Sagi Mann

Reputation: 3610

botocore.exceptions.ClientError: An error occurred (AccessDeniedException)

I am having trouble submitting an AWS Batch job from within another Batch job:

I'm using a compute environment with the default service AWSBatchServiceRole and the default instance ecsInstanceRole. I've set up a job definition myjobdef with a job role MyJobRole that contains action * on AWS Batch, just for testing. It also has a trust relationship:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ecs-tasks.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

I'm using Python 3.7 and the latest boto3. When calling batch_client.submit_job(...) from my local Docker container with my own credentials, it works. When running the same from within an AWS Batch job with the mentioned roles, I get an exception:

botocore.exceptions.ClientError: An error occurred (AccessDeniedException)
when calling the SubmitJob operation: User: arn:aws:sts::<account_id>:assumed-role/MyJobRole/xxxx-xxxx-xxx-xx is not authorized to perform: batch:SubmitJob on resource: arn:aws:batch:<region>:<account_id>:job-definition/my_job_def

Any ideas how to troubleshoot this?

Upvotes: 1

Views: 4904

Answers (1)

Marcin

Reputation: 238199

Based on the comments, the issue was correctly determined to be caused by missing permissions to execute the batch:SubmitJob action in the batch job role. The action:

Submits an AWS Batch job from a job definition.

Upvotes: 1
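To troubleshoot this kind of denial offline, the sketch below (an added example, not code from the question or the answer) parses the AccessDeniedException text and checks it against a copy of the job role's permissions policy. The account ID, region, session name, both policy documents and the queue name my_queue are constructed placeholders; the second policy also lists a job queue ARN because SubmitJob is authorized against the queue as well as the job definition.

```python
import re

# Constructed sample: the question's error with placeholder account, region and session.
SAMPLE_ERROR = (
    "An error occurred (AccessDeniedException) when calling the SubmitJob operation: "
    "User: arn:aws:sts::111122223333:assumed-role/MyJobRole/abcd-1234 is not authorized "
    "to perform: batch:SubmitJob on resource: "
    "arn:aws:batch:us-east-1:111122223333:job-definition/my_job_def"
)
# Constructed policies: the page does not show MyJobRole's real policy document.
POLICY_BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["batch:Describe*", "batch:List*"], "Resource": "*"}]}
POLICY_AFTER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "batch:SubmitJob", "Resource": [
        "arn:aws:batch:us-east-1:111122223333:job-definition/my_job_def*",
        "arn:aws:batch:us-east-1:111122223333:job-queue/my_queue"]}]}

DENIED = re.compile(r"User: (?P<principal>\S+) is not authorized to perform: "
                    r"(?P<action>\S+) on resource: (?P<resource>\S+)")

def parse_denial(message):
    """Extract principal, role name, action and resource from an AccessDenied message."""
    m = DENIED.search(message)
    if m is None:
        return None
    d = m.groupdict()
    role = re.search(r":assumed-role/([^/]+)/", d["principal"])
    d["role"] = role.group(1) if role else None
    return d

def _wild(pattern, value, flags=0):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one character.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, flags) is not None

def _listify(v):
    return v if isinstance(v, list) else [v]

def allows(policy, action, resource):
    """Simplified: explicit Deny wins, else any matching Allow (no Condition, NotAction, SCPs)."""
    allowed = False
    for st in _listify(policy["Statement"]):
        # Action names match case-insensitively; resource ARNs are case-sensitive.
        hit = (any(_wild(a, action, re.I) for a in _listify(st.get("Action", [])))
               and any(_wild(r, resource) for r in _listify(st.get("Resource", []))))
        if hit and st["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and st["Effect"] == "Allow")
    return allowed
```

Feed parse_denial() the exception text from the failing job, then pass the extracted action and resource to allows() together with the policy JSON attached to the role named in the error.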
