Tags: amazon-web-services, amazon-s3, amazon-iam, aws-glue, amazon-kms

Not able to Put data/object into S3 bucket using Glue Job when KMS Encryption is enabled


I have a Glue job which fetches data from one S3 bucket and transfers/puts it into another. My job works properly if I disable KMS encryption, but does not work with KMS encryption enabled.

Error: An error occurred while calling o79.pyWriteDynamicFrame. Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied)

I have also added this policy:

    {
      "Effect": "Allow",
      "Action": [
        "kms:Decrypt"
      ],
      "Resource": [
        "arn:aws:kms:region:account-name:key/kms-encryptionkey"
      ]
    }

Please suggest how I can transfer data between S3 buckets using Glue with KMS encryption enabled.


Solution

  • First, you have to check whether the KMS key policy allows access to the IAM role used by Glue, since IAM permission alone is not enough. You can also include the IAM role in the key policy, and that'll be one approach.

    If you want to give KMS permission via an IAM policy, then add the following API actions:

    1. To PutObject and encrypt it, add "kms:GenerateDataKey" with the key ID as a resource.

    2. To GetObject (and decrypt it), "kms:Decrypt" (which you have).
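
As an added example (not code from the question or the answer), this check reports which of the KMS actions named in the answer an IAM identity policy fails to allow on a given key. The key ARN, the policy wrappers and all function names are assumptions made for illustration; the check only inspects Allow statements and does not evaluate Deny statements, conditions, or the KMS key policy, which the answer says must also permit the Glue role.

```python
import fnmatch

# Per the answer: reading SSE-KMS objects needs kms:Decrypt,
# writing them (PutObject) needs kms:GenerateDataKey.
REQUIRED = {"read": ["kms:Decrypt"], "write": ["kms:GenerateDataKey"]}

# Constructed placeholder ARN, not a real key.
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"

def _policy(actions):
    """Build a constructed sample identity policy allowing `actions` on KEY_ARN."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions,
                           "Resource": [KEY_ARN]}]}

QUESTION_POLICY = _policy(["kms:Decrypt"])                      # as in the question
FIXED_POLICY = _policy(["kms:Decrypt", "kms:GenerateDataKey"])  # as the answer suggests

def _as_list(value):
    # IAM lets Action/Resource/Statement be a single item or a list.
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]

def _allows(statement, action, key_arn):
    if statement.get("Effect") != "Allow":
        return False
    # Action names are case-insensitive; both fields accept * and ? wildcards.
    action_ok = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                    for p in _as_list(statement.get("Action")))
    resource_ok = any(fnmatch.fnmatchcase(key_arn, p)
                      for p in _as_list(statement.get("Resource")))
    return action_ok and resource_ok

def missing_kms_actions(policy, key_arn):
    """Return {"read"/"write": [actions not allowed on key_arn]}; empty if all allowed."""
    statements = _as_list(policy.get("Statement"))
    missing = {}
    for operation, actions in REQUIRED.items():
        lacking = [a for a in actions
                   if not any(_allows(s, a, key_arn) for s in statements)]
        if lacking:
            missing[operation] = lacking
    return missing

if __name__ == "__main__":
    print("question policy:", missing_kms_actions(QUESTION_POLICY, KEY_ARN))
    print("fixed policy:   ", missing_kms_actions(FIXED_POLICY, KEY_ARN))
```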