I am trying to deploy a data lake on AWS using the source: https://aws-ia.github.io/cfn-ps-datalake-foundation/ but I am getting an error.
Data-lake-foundation-DataLakeFoundationStack-IS67G4LRJQIU-ElasticsearchStack-YY9NNQARTKAR
CREATE_FAILED
The following resource(s) failed to create: [CopyLambdaDeployment].
Cloud Watch Logs :
An error occurred (AccessDenied) when calling the CopyObject operation: Access Denied
What is the solution for this?
Please find the screenshots.
I tried adding IAM permissions, according to the solutions received, but none of them worked.
IAM Permissions for a role to deploy data lake.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket",
        "s3:CreateBucket",
        "s3:PutBucketPolicy",
        "s3:DeleteBucket",
        "s3:PutBucketNotification",
        "s3:PutBucketAcl",
        "s3:GetObjectTagging",
        "s3:PutObjectTagging",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::datalake-submissions/*",
        "arn:aws:s3:::datalake-curated-datasets/*",
        "arn:aws:s3:::datalake-published-data/*",
        "arn:aws:s3:::regional-lambda-bucket/*",
        "arn:aws:s3:::datalake-athena-query-results/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kinesis:*",
        "kinesisanalytics:*",
        "lambda:*",
        "glue:*",
        "kinesis:CreateStream",
        "kinesis:DescribeStream",
        "kinesis:PutRecord",
        "kinesis:PutRecords",
        "lambda:CreateFunction",
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration",
        "lambda:GetFunction",
        "lambda:DeleteFunction",
        "lambda:ListFunctions",
        "athena:*",
        "redshift:*",
        "quicksight:*",
        "sns:*",
        "sagemaker:*",
        "ec2:Describe*",
        "firehose:DescribeDeliveryStream",
        "firehose:ListDeliveryStreams",
        "firehose:PutRecord",
        "firehose:PutRecordBatch",
        "ec2:CreateLaunchTemplate",
        "ec2:DescribeLaunchTemplates",
        "ec2:RunInstances",
        "ec2:DescribeInstances",
        "ec2:CreateTags",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ssm:GetParameters",
        "ssm:GetParameter",
        "ssm:DescribeParameters",
        "ec2:DeleteTags",
        "iam:CreateRole",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy",
        "iam:PassRole",
        "iam:DeleteRole",
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeNetworkInterfaces",
        "ec2:AttachNetworkInterface",
        "ec2:DetachNetworkInterface",
        "elasticloadbalancing:*",
        "logs:*",
        "cloudformation:*",
        "cloudwatch:*",
        "es:*"
      ],
      "Resource": "*"
    }
  ]
}
In order to perform CopyObject action you need the below permissions:
s3:GetObject
s3:PutObject
s3express:CreateSession
You might also need:
s3:PutObjectTagging
s3:ListBucket
s3:PutObjectTagging
To use CreateSession, your account should have these permissions:
s3express:DeleteBucket
s3express:DeleteBucketPolicy
s3express:CreateBucket
s3express:PutBucketPolicy
s3express:GetBucketPolicy
s3express:ListAllMyDirectoryBuckets
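As an added example (not code from the question, the answer, or the AWS Quick Start), this Python helper checks an IAM identity policy offline for the two grants a CopyObject call needs, s3:GetObject on the source object and s3:PutObject on the destination object, and lists whichever is missing. The bucket and key names are constructed placeholders; the real source bucket for the stack's Lambda deployment is whatever the template specifies, which this example does not know.

```python
import json
from fnmatch import fnmatchcase


def _as_list(v):
    # IAM allows a single string or a list for Action and Resource.
    return v if isinstance(v, list) else [v]


def policy_allows(policy, action, resource):
    """Offline approximation of IAM evaluation for one action on one ARN:
    an explicit Deny wins, otherwise any matching Allow grants access.
    Condition keys, NotAction/NotResource, SCPs and bucket policies
    are ignored, so a True here is necessary, not sufficient."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        # IAM wildcards are '*' and '?', which fnmatchcase handles.
        hit = (any(fnmatchcase(action, a) for a in actions)
               and any(fnmatchcase(resource, r) for r in resources))
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_copy_grants(policy, src_bucket, src_key, dst_bucket, dst_key):
    """Return the (action, ARN) pairs a CopyObject needs but the policy lacks."""
    needed = [
        ("s3:GetObject", f"arn:aws:s3:::{src_bucket}/{src_key}"),
        ("s3:PutObject", f"arn:aws:s3:::{dst_bucket}/{dst_key}"),
    ]
    return [(a, r) for a, r in needed if not policy_allows(policy, a, r)]


# Constructed policy in the shape of the one in the question: object-level
# grants on a fixed bucket list, nothing on the bucket the copy reads from.
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow",
   "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::regional-lambda-bucket/*"]}]}""")

if __name__ == "__main__":
    gaps = missing_copy_grants(POLICY, "example-source-bucket", "lambda.zip",
                               "regional-lambda-bucket", "lambda.zip")
    for action, arn in gaps:
        print(f"missing: {action} on {arn}")
```

s3:ListBucket is evaluated against the bucket ARN (no trailing /*), so a policy that grants it only on object patterns, as the one in the question does, leaves the bucket ARN itself unmatched; the checker reports that as well when asked.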