IAM role access denied on cross-account S3 buckets in Unity Catalog

Ensure that the IAM role's trust and access policies are correctly configured.

Written by Rolando García Vargas

Last published at: February 12th, 2025

Problem

When trying to leverage Unity Catalog to manage data access and permissions across different AWS accounts, your IAM role is unable to access a cross-account S3 bucket. You receive an access denied error when attempting to perform operations on the S3 bucket.

'User: <user-details>/XXXXXXXX,XXXXXXXX is not authorized to perform: <action> on this resource because the resource does not exist in this Region, no resource-based policies allow access, or a resource-based policy explicitly denies access; request: PUT'

Cause

The AWS IAM role that Unity Catalog uses does not have the necessary permissions to generate data keys for the KMS key. This can occur because of:

  • Missing or incorrect IAM role trust and access policies.
  • Incorrect S3 bucket resource policies.
  • Incorrect KMS key resource policies.

Solution

First, ensure that the IAM role's trust and access policies are correctly configured. Verify that the role assumed by Unity Catalog has the necessary permissions to access the S3 bucket and the associated KMS key. Follow the steps in the "Create a storage credential for connecting to AWS S3" documentation.

Next, update the S3 bucket resource policy to allow access from the Unity Catalog production role. This includes specifying the correct actions and resources in the policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Example permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<your-AWS-account-ID>:role/<role-name>"
      },
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::<your-bucket>"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<your-AWS-account-ID>:role/<role-name>"
      },
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:PutObjectAcl"
      ],
      "Resource": "arn:aws:s3:::<your-bucket>/*"
    }
  ]
}

Then, grant the required permissions on the KMS key. Add a statement like the following to the KMS key policy that names the Unity Catalog production role and allows actions such as kms:GenerateDataKey. Keep the key policy's existing statements in place so that key administrators retain their access.

{
  "Sid": "Enable Permissions to Key",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::<your-AWS-account-ID>:role/<role-name>"
  },
  "Action": [
    "kms:Decrypt",
    "kms:Encrypt",
    "kms:GenerateDataKey*"
  ],
  "Resource": "arn:aws:kms:<your-KMS-key>"
}

Verify that there are no region-specific restrictions or AWS Organizations policies restricting cross-account access to S3. Contact AWS Support to validate if necessary.

Last, test the configuration by attempting to access the S3 bucket from Unity Catalog. Ensure that the access is successful and that there are no further permission-related errors.
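As an added example, not part of this article or of Databricks' or AWS's own tooling, the following Python script performs an offline version of this last check: it parses a bucket policy and a KMS key policy and reports which of the actions shown above are not granted to the role, treating a matching explicit Deny as a failure. The account ID, role name, bucket name and key ID are constructed placeholders, and the matcher is a deliberate simplification of IAM evaluation (Condition, NotAction and NotResource are ignored), so a clean result is necessary but not sufficient for real access.

```python
import fnmatch
import json

# Constructed placeholder identifiers (not taken from the article): swap in your own ARNs.
ROLE_ARN = "arn:aws:iam::111122223333:role/unity-catalog-access-role"
BUCKET_ARN = "arn:aws:s3:::example-uc-bucket"
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000"

# Actions the storage credential role needs, per resource, mirroring the statements above.
REQUIRED_S3 = {
    BUCKET_ARN: ["s3:GetBucketLocation", "s3:ListBucket"],
    BUCKET_ARN + "/*": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:PutObjectAcl"],
}
REQUIRED_KMS = {KEY_ARN: ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey"]}


def _as_list(value):
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, role_arn):
    """True if the statement's Principal names role_arn (or is the '*' wildcard)."""
    principal = stmt.get("Principal", {})
    aws = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
    return "*" in aws or role_arn in aws


def _pattern_matches(patterns, value, case_sensitive):
    """Match a value against IAM patterns; '*' and '?' behave as IAM wildcards.
    Action names are case-insensitive in IAM; S3 and KMS ARNs are case-sensitive."""
    for p in _as_list(patterns):
        if case_sensitive and fnmatch.fnmatchcase(value, p):
            return True
        if not case_sensitive and fnmatch.fnmatchcase(value.lower(), p.lower()):
            return True
    return False


def check_policy(policy, role_arn, required):
    """Return (action, resource) pairs that `policy` does not allow `role_arn` to perform.

    Simplified IAM evaluation: a matching explicit Deny wins over any Allow, and
    Condition / NotAction / NotResource elements are not evaluated.
    """
    missing = []
    statements = _as_list(policy.get("Statement"))
    for resource, actions in required.items():
        for action in actions:
            allowed = denied = False
            for stmt in statements:
                if not _principal_matches(stmt, role_arn):
                    continue
                if not _pattern_matches(stmt.get("Action"), action, case_sensitive=False):
                    continue
                if not _pattern_matches(stmt.get("Resource"), resource, case_sensitive=True):
                    continue
                if stmt.get("Effect") == "Deny":
                    denied = True
                elif stmt.get("Effect") == "Allow":
                    allowed = True
            if denied or not allowed:
                missing.append((action, resource))
    return missing


def diagnose(bucket_policy, key_policy, role_arn=ROLE_ARN):
    """Run both checks; an empty list under a key means that policy looks complete."""
    return {
        "s3": check_policy(bucket_policy, role_arn, REQUIRED_S3),
        "kms": check_policy(key_policy, role_arn, REQUIRED_KMS),
    }


# Constructed sample: the bucket policy from the article with the placeholders filled in.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
         "Action": ["s3:GetBucketLocation", "s3:ListBucket"], "Resource": BUCKET_ARN},
        {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
         "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:PutObjectAcl"],
         "Resource": BUCKET_ARN + "/*"},
    ],
}
# Constructed sample: a key policy that omits kms:GenerateDataKey*, reproducing the Cause above.
KEY_POLICY_BROKEN = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable Permissions to Key", "Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
         "Action": ["kms:Decrypt", "kms:Encrypt"], "Resource": "*"},
    ],
}
KEY_POLICY_FIXED = json.loads(json.dumps(KEY_POLICY_BROKEN))
KEY_POLICY_FIXED["Statement"][0]["Action"].append("kms:GenerateDataKey*")

if __name__ == "__main__":
    print(json.dumps(diagnose(BUCKET_POLICY, KEY_POLICY_BROKEN), indent=2))
    print(json.dumps(diagnose(BUCKET_POLICY, KEY_POLICY_FIXED), indent=2))
```

To run it against real policies, load the JSON returned by `aws s3api get-bucket-policy --bucket <your-bucket> --query Policy --output text` and `aws kms get-key-policy --key-id <your-KMS-key> --policy-name default --query Policy --output text` with `json.loads` and pass the results to `diagnose`; the role's own identity policy and any SCPs still have to be checked separately, which is why the article's final step of performing a real access from Unity Catalog remains the authoritative test.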

For more detailed information, refer to the "What is Unity Catalog?" documentation and the AWS "Key policies in AWS KMS" documentation.