Trying to run Airflow on AWS using Amazon MWAA service. While creating an environment, I am facing this issue with permissions.

Tried changing the policy of the IAM role by adding the following snippet to the policy JSON.

{
    "Effect": "Allow",
    "Action": "s3:GetEncryptionConfiguration",
    "Resource": [
        "arn:aws:s3:::bucket-name",
        "arn:aws:s3:::bucket-name/*"
    ]
}

Also, tried

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        }
    ]
}

But no luck. Any help or suggestion is much appreciated. Thank you.

There is 1 best solution below

Kevin Languasco On

I had the same error message. In my case it was fixed after my user role (not the MWAA execution role) got full access to the MWAA bucket. So something like:

{
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": [
          "arn:aws:s3:::{mwaa-bucket}",
          "arn:aws:s3:::{mwaa-bucket}/*"
      ]
}

You may want to reduce the scope of S3 permissions as needed.

You may also need to add this to the MWAA execution role:

{
    "Effect": "Allow",
    "Action": ["s3:GetAccountPublicAccessBlock"],
    "Resource": ["*"]
}

in case you created the execution role some time in the past. AWS updated their reference role definition at some point to include that permission as well. See https://docs.aws.amazon.com/mwaa/latest/userguide/mwaa-create-role.html#mwaa-create-role-aocmk
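
To compare the statements in this thread before attaching them, here is an added example (not code from the question, the answer, or AWS) that evaluates identity-policy JSON locally for a given action and resource and lists the wildcard grants worth narrowing. It models only `Effect`, `Action` and `Resource`, with explicit Deny taking precedence. Assumptions: the bucket name `example-mwaa-bucket` is a constructed placeholder, and the request resource for `s3:GetAccountPublicAccessBlock` is taken to be `*`, as in the answer's statement.

```python
import re

BUCKET = "arn:aws:s3:::example-mwaa-bucket"  # constructed placeholder name

# Policies from the thread, with the bucket placeholder filled in.
ASKER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*"], "Resource": ["arn:aws:s3:::*"]}]}
USER_ROLE_STMT = {"Effect": "Allow", "Action": ["s3:*"],
                  "Resource": [BUCKET, BUCKET + "/*"]}
EXEC_ROLE_STMT = {"Effect": "Allow", "Action": ["s3:GetAccountPublicAccessBlock"],
                  "Resource": ["*"]}

def _glob(pattern, value, ignore_case=False):
    # IAM wildcards: * matches any run of characters, ? exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def statements(policy):
    # Accept a full policy document or a bare statement as posted in the thread.
    return _as_list(policy["Statement"]) if "Statement" in policy else [policy]

def is_allowed(policies, action, resource):
    """Explicit Deny wins; otherwise any matching Allow grants the request."""
    allowed = False
    for policy in policies:
        for st in statements(policy):
            if {"NotAction", "NotResource", "Condition"} & st.keys():
                raise ValueError("element not evaluated by this checker")
            hit = (any(_glob(a, action, True) for a in _as_list(st["Action"]))
                   and any(_glob(r, resource) for r in _as_list(st["Resource"])))
            if hit and st["Effect"] == "Deny":
                return False
            allowed = allowed or hit
    return allowed

def wildcard_grants(policy):
    """Allow statements with a wildcard action: candidates for narrowing."""
    return [st for st in statements(policy) if st["Effect"] == "Allow"
            and any("*" in a for a in _as_list(st["Action"]))]

if __name__ == "__main__":
    for name, pols in [("asker", [ASKER_POLICY]),
                       ("asker + exec stmt", [ASKER_POLICY, EXEC_ROLE_STMT])]:
        print(name,
              is_allowed(pols, "s3:GetEncryptionConfiguration", BUCKET),
              is_allowed(pols, "s3:GetAccountPublicAccessBlock", "*"))
    print(len(wildcard_grants(USER_ROLE_STMT)), "wildcard statement in user grant")
```

Under these assumptions, `s3:Get*` scoped to `arn:aws:s3:::*` matches the bucket-level read but not a request whose resource is `*`, which is why the execution-role statement is written with `"Resource": ["*"]`.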