comprehend are working in the same region? – Nghia Do Feb 16 '21 at 02:52

2 Answers

1

Can you check your role's trust policy and see if Comprehend is trusted?

An example trust policy from here - https://docs.aws.amazon.com/comprehend/latest/dg/access-control-managing-permissions.html

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "comprehend.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Schleir
0

All IAM API calls are asynchronous. So, if you are creating roles and policies via boto3 and immediately assuming them and running Comprehend, they might not work. You can either wait by sleeping for a few seconds or have a retry mechanism. That's how I solved this issue.

AmritK10
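The two answers above combined into one check, as an added example that is not code from either answerer: `trusts_comprehend` tests whether a role's trust policy lets `comprehend.amazonaws.com` call `sts:AssumeRole`, and `retry_until` is a bounded backoff for a role that was created moments before the job is started. Both function names and the sample policies are hypothetical; in practice the trust policy is the `AssumeRolePolicyDocument` returned by boto3's `iam.get_role`.

```python
import time

COMPREHEND = "comprehend.amazonaws.com"

def _as_list(value):
    # IAM policy fields may hold a single string or a list of strings.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def trusts_comprehend(trust_policy):
    """True if an Allow statement lets the Comprehend service assume the role.
    Condition blocks are ignored (assumption made for this example)."""
    for stmt in _as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        services = [s.lower() for s in _as_list(principal.get("Service"))]
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if COMPREHEND in services and {"sts:assumerole", "sts:*", "*"} & set(actions):
            return True
    return False

def retry_until(check, attempts=5, base_delay=1.0, sleep=time.sleep):
    """Call check() until it returns True, doubling the wait each time, so a
    role or policy created moments ago has time to propagate."""
    for attempt in range(attempts):
        if check():
            return True
        if attempt < attempts - 1:
            sleep(base_delay * 2 ** attempt)
    return False

def _trust(service):
    # Builds a constructed sample trust policy for one service principal.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": service},
        "Action": "sts:AssumeRole"}]}

LAMBDA_ONLY_TRUST = _trust("lambda.amazonaws.com")  # Comprehend cannot assume this role
COMPREHEND_TRUST = _trust(COMPREHEND)               # same shape as the policy in the answer

if __name__ == "__main__":
    print(trusts_comprehend(LAMBDA_ONLY_TRUST), trusts_comprehend(COMPREHEND_TRUST))
```

A role that only trusts `lambda.amazonaws.com` fails this check no matter how many S3 permissions are attached to it, because Comprehend can never assume the role to use them.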