I am trying to create a Datasource using AWS Machine learning SDK. At first i'm upload csv data file to S3 storage also throgh the SDK. Then i update bucket policy for this file. Only after all i'm trying create datasource but i receive error :
FAILURES (1): You don't have permission to access 's3://training-data/input/test-likes.csv'. Contact the owner of 's3://training-data/input/test-likes.csv' to get read access.
What permissions are required else ?
This is my bucket policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AmazonML_s3:ListBucket",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::831986290820:user/pavel.emsow",
"Service": "machinelearning.amazonaws.com"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::trainig-data",
"Condition": {
"StringLike": {
"s3:prefix": [
"input/common-likes.csv*",
"input/test-likes.csv*"
]
}
}
},
{
"Sid": "AmazonML_s3:GetObject",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::831986290820:user/pavel.emsow",
"Service": "machinelearning.amazonaws.com"
},
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::trainig-data/input/common-likes.csv*",
"arn:aws:s3:::trainig-data/input/test-likes.csv*"
]
}
]
}
I ran into this error when trying to create an ML model from an S3 datasource. In addition to my (similar) bucket policy, I had to modify the IAM role that was used when calling the machine learning API. I attached a Full-Access S3 policy to the IAM role and the call succeeded. The Full-Access policy may be too broad and it may be possible to reduce it to S3 read-only and still have the call succeed.