Reputation: 11
I'd like to configure Magnetic Storage writes on a Timestream table, and provided an s3 bucket that should be writeable from the account used to configure the Timestream table settings.
I verified I can write to this bucket using my AWS account by putting a test file there.
When I try to save, I get: The S3 bucket [xxxxxxxxx] doesn't exist, or you don't have sufficient permission to access it, or it does not belong to your account.
Bucket settings:
I've tried attaching a policy to the S3 bucket that allows the principals AWS_ACCOUNT, timestream.amazonaws.com, AWSBackupDefaultServiceRole and AWSServiceRoleForBackup all S3 actions (s3:*) with the bucket specified as the Resource:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BackupAllowWriteToS3ErrorLogs",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::{AWS_ACCOUNT}:role/service-role/AWSBackupDefaultServiceRole",
          "arn:aws:iam::{AWS_ACCOUNT}:role/aws-service-role/backup.amazonaws.com/AWSServiceRoleForBackup"
        ]
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::my-error-logs",
        "arn:aws:s3:::my-error-logs/*"
      ]
    },
    {
      "Sid": "DeveloperAccountAllowWriteToS3ErrorLogs",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::{AWS_ACCOUNT}:root"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-error-logs",
        "arn:aws:s3:::my-error-logs/*"
      ]
    },
    {
      "Sid": "TimestreamAllowWriteToS3ErrorLogs",
      "Effect": "Allow",
      "Principal": {
        "Service": "timestream.amazonaws.com"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-error-logs",
        "arn:aws:s3:::my-error-logs/*"
      ]
    }
  ]
}
As I was initially having problems getting this working with Backup restore, I also created a policy in AWSBackupDefaultServiceRole that allows basic s3 actions on the bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::my-error-logs"
    }
  ]
}
However, in the role's "Permissions policies", it shows 0 attached entities for this policy, even though it is shown. I'm not sure what's wrong here.
What role is assumed when trying to update this Timestream table from the AWS console? Are there other roles that need to be able to write to this bucket besides Timestream? What do I need to enable this?
Upvotes: 1
Views: 15
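As an added example (not part of the question above, and not AWS tooling), here is a small linter for S3 Allow statements of the kind shown in the post. It flags the two things a reviewer would check first: object-level actions such as s3:PutObject granted only on the bucket ARN without the "/*" object ARN, and a service principal granted s3:* with no aws:SourceAccount / aws:SourceArn condition. The `lint_s3_policy` function name and the two sample policies are constructed for this example, modelled on (not copied from) the policies in the question.

```python
import json

# Constructed samples modelled on the policies in the question (not copied verbatim).
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VisualEditor0", "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::my-error-logs"}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "TimestreamAllowWriteToS3ErrorLogs", "Effect": "Allow",
     "Principal": {"Service": "timestream.amazonaws.com"}, "Action": "s3:*",
     "Resource": ["arn:aws:s3:::my-error-logs", "arn:aws:s3:::my-error-logs/*"]}]}

OBJECT_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:DeleteObject"}
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketAcl", "s3:GetBucketLocation"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def lint_s3_policy(policy, bucket):
    """Return a list of findings for Allow statements that reference `bucket`."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = bucket_arn + "/*"
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(_as_list(stmt.get("Action", [])))
        resources = set(_as_list(stmt.get("Resource", [])))
        if not resources & {bucket_arn, object_arn}:
            continue  # statement is about some other bucket
        wildcard = bool(actions & {"s3:*", "*"})
        # Object-level actions only match object ARNs; the bucket ARN alone is a silent no-op.
        if (wildcard or actions & OBJECT_ACTIONS) and object_arn not in resources:
            findings.append(f"{sid}: object actions granted but Resource lacks {object_arn}")
        # Bucket-level actions (ListBucket, GetBucketAcl, ...) only match the bucket ARN.
        if (wildcard or actions & BUCKET_ACTIONS) and bucket_arn not in resources:
            findings.append(f"{sid}: bucket actions granted but Resource lacks {bucket_arn}")
        if wildcard:
            findings.append(f"{sid}: s3:* grants far more than a log writer needs")
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict) and "Service" in principal and "Condition" not in stmt:
            findings.append(f"{sid}: service principal has no aws:SourceAccount/aws:SourceArn condition (confused deputy)")
    return findings

if __name__ == "__main__":
    for name, pol in (("role policy", ROLE_POLICY), ("bucket policy", BUCKET_POLICY)):
        print(name, json.dumps(lint_s3_policy(pol, "my-error-logs"), indent=2))
```

Run it against the policy JSON you actually have attached (for example the output of `aws s3api get-bucket-policy`) to see which statement is doing less than it looks like it does.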