2

I'm playing around with the command line to run some sentiment analysis through aws and am running into some IAM issues. When running the "detect_dominant_language" function, I'm hitting NotAuthorizedExceptions despite having the policy in place to allow for all comprehend functions. The policy for the account is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "comprehend:*",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "iam:ListRoles",
                "iam:GetRole"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Any ideas of where I might be going wrong with this? I've triple-checked my access key to make sure that I'm referring to the correct account. When I check the policy, it's there so I'm a little bit at a loss as to the disconnect. S3 seems to be working fine as well.

Steps already taken:

  1. Resetting access key/secret access key.
  2. Creating iam policy which explicitly refers to the needed functionality and attaching it to the "Admin" user.
  3. Calling this method from the CLI (get the same error).

Below, I've included additional information that may be helpful...

Code to check iam policies:

iam = boto3.client('iam',
                   aws_access_key_id = '*********************',
                   aws_secret_access_key = '*************************************')

iam.list_attached_user_policies(UserName="Admin")

Output:

{'AttachedPolicies': [{'PolicyName': 'ComprehendFullAccess',
   'PolicyArn': 'arn:aws:iam::aws:policy/ComprehendFullAccess'},
  {'PolicyName': 'AdministratorAccess',
   'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'},
  {'PolicyName': 'Comprehend-Limitied',
   'PolicyArn': 'arn:aws:iam::401311205158:policy/Comprehend-Limitied'}],
 'IsTruncated': False,
 'ResponseMetadata': {'RequestId': '9094d8ff-1730-44b8-af0f-9222a63b32e9',
  'HTTPStatusCode': 200,
  'HTTPHeaders': {'x-amzn-requestid': '9094d8ff-1730-44b8-af0f-9222a63b32e9',
   'content-type': 'text/xml',
   'content-length': '871',
   'date': 'Thu, 20 Jan 2022 21:48:11 GMT'},
  'RetryAttempts': 0}}

Code to trigger error:

comprehend = boto3.client('comprehend',
                   aws_access_key_id = '*********************',
                   aws_secret_access_key = '********************************')

test_language_string = "This is a test string. I'm hoping that AWS Comprehend can interprete this as english..."

comprehend.detect_dominant_language(Text=test_language_string)

Output:

ClientError: An error occurred (NotAuthorizedException) when calling the DetectDominantLanguage operation: Your account is not authorized to make this call.
Okeefe Niemann
  • 91
  • 4
  • 1
    Your code runs fine for me. I wonder why it says "Your account is not authorized" -- I wonder if this is an account-related issue? Is your AWS Account part of an AWS Organizations hierarchy? – John Rotenstein Jan 21 '22 at 00:02
  • 1
    Code runs fine for me as well. Are you able to invoke any other Comprehend methods? What version of the CLI are you using? – Tyler Jan 21 '22 at 00:36

2 Answers2

2

I encountered the same error and I end up creating a new user group and a user for that particular API access. Here're the steps in a nutshell:

  • Create a user group (e.g. Research)

  • Give access to ComprehendFullAccess

  • Create a user (e.g. ComprehendUser) under the newly created user group (i.e. Research)

  • Bingo! It should work now.

How to access Amazon AWS Comprehend from btot3

Here is my code snippet:

# import packages
import boto3

# aws access credentials
AWS_ACCESS_KEY_ID = 'your-access-key'
AWS_SECRET_ACCESS_KEY = 'your-secret-key'

comprehend = boto3.client('comprehend',
                          aws_access_key_id=AWS_ACCESS_KEY_ID,
                          aws_secret_access_key=AWS_SECRET_ACCESS_KEY,
                          region_name='us-east-1')

test_language_string = "This is a test string. I'm hoping that AWS Comprehend can interprete this as english..."
comprehend.detect_dominant_language(Text=test_language_string)

Expected Output

{'Languages': [{'LanguageCode': 'en', 'Score': 0.9753355979919434}],
 'ResponseMetadata': {'RequestId': 'd2ab429f-6ff7-4f9b-9ec2-dbf494ebf20a',
  'HTTPStatusCode': 200,
  'HTTPHeaders': {'x-amzn-requestid': 'd2ab429f-6ff7-4f9b-9ec2-dbf494ebf20a',
   'content-type': 'application/x-amz-json-1.1',
   'content-length': '64',
   'date': 'Mon, 07 Feb 2022 16:31:36 GMT'},
  'RetryAttempts': 0}}
Abu Shoeb
  • 4,747
  • 2
  • 40
  • 45
0

UPDATE: Thanks for all the feedback y'all! It turns out us-west-1 doesn't support comprehend. Switching to a different availability zone did the trick, so I would recommend anyone with similar problems try different zones before digging too deep into permissions//access keys.

Okeefe Niemann
  • 91
  • 4
  • 1
    I see! Whenever I try any of the AWS services, the first thing I do is to select the us-east-1 to reduce one issue from the list :-P – Abu Shoeb Feb 08 '22 at 15:47
  • 1
    I've noticed this trend recently where I want to get incredibly deep into solving an issue without checking what I think is completely obvious. It's a great opportunity to dig deep into the concepts, but that can't be every technical issue I run into! – Okeefe Niemann Feb 16 '22 at 16:56