TechQA.

AWS Glue S3 VPC Endpoint Policy Issue

2.5k views Asked by At

When I create an S3 VPC endpoint for AWS Glue service to unload data from a redshift cluster, the ETL job only works when the VPC endpoint policy is set to "full access".

i.e

 {
    "Statement": [
        {
            "Action": "*",
            "Effect": "Allow",
            "Resource": "*",
            "Principal": "*"
        }
    ]
}

It does not work when the policy is set to "custom" and modified as below.

{
    "Statement": [
        {
            "Action": "*",
            "Effect": "Allow",
            "Resource": ["arn:aws:s3:::examplebucket",
                   "arn:aws:s3:::examplebucket/*"],
            "Principal": "*"
        }
    ]
}

In ETL job I have specified examplebucket as the location to save the ETL script and the temporary files, so I find it difficult to understand why the ETL job fails only when the policy is set to Custom. Does Glue try to access another S3 resource other than the specified bucket in job?

amazon-web-services amazon-s3 amazon-ec2 aws-glue
Original Q&A
1

There are 1 answers

0
AravindR On

Glue jobs also need the following: 1. Temporary directory in S3. 2. Location in S3 to store the generated python script.

For example, if the script location is not specified; glue automatically picks the following location "s3://aws-glue-scripts-YourAccountId-us-east-1/"

Make sure your IAM role policies reflect the s3 locations that you picked as well.

Related Questions in AMAZON-WEB-SERVICES

Related Questions in AMAZON-S3

Related Questions in AMAZON-EC2

Related Questions in AWS-GLUE

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions