Reputation: 11
I am currently using AWS Lambda to trigger an async Amazon Comprehend job. The data I am using is stored in an input folder in an S3 bucket, and I am trying to output the file in that same bucket, in an output folder. The roles I have for this job are "ComprehendFullAccess" and "AWSLambdaExecute", and this is the code.
import boto3

def lambda_handler(event, context):
    s3 = boto3.client("s3")
    bucket = "bucketName"
    key = "input/inputTextFile.txt"
    text = s3.get_object(Bucket=bucket, Key=key)
    # Read but never used: the async job reads the object from S3 itself via DataAccessRoleArn
    review = str(text['Body'].read())
    client = boto3.client('comprehend')
    response = client.start_sentiment_detection_job(
        InputDataConfig={
            'S3Uri': 's3://bucketName/input/inputTextFile.txt',
            'InputFormat': 'ONE_DOC_PER_LINE',
            'DocumentReaderConfig': {
                'DocumentReadAction': 'TEXTRACT_ANALYZE_DOCUMENT',
                'DocumentReadMode': 'SERVICE_DEFAULT',
                'FeatureTypes': [
                    'FORMS'
                ]
            }
        },
        OutputDataConfig={
            'S3Uri': 's3://bucketName/output/'
        },
        DataAccessRoleArn='arn:aws:iam::randomNumbers:role/testrole',
        JobName='nameOfMyJob',
        LanguageCode='en'
    )
    print(response)
    return "response"
It keeps generating this error:
{
    "errorMessage": "An error occurred (AccessDeniedException) when calling the StartSentimentDetectionJob operation: User: arn:aws:sts::randomNumbers:assumed-role/testrole/testfunc is not authorized to perform: iam:PassRole on resource: arn:aws:iam::randomNumbers:role/testrole because no identity-based policy allows the iam:PassRole action",
    "errorType": "ClientError",
    "requestId": "d3a54dbd-a011-42f0-bc74-440ce9cbaa8d",
    "stackTrace": [
        "  File \"/var/task/lambda_function.py\", line 10, in lambda_handler\n    response = client.start_sentiment_detection_job(\n",
        "  File \"/var/runtime/botocore/client.py\", line 391, in _api_call\n    return self._make_api_call(operation_name, kwargs)\n",
        "  File \"/var/runtime/botocore/client.py\", line 719, in _make_api_call\n    raise error_class(parsed_response, operation_name)\n"
    ]
}
I am not sure if there is an error with my code, or if it is a role/permission issue. For the role, this is what I have as my trust entity:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "lambda.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
Is this a code or a permission issue? Here is the API I used for the response line: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/comprehend.html#Comprehend.Client.start_sentiment_detection_job Thanks in advance for the help!
Edit: here is my updated user JSON policy:
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "iam:PassRole"
        ],
        "Resource": "arn:aws:iam::randomNumbers:role/testrole"
    }]
}
Upvotes: 1
Views: 861
Reputation: 211
Simply put, your user arn:aws:sts::randomNumbers:assumed-role/testrole/testfunc needs this policy attached.
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "iam:PassRole"
        ],
        "Resource": "arn:aws:iam::randomNumbers:role/testrole"
    }]
}
Refer to this doc for more information as to why iam:PassRole is needed.
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html
Upvotes: 1
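The two IAM documents involved in a PassRole call, checked offline. This is an added example, not code from the question or the answer: it evaluates, with a deliberately simplified model of IAM (Allow/Deny, glob matching, the StringEquals operator only), whether the Lambda execution role may pass a data-access role to Comprehend and whether that role's trust policy lets comprehend.amazonaws.com assume it. The account id, role name and policy documents are constructed placeholders modelled on the ones in the question; the iam:PassedToService condition key is a real IAM condition key that scopes a PassRole grant to one receiving service.

```python
"""Offline check of the PassRole handshake between a Lambda execution role and a
Comprehend data-access role. Added example; simplified IAM evaluation."""
import fnmatch
import json

ACCOUNT = "123456789012"  # constructed placeholder account id
DATA_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/comprehend-data-access"  # hypothetical role

# Identity policy for the Lambda execution role: iam:PassRole scoped to one role
# and, via iam:PassedToService, to the one service that may receive it.
EXECUTION_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:PassRole"],
        "Resource": DATA_ROLE_ARN,
        "Condition": {"StringEquals": {"iam:PassedToService": "comprehend.amazonaws.com"}},
    }],
}

# Trust policy of the data-access role: the service that will assume it is
# Comprehend, so the principal must be comprehend.amazonaws.com (constructed).
DATA_ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "comprehend.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, target):
    # IAM-style wildcard matching; case-sensitive simplification.
    return any(fnmatch.fnmatchcase(target, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Only StringEquals is modelled; any other operator makes the statement not apply.
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            return False
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def action_allowed(policy, action, resource, context=None):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow."""
    context = context or {}
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not _matches(stmt.get("Action", []), action):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        if not _condition_holds(stmt.get("Condition"), context):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def service_trusted(trust_policy, service):
    """True if the trust policy lets `service` call sts:AssumeRole on the role."""
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if not _matches(stmt.get("Action", []), "sts:AssumeRole"):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            return True
        if service in _as_list(principal.get("Service", [])):
            return True
    return False


def check_pass_role(identity_policy, trust_policy, role_arn, service):
    """Both halves of the handshake: may the caller pass the role, and may the service assume it."""
    return {
        "pass_role_allowed": action_allowed(identity_policy, "iam:PassRole", role_arn,
                                            {"iam:PassedToService": service}),
        "service_trusted": service_trusted(trust_policy, service),
    }


if __name__ == "__main__":
    result = check_pass_role(EXECUTION_ROLE_POLICY, DATA_ROLE_TRUST_POLICY,
                             DATA_ROLE_ARN, "comprehend.amazonaws.com")
    print(json.dumps(result, indent=2))
```

Run against the documents in the question, the check reports the PassRole half as denied (no identity policy grants iam:PassRole) and, separately, that a trust policy naming only lambda.amazonaws.com does not let comprehend.amazonaws.com assume the role; both must hold before StartSentimentDetectionJob can succeed. The condition key keeps the grant from being reused to pass the same role to any other service from the same function.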